syslog-ng won't start because error binding socket with permission denied
Solved!
As @Alexander pointed out, the problem was that SELinux was blocking the port, but I'm receiving the logs in 515 so I cannot change it.
The solution was to set SELinux from enforcing to permissive with setenforce 0.
Additionally, I've changed the config file to apply this configuration after restart by changing the line SELINUX=permissive
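An added example, not part of the original answer: a narrower alternative to permissive mode is to give tcp/515 a port label that the syslog domain is allowed to bind. The script extracts name_bind denials from audit records and builds the matching semanage command, choosing -m when the port already carries a label. The audit records and port listing are constructed samples, and the `syslogd_t` domain and `syslogd_port_t` target type are assumptions about the host's policy.

```bash
#!/bin/sh
# Added example: turn SELinux name_bind denials into a port-label fix.
# Assumption: the daemon runs as syslogd_t and syslogd_port_t is the target type.
# Constructed audit records (not taken from the poster's machine).
SAMPLE_AUDIT='type=AVC msg=audit(1538406828.129:412): avc:  denied  { name_bind } for  pid=18670 comm="syslog-ng" src=515 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:printer_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1538406830.001:413): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'
# Constructed excerpt of `semanage port -l` output.
SAMPLE_PORTS='printer_port_t                 tcp      515
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601'

# Print "comm port proto" for each denied name_bind in audit records on stdin.
denied_binds() {
  grep denied | grep name_bind |
    sed -n 's/.*comm="\([^"]*\)".* src=\([0-9]*\) .*tclass=\([a-z]*\)_socket.*/\1 \2 \3/p'
}

# Print the type assigned to <proto> <port> in a port listing on stdin
# (port ranges such as 5900-5983 are not expanded).
port_type() {
  awk -v proto="$1" -v port="$2" '$2 == proto {
    for (i = 3; i <= NF; i++) {
      p = $i; sub(/,/, "", p)
      if (p == port) { print $1; exit }
    }
  }'
}

# Build the fix for <proto> <port> <current-type-or-empty>:
# nothing if already correct, -m if the port has another label
# (semanage port -a refuses an already-defined port), -a otherwise.
relabel_cmd() {
  [ "$3" = syslogd_port_t ] && return 0
  action=-a
  [ -n "$3" ] && action=-m
  echo "semanage port $action -t syslogd_port_t -p $1 $2"
}

main() {
  printf '%s\n' "$SAMPLE_AUDIT" | denied_binds | while read -r comm port proto; do
    current=$(printf '%s\n' "$SAMPLE_PORTS" | port_type "$proto" "$port")
    echo "# $comm denied bind on $proto/$port (current label: ${current:-none})"
    relabel_cmd "$proto" "$port" "$current"
  done
}
main
```

On a live host, feed the functions real data instead of the samples: `ausearch -m avc -ts recent | denied_binds` and `semanage port -l | port_type tcp 515`.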
Jorge Cabrera
Updated on September 18, 2022
Comments
-
Jorge Cabrera over 1 year
I've recently rebooted one of my machines after a long time and now I'm having a lot of problems with configuration changes.
The syslog-ng service is not working anymore, with the following error from journalctl:
```
-- Unit syslog-ng.service has begun starting up.
Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: syslog-ng.service: Got notification message from PID 18672, but reception only permitted for main PID 18670
Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.128987] WARNING: window sizing for tcp sources were changed in syslog-ng 3.3, the configuration value was divided by the value of max-con
Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.129414] Error binding socket; addr='AF_INET(0.0.0.0:515)', error='Permission denied (13)'
Oct 01 17:13:48 SIEM-ConnLinuxLR syslog-ng[18670]: [2018-10-01T17:13:48.129438] Error initializing message pipeline;
Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Oct 01 17:13:48 SIEM-ConnLinuxLR systemd[1]: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has failed.
--
-- The result is failed.
```
Here is the service configuration:
```
[Unit]
Description=System Logger Daemon
Documentation=man:syslog-ng(8)
After=network.target

[Service]
Type=notify
User=root
Group=root
ExecStart=/usr/sbin/syslog-ng -p /var/run/syslogd.pid
ExecReload=/bin/kill -HUP $MAINPID
EnvironmentFile=-/etc/syslog-ng
EnvironmentFile=-/etc/default/syslog-ng
EnvironmentFile=-/etc/sysconfig/syslog-ng
StandardOutput=journal
StandardError=journal
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
So, as you can see, it is supposed to be running as root, but it's still returning an error='Permission denied (13)'. The funny thing is that if I try to run the command from the console, /usr/sbin/syslog-ng -p /var/run/syslogd.pid, then it works perfectly without any kind of error.

EDIT1:
No other process is running in port 515, as I said when I try to run command manually it works perfectly.
I'm adding syslog configuration:
```
@version:3.7
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"
```
Configuration from apache.conf
```
source s_net_t515 {
    network(
        transport("tcp")
        port(515)
        log-msg-size(2097152)
        max-connections(100)
    );
};

destination d_apachea { file("/opt/arcsight/logs/Apache/${HOST}.log"); };
destination d_apachee { file("/opt/arcsight/logs/Apache/error/${HOST}-error.log"); };
destination d_a { file("/opt/arcsight/logs/Apache/test.log"); };

filter f_apachea {
    (netmask(***.***.***.5/32) or netmask(***.***.***.6/32))
    and not message('error]')
    and message('.*\d+\s\d+\s\".*') ;
};
filter f_apachee {
    (netmask(***.***.***.5/32) or netmask(***.***.***.6/32))
    and message('error]');
};

log { source(s_net_t515); filter(f_apachea); destination(d_apachea); };
log { source(s_net_t515); filter(f_apachee); destination(d_apachee); };
```
-
Lewis M over 5 years
Do you have anything else already listening on port 515? For example, do you have rsyslog or another syslog-ng instance running? What does "netstat -anv | grep 515" give you?
-
JdeBP over 5 years
You need to edit the question to tell answerers what your configuration file says, paying particular attention to users and groups.
-
Mark Stosberg over 5 years
Did you intend to bind to port 0.0.0.0? That means your log server is accessible from the network, not just locally.
-