I need to run splunk as non-root user as per security policy of the customer. The challenge I have faced is with Syslog-ng.
if Syslog-ng runs as root, Splunk (running as non-root) cannot reald the logs collected sittign in var\log (owner is root)
So the idea is to run syslog-ng as non-root user (let's say the user that is running splunk) which should allow splunk running with the same non-root user to read the syslog files.
is this feasible? anyone has seen/done this before?
thanks
,This recommendation of running as non-root here https://www.balabit.com/wiki/syslog-ng-faq-non-root doesn't seem to help. I'm getting the following permissions error(s)
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (98)'
Error initializing message pipeline;
How are people getting past this?
Thanks
Hi, this should work, but it's possible that you hit a bug. Which version of syslog-ng are you using?
Another possibility is thaty the user doesn't have write permission to /dev, so it cannot remove the stale log socket, which causes the bind to fail.
You can create the log socket somewhere else (for example, under /var somewhere) and point a symlink to it from /dev.
Then you can give permissions to user to the directory where the log socket resides.
I'm using syslog-ng version 3.5.6
sudo /usr/sbin/syslog-ng --version
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Aug 21 2014 18:17:06
Available-Modules: basicfuncs,cryptofuncs,csvparser,afsocket-notls,confgen,afsocket-tls,system-source,dbparser,afprog,linux-kmsg-format,afsocket,affile,afuser,afstomp,syslogformat
Is there anything special I need to have in my syslog-ng.conf to make this work? I basically have the default with some filters and two destinations that I have added for particular facilities.
Thanks!
Not really familiar with syslog-ng, but if you use logrotate
for rotating logs, you can set file permissions on the logs each time they rotate to 640 (rw-r--r--
) with the owner of syslog-ng
(or whatever account you use) and group of splunk
.
In your logrotate.d
-scripts you could add
create 640 syslog-ng splunk
Hope this helps,
Kristian
i think the better option is of course to not run things as root when they dont need to, better yet, non-root in chroot environment is ideal. start syslog-ng per the link i provided. i will also suggest to run syslog-ng not as same uid as splunkd. you can configure syslog-ng.conf with destination owner,group,perm settings for the files. files should be owned by syslog, grouped with splunkd uid, and perms 640. so, you can run syslog-ng as one uid, splunkd as another uid, and you can have syslog-ng write files using yet another uid, etc. do not rely on logrotate to handle owner,group,perm.