Getting Data In

Run Syslog-ng as non-root user

jnassar
Explorer

I need to run Splunk as a non-root user as per the security policy of the customer. The challenge I have faced is with syslog-ng.

If syslog-ng runs as root, Splunk (running as non-root) cannot read the collected logs sitting in /var/log (owner is root).

So the idea is to run syslog-ng as non-root user (let's say the user that is running splunk) which should allow splunk running with the same non-root user to read the syslog files.

Is this feasible? Has anyone seen/done this before?

thanks

ryankoss
New Member

This recommendation of running as non-root here https://www.balabit.com/wiki/syslog-ng-faq-non-root doesn't seem to help. I'm getting the following permission error(s):

syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (98)'
Error initializing message pipeline;

How are people getting past this?

Thanks

frobert
New Member

Hi, this should work, but it's possible that you hit a bug. Which version of syslog-ng are you using?

frobert
New Member

Another possibility is that the user doesn't have write permission to /dev, so it cannot remove the stale log socket, which causes the bind to fail.

You can create the log socket somewhere else (for example, under /var somewhere) and point a symlink to it from /dev.

Then you can give the user permissions to the directory where the log socket resides.

ryankoss
New Member

I'm using syslog-ng version 3.5.6

sudo /usr/sbin/syslog-ng --version
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Aug 21 2014 18:17:06
Available-Modules: basicfuncs,cryptofuncs,csvparser,afsocket-notls,confgen,afsocket-tls,system-source,dbparser,afprog,linux-kmsg-format,afsocket,affile,afuser,afstomp,syslogformat

Is there anything special I need to have in my syslog-ng.conf to make this work? I basically have the default with some filters and two destinations that I have added for particular facilities.

Thanks!

kristian_kolb
Ultra Champion

Not really familiar with syslog-ng, but if you use logrotate for rotating logs, you can set file permissions on the logs each time they rotate to 640 (rw-r--r--) with the owner of syslog-ng (or whatever account you use) and group of splunk.

In your logrotate.d-scripts you could add

create 640 syslog-ng splunk

Hope this helps,

Kristian

cvajs
Contributor

I think the better option is of course to not run things as root when they don't need to; better yet, non-root in a chroot environment is ideal. Start syslog-ng per the link I provided. I will also suggest to run syslog-ng not as the same uid as splunkd. You can configure syslog-ng.conf with destination owner, group, perm settings for the files. Files should be owned by syslog, grouped with the splunkd uid, and perms 640. So, you can run syslog-ng as one uid, splunkd as another uid, and you can have syslog-ng write files using yet another uid, etc. Do not rely on logrotate to handle owner, group, perm.

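The two points raised in this thread (a log socket outside /dev so the non-root syslog-ng user can remove a stale one, and destination files owned by syslog-ng but group-readable by the Splunk account) as a syslog-ng.conf fragment. This is an added example, not configuration from the thread or from the syslog-ng project; the user "syslog", the group "splunk", and the paths /var/run/syslog-ng and /var/log/syslog-ng are assumptions.

```conf
# Constructed example: syslog-ng running as user "syslog", Splunk in group "splunk".
# Assumed paths and account names; adjust to the host.

# Log socket in a directory the syslog user can write, instead of /dev/log, so a
# stale socket left from a previous run can be unlinked before bind().
# Root creates the directory and the /dev/log symlink once (note /var/run is often
# a tmpfs, so this needs repeating at boot, e.g. via the init script):
#   install -d -o syslog -g syslog -m 0755 /var/run/syslog-ng
#   ln -sf /var/run/syslog-ng/log /dev/log
source s_local {
    unix-dgram("/var/run/syslog-ng/log");
    internal();
};

# Files owned by the syslog user, readable by the splunk group, no world access.
# Directories are created with the same owner/group and 0750 so Splunk can traverse
# them but other local users cannot list or read the logs.
destination d_messages {
    file("/var/log/syslog-ng/$HOST/messages"
        owner("syslog") group("splunk") perm(0640)
        create_dirs(yes) dir_owner("syslog") dir_group("splunk") dir_perm(0750)
    );
};

log { source(s_local); destination(d_messages); };
```

Splunk's monitor input then only needs its own account to be a member of the splunk group; no file needs to be world-readable and syslog-ng never needs root after the symlink exists.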