Run Syslog-ng as non -root user

Explorer

I need to run Splunk as a non-root user, as per the customer's security policy. The challenge I have faced is with syslog-ng.

If syslog-ng runs as root, Splunk (running as non-root) cannot read the collected logs sitting in /var/log (owner is root).

So the idea is to run syslog-ng as non-root user (let's say the user that is running splunk) which should allow splunk running with the same non-root user to read the syslog files.

Is this feasible? Has anyone seen/done this before?

thanks

New Member

The recommendation of running as non-root here, https://www.balabit.com/wiki/syslog-ng-faq-non-root, doesn't seem to help. I'm getting the following permission error(s):

syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (98)'
Error initializing message pipeline;

How are people getting past this?

Thanks

New Member

Hi, this should work, but it's possible that you hit a bug. Which version of syslog-ng are you using?

New Member

Another possibility is that the user doesn't have write permission to /dev, so it cannot remove the stale log socket, which causes the bind to fail.

You can create the log socket somewhere else (for example, under /var somewhere) and point a symlink to it from /dev.

Then you can give permissions to user to the directory where the log socket resides.

New Member

I'm using syslog-ng version 3.5.6

sudo /usr/sbin/syslog-ng --version
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Aug 21 2014 18:17:06
Available-Modules: basicfuncs,cryptofuncs,csvparser,afsocket-notls,confgen,afsocket-tls,system-source,dbparser,afprog,linux-kmsg-format,afsocket,affile,afuser,afstomp,syslogformat

Is there anything special I need to have in my syslog-ng.conf to make this work? I basically have the default with some filters and two destinations that I have added for particular facilities.

Thanks!

Ultra Champion

Not really familiar with syslog-ng, but if you use logrotate for rotating logs, you can set file permissions on the logs each time they rotate to 640 (rw-r--r--) with the owner of syslog-ng (or whatever account you use) and group of splunk.

In your logrotate.d-scripts you could add

create 640 syslog-ng splunk

Hope this helps,

Kristian

Contributor

I think the better option is, of course, to not run things as root when they don't need to; better yet, non-root in a chroot environment is ideal. Start syslog-ng per the link I provided. I will also suggest running syslog-ng not as the same UID as splunkd. You can configure syslog-ng.conf with destination owner, group, perm settings for the files. Files should be owned by syslog, grouped with the splunkd UID, and perms 640. So, you can run syslog-ng as one UID, splunkd as another UID, and you can have syslog-ng write files using yet another UID, etc. Do not rely on logrotate to handle owner, group, perm.

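The two fixes discussed in this thread, the /dev/log socket relocated to a directory the syslog-ng user can write (the symlink suggestion above) and file destinations with explicit owner/group/perm settings (the post just above), put together as one added example. This is not code from any poster or from the syslog-ng project; the user name syslog, the group name splunk, the socket directory /run/syslog-ng and the log directory /var/log/syslog-ng are assumptions, and check_log_perms assumes GNU coreutils stat(1). Note that mode 640 is rw-r-----: readable by the group, not by everyone (rw-r--r-- would be 644).

```shell
#!/bin/sh
# Added example, not from this thread or from syslog-ng. Combines two fixes:
#  - /dev/log becomes a symlink to a socket in a directory owned by the
#    non-root syslog-ng user, so a stale socket can be unlinked at restart
#    (otherwise bind() fails with "Address already in use").
#  - file destinations carry explicit owner/group/perm, so files are owned
#    by the syslog-ng user and readable by Splunk's group only.
# Assumed names (not from the page): user 'syslog', group 'splunk',
# socket dir /run/syslog-ng, log dir /var/log/syslog-ng.

SYSLOG_USER=${SYSLOG_USER:-syslog}
SPLUNK_GROUP=${SPLUNK_GROUP:-splunk}
SOCK_DIR=${SOCK_DIR:-/run/syslog-ng}
LOG_DIR=${LOG_DIR:-/var/log/syslog-ng}

# One-time setup, run as root. connect(2) follows the /dev/log symlink, so
# local programs that log to /dev/log need no change.
setup_dirs() {
    mkdir -p "$SOCK_DIR" "$LOG_DIR"
    chown "$SYSLOG_USER:$SYSLOG_USER" "$SOCK_DIR"
    chmod 0755 "$SOCK_DIR"
    chown "$SYSLOG_USER:$SPLUNK_GROUP" "$LOG_DIR"
    chmod 0750 "$LOG_DIR"
    ln -sfn "$SOCK_DIR/log" /dev/log
}

# syslog-ng.conf for a non-root syslog-ng writing Splunk-readable files.
render_conf() {
    cat <<EOF
@version: 3.5

options {
    # Defaults for every file destination: owned by syslog-ng, readable by
    # the Splunk group, not readable by anyone else.
    owner("$SYSLOG_USER"); group("$SPLUNK_GROUP"); perm(0640);
    dir_owner("$SYSLOG_USER"); dir_group("$SPLUNK_GROUP"); dir_perm(0750);
    create_dirs(yes);
};

# Relocated local socket. No system() source: reading the kernel log
# needs root, which this instance does not have.
source s_local {
    unix-dgram("$SOCK_DIR/log" perm(0666));
    internal();
};

destination d_splunk {
    file("$LOG_DIR/\${HOST}/messages.log"
         owner("$SYSLOG_USER") group("$SPLUNK_GROUP") perm(0640)
         dir_owner("$SYSLOG_USER") dir_group("$SPLUNK_GROUP") dir_perm(0750)
         create_dirs(yes));
};

log { source(s_local); destination(d_splunk); };
EOF
}

# Verify a written log file matches the policy: mode 0640 and the Splunk
# group. Returns 0 on pass, 1 on failure (a missing file is a failure).
check_log_perms() {
    file=$1
    want_group=$2
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    group=$(stat -c '%G' "$file" 2>/dev/null) || return 1
    [ "$mode" = "640" ] && [ "$group" = "$want_group" ]
}
```

Run render_conf to produce the configuration, run setup_dirs once as root, then start syslog-ng as the syslog user; since a non-root process cannot manage capabilities, the "Error setting capabilities" line from the second post goes away only if capability handling is switched off with syslog-ng's --no-caps option. After the first message arrives, check_log_perms on the written file confirms that splunkd, running as a different user in the splunk group, can read it while nobody else can.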