syslog-ng won't start because error binding socket with permission denied


Solved!

As @Alexander pointed out, the problem was that SELinux was blocking the port, but I'm receiving the logs on 515 so I cannot change it.

The solution was to set SELinux from enforcing to permissive with setenforce 0. Additionally, I've changed the config file to apply this configuration after restart by changing the line to SELINUX=permissive.


Author by

Jorge Cabrera

Updated on September 18, 2022
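
The answer above clears the bind error by putting SELinux into permissive mode for the whole host. As an added example (not part of the original answer), the script below works out the narrower alternative: the `semanage port` command that labels tcp/515 for syslog while SELinux stays enforcing. The `semanage port -l` listing is a constructed sample, and `syslogd_port_t` as the target type is an assumption based on the stock targeted policy.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample of
# `semanage port -l` output; on a real host pipe the command's output in instead.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

printer_port_t                 tcp      515
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Print every SELinux type defined for exactly PROTO/PORT in the listing on stdin.
exact_port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)
                if (spec == port) { print $1; break }
            }
        }'
}

# Print the semanage command that gives PROTO/PORT the type WANT.
# -m is needed when the exact port is already defined with another type
# (semanage -a refuses it as "already defined"); -a is for everything else.
label_command() {
    types=$(exact_port_types "$1" "$2")
    if printf '%s\n' "$types" | grep -qx "$3"; then
        echo "already labelled"
    elif [ -n "$types" ]; then
        echo "semanage port -m -t $3 -p $1 $2"
    else
        echo "semanage port -a -t $3 -p $1 $2"
    fi
}

# Assumption: syslog-ng runs in the syslogd_t domain, which may bind syslogd_port_t.
printf '%s\n' "$SAMPLE_PORTS" | label_command tcp 515 syslogd_port_t
```

On a real host, replace the sample with `semanage port -l | label_command tcp 515 syslogd_port_t`, run the printed command as root, and restart syslog-ng.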

Comments

  • Jorge Cabrera
    Jorge Cabrera over 1 year

    I've recently rebooted one of my machines after a long time and now I'm having a lot of problems with configuration changes.

    syslog-ng service is not working anymore with the following error from journalctl:

    -- Unit syslog-ng.service has begun starting up.
    Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: syslog-ng.service: Got notification message from PID 18672, but reception only permitted for main PID 18670
    Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.128987] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-con
    Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.129414] Error binding socket; addr='AF_INET(0.0.0.0:515)', error='Permission denied (13)'
    Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.129438] Error initializing message pipeline;
    Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
    Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: Failed to start System Logger Daemon.
    -- Subject: Unit syslog-ng.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit syslog-ng.service has failed.
    --
    -- The result is failed.
    

    Here is the service configuration:

    [Unit]
    Description=System Logger Daemon
    Documentation=man:syslog-ng(8)
    After=network.target
    
    [Service]
    Type=notify
    User=root
    Group=root
    ExecStart=/usr/sbin/syslog-ng -p /var/run/syslogd.pid
    ExecReload=/bin/kill -HUP $MAINPID
    EnvironmentFile=-/etc/syslog-ng
    EnvironmentFile=-/etc/default/syslog-ng
    EnvironmentFile=-/etc/sysconfig/syslog-ng
    StandardOutput=journal
    StandardError=journal
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    

    So, as you can see, it is supposed to be running as root but it's still returning an error='Permission denied (13)'. The funny thing is that if I try to run the command from the console, /usr/sbin/syslog-ng -p /var/run/syslogd.pid, then it works perfectly without any kind of error.

    EDIT1:

    No other process is running on port 515; as I said, when I try to run the command manually it works perfectly.

    I'm adding syslog configuration:

    @version:3.7
    @include "scl.conf"
    
    # syslog-ng configuration file.
    #
    # This should behave pretty much like the original syslog on RedHat. But
    # it could be configured a lot smarter.
    #
    # See syslog-ng(8) and syslog-ng.conf(5) for more information.
    #
    # Note: it also sources additional configuration files (*.conf)
    #       located in /etc/syslog-ng/conf.d/
    
    options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        chain_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
    };
    
    source s_sys {
        system();
        internal();
        # udp(ip(0.0.0.0) port(514));
    };
    
    destination d_cons { file("/dev/console"); };
    destination d_mesg { file("/var/log/messages"); };
    destination d_auth { file("/var/log/secure"); };
    destination d_mail { file("/var/log/maillog" flush_lines(10)); };
    destination d_spol { file("/var/log/spooler"); };
    destination d_boot { file("/var/log/boot.log"); };
    destination d_cron { file("/var/log/cron"); };
    destination d_kern { file("/var/log/kern"); };
    destination d_mlal { usertty("*"); };
    
    filter f_kernel     { facility(kern); };
    filter f_default    { level(info..emerg) and
                            not (facility(mail)
                            or facility(authpriv)
                            or facility(cron)); };
    filter f_auth       { facility(authpriv); };
    filter f_mail       { facility(mail); };
    filter f_emergency  { level(emerg); };
    filter f_news       { facility(uucp) or
                            (facility(news)
                            and level(crit..emerg)); };
    filter f_boot   { facility(local7); };
    filter f_cron   { facility(cron); };
    
    #log { source(s_sys); filter(f_kernel); destination(d_cons); };
    log { source(s_sys); filter(f_kernel); destination(d_kern); };
    log { source(s_sys); filter(f_default); destination(d_mesg); };
    log { source(s_sys); filter(f_auth); destination(d_auth); };
    log { source(s_sys); filter(f_mail); destination(d_mail); };
    log { source(s_sys); filter(f_emergency); destination(d_mlal); };
    log { source(s_sys); filter(f_news); destination(d_spol); };
    log { source(s_sys); filter(f_boot); destination(d_boot); };
    log { source(s_sys); filter(f_cron); destination(d_cron); };
    
    
    # Source additional configuration files (.conf extension only)
    @include "/etc/syslog-ng/conf.d/*.conf"
    

    Configuration from apache.conf

    source s_net_t515 {
         network(
             transport("tcp")
             port(515)
             log-msg-size(2097152)
             max-connections(100)
         );
    };
    
    destination d_apachea { file("/opt/arcsight/logs/Apache/${HOST}.log"); };
    
    destination d_apachee {
            file("/opt/arcsight/logs/Apache/error/${HOST}-error.log");
    };
    
    destination d_a {
            file("/opt/arcsight/logs/Apache/test.log");
    };
    
    filter f_apachea { (netmask(***.***.***.5/32) or netmask(***.***.***.6/32)) and not message('error]') and  message('.*\d+\s\d+\s\".*') ; };
    filter f_apachee { (netmask(***.***.***.5/32) or netmask(***.***.***.6/32)) and message('error]'); };
    
    log {
            source(s_net_t515);
            filter(f_apachea);
            destination(d_apachea);
    };
    
    log {
            source(s_net_t515);
            filter(f_apachee);
            destination(d_apachee);
    };
    
    • Lewis M
      Lewis M over 5 years
      Do you have anything else already listening on port 515? For example, do you have rsyslog or another syslog-ng instance running? What does "netstat -anv | grep 515" give you?
    • JdeBP
      JdeBP over 5 years
      You need to edit the question to tell answerers what your configuration file says, paying particular attention to users and groups.
    • Mark Stosberg
      Mark Stosberg over 5 years
      Did you intend to bind to port 0.0.0.0? That means your log server is accessible from the network, not just locally.