Getting Data In

Run Syslog-ng as non-root user

jnassar
Explorer

I need to run splunk as non-root user as per security policy of the customer. The challenge I have faced is with Syslog-ng.

If Syslog-ng runs as root, Splunk (running as non-root) cannot read the collected logs sitting in /var/log (owner is root).

So the idea is to run syslog-ng as non-root user (let's say the user that is running splunk) which should allow splunk running with the same non-root user to read the syslog files.

Is this feasible? Has anyone seen/done this before?

Thanks

0 Karma

ryankoss
New Member

This recommendation of running as non-root here https://www.balabit.com/wiki/syslog-ng-faq-non-root doesn't seem to help. I'm getting the following permission error(s):

syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (98)'
Error initializing message pipeline;

How are people getting past this?

Thanks

0 Karma

frobert
New Member

Hi, this should work, but it's possible that you hit a bug. Which version of syslog-ng are you using?

0 Karma

frobert
New Member

Another possibility is that the user doesn't have write permission to /dev, so it cannot remove the stale log socket, which causes the bind to fail.

You can create the log socket somewhere else (for example, under /var somewhere) and point a symlink to it from /dev.

Then you can give the user permissions on the directory where the log socket resides.

0 Karma
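The relocation frobert describes, as an added shell example that is not from this thread or from the syslog-ng project. The socket directory, the account names and the unix-dgram() source fragment are assumptions; the steps that touch the real /dev and change ownership need root, so they belong in a one-time setup step before privileges are dropped to the syslog-ng account. The default system() source binds /dev/log itself (and reads /dev/kmsg, which a non-root account normally cannot open), so it has to be replaced by a source that binds the relocated path; clients are unaffected because connect(2) follows the /dev/log symlink, whereas bind(2) refuses to bind over an existing symlink.

```shell
#!/bin/sh
# Added example, not from the thread: move the syslog-ng local socket out of
# /dev into a directory the non-root syslog-ng account can write, and leave a
# symlink at /dev/log so local clients that open /dev/log keep working.
# Directory and account names are parameters; the defaults below are assumptions.
set -eu

# prepare_log_socket_dir DEVDIR SOCKDIR USER GROUP
#   DEVDIR      directory holding the client-facing "log" path (normally /dev)
#   SOCKDIR     directory that will hold the real socket (e.g. /var/run/syslog-ng)
#   USER/GROUP  account syslog-ng runs as; it becomes the owner of SOCKDIR
# Needs root when DEVDIR is the real /dev; run once at boot, before syslog-ng starts.
prepare_log_socket_dir() {
    devdir=$1; sockdir=$2; user=$3; group=$4

    # The real socket lives here. Everyone may traverse (x) so clients can
    # connect, but only the owner can create or remove the socket file.
    mkdir -p "$devdir" "$sockdir"
    chown "$user:$group" "$sockdir"
    chmod 0755 "$sockdir"

    # A stale socket left behind by an earlier run (or by the root-started
    # service) makes bind() fail with "Address already in use"; clear it.
    rm -f "$sockdir/log"

    # Replace whatever sits at DEVDIR/log with a symlink to the real socket.
    # connect(2) follows the link, so /dev/log keeps working for clients;
    # bind(2) does not, which is why syslog-ng must bind the SOCKDIR path.
    rm -f "$devdir/log"
    ln -s "$sockdir/log" "$devdir/log"
}

# socket_link_ok DEVDIR SOCKDIR: succeeds when DEVDIR/log is a symlink to SOCKDIR/log
socket_link_ok() {
    [ -L "$1/log" ] && [ "$(readlink "$1/log")" = "$2/log" ]
}

# print_source_config SOCKDIR: syslog-ng source block that binds the relocated
# path. It stands in for the default system() source, which binds /dev/log
# itself and reads /dev/kmsg (not readable by a non-root account).
print_source_config() {
    cat <<EOF
source s_local {
    unix-dgram("$1/log");
    internal();
};
EOF
}

# Stand-alone use (assumed paths and account; needs root for the real /dev):
#   prepare_log_socket_dir /dev /var/run/syslog-ng syslog syslog
#   print_source_config /var/run/syslog-ng >> /etc/syslog-ng/syslog-ng.conf
```

Running the setup function a second time is harmless: it removes the stale socket and re-creates the link, which is exactly what is wanted after an unclean shutdown. The source fragment is appended for illustration only; in a real config it replaces the system() line rather than sitting next to it.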

ryankoss
New Member

I'm using syslog-ng version 3.5.6

sudo /usr/sbin/syslog-ng --version
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Aug 21 2014 18:17:06
Available-Modules: basicfuncs,cryptofuncs,csvparser,afsocket-notls,confgen,afsocket-tls,system-source,dbparser,afprog,linux-kmsg-format,afsocket,affile,afuser,afstomp,syslogformat

Is there anything special I need to have in my syslog-ng.conf to make this work? I basically have the default with some filters and two destinations that I have added for particular facilities.

Thanks!

0 Karma

kristian_kolb
Ultra Champion

Not really familiar with syslog-ng, but if you use logrotate for rotating logs, you can set file permissions on the logs each time they rotate to 640 (rw-r--r--) with the owner of syslog-ng (or whatever account you use) and group of splunk.

In your logrotate.d-scripts you could add

create 640 syslog-ng splunk

Hope this helps,

Kristian

cvajs
Contributor

I think the better option is of course to not run things as root when they don't need to; better yet, non-root in a chroot environment is ideal. Start syslog-ng per the link I provided. I will also suggest running syslog-ng not as the same uid as splunkd. You can configure syslog-ng.conf with destination owner, group, perm settings for the files. Files should be owned by syslog, grouped with the splunkd uid, and perms 640. So, you can run syslog-ng as one uid, splunkd as another uid, and you can have syslog-ng write files using yet another uid, etc. Do not rely on logrotate to handle owner, group, perm.

0 Karma
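The separation cvajs describes, as an added example that is not from this thread or from the syslog-ng project: a syslog-ng file() destination with its own owner/group/perm and dir_* settings, plus a shell check that a written log file really ended up readable by the Splunk group and by nobody else. Account names, paths and the destination name are assumptions. One caveat the option names hide: giving a file a different owner than the account syslog-ng runs as is a chown(2), which an unprivileged process cannot perform, so owner() only takes effect when syslog-ng is started by root and retains CAP_CHOWN; group() works for any group the syslog-ng account is a member of.

```shell
#!/bin/sh
# Added example, not from the thread: a syslog-ng file destination whose files
# are owned by the logging account, grouped for the Splunk account and mode
# 0640, plus a check that a log file actually ended up that way.
# Account names, paths and the destination name are assumptions.
set -eu

# print_destination_config NAME PATH OWNER GROUP
#   Emits a file() destination. perm/dir_perm are octal, as syslog-ng expects.
#   owner() is a chown and needs root privileges or CAP_CHOWN;
#   group() works when the syslog-ng account is a member of GROUP.
print_destination_config() {
    cat <<EOF
destination $1 {
    file("$2"
         owner("$3") group("$4") perm(0640)
         create_dirs(yes) dir_owner("$3") dir_group("$4") dir_perm(0750));
};
EOF
}

# check_log_perms FILE GROUP
#   Succeeds only when FILE is a regular file with mode rw-r----- and group
#   GROUP: the Splunk account reads it through group membership, other
#   accounts get nothing. Uses ls so it works on GNU and BSD userlands;
#   an ACL or SELinux marker after the mode string is ignored.
check_log_perms() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    grp=$(ls -ld "$1" | awk '{print $4}')
    [ "$mode" = "-rw-r-----" ] && [ "$grp" = "$2" ]
}

# check_log_dir DIR GROUP
#   The log directory should be 0750 with the same group, so the Splunk
#   account can traverse it but cannot create, rename or delete log files.
check_log_dir() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    grp=$(ls -ld "$1" | awk '{print $4}')
    [ "$mode" = "drwxr-x---" ] && [ "$grp" = "$2" ]
}

# Stand-alone use (assumed names):
#   print_destination_config d_splunk /var/log/syslog-ng/messages.log syslog splunk
#   check_log_perms /var/log/syslog-ng/messages.log splunk && echo "readable by splunk group only"
#   check_log_dir /var/log/syslog-ng splunk && echo "directory not writable by splunk"
```

The two check functions are worth running from the Splunk account's side after the first rotation, or whenever syslog-ng is restarted, because a file created while the options were wrong keeps its old mode until something changes it.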
