[英]Syslog-ng service error on restart - syslog forward to Qradar
Hopefully my qeustion is in the right place.希望我的问题是在正确的地方。
I am currently trying to forward syslogs from an Ubuntu machine to a Qradar machine.我目前正在尝试将系统日志从 Ubuntu 机器转发到 Qradar 机器。 They're on the same network and i already managed to get Rsyslog to work, but it isn't supported by Qradar.
他们在同一个网络上,我已经设法让 Rsyslog 工作,但 Qradar 不支持它。 Therefore, i had to switch to Syslog-ng.
因此,我不得不切换到 Syslog-ng。
The official IBM documentation states that it's as easy as adding some lines to the /etc/syslog-ng/syslog-ng.conf file: IBM 官方文档指出,只需在 /etc/syslog-ng/syslog-ng.conf 文件中添加几行代码即可:
source qr_source {
internal();
system();
};
filter qr_filter {
facility(auth, authpriv);
};
destination qr_destination {
tcp("<qradar_ip_address>" port(514));
};
log{
source(qr_source);
filter(qr_filter);
destination(qr_destination);
};
Unfortunately when i do so and have to restart syslog-ng, it will give me erorrs.不幸的是,当我这样做并且必须重新启动 syslog-ng 时,它会给我带来错误。
******@****:/etc/syslog-ng$ sudo service syslog-ng restart
Job for syslog-ng.service failed because the control process exited with error code.
See "systemctl status syslog-ng.service" and "journalctl -xe" for details.
******@*****:/etc/syslog-ng$ syslog-ng
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
[2021-05-23T19:53:13.519942] Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Address already in use (98)'
[2021-05-23T19:53:13.536721] Error creating persistent state file; filename='/var/lib/syslog-ng/syslog-ng.persist-', error='Permission denied (13)'
Obviously i am sudo user.显然我是 sudo 用户。 I also noticed that the line of code that generate the error is the log related one.
我还注意到生成错误的代码行是与日志相关的代码行。 I did add SYSLOGNG_OPTS="--no-caps".
我确实添加了 SYSLOGNG_OPTS="--no-caps"。 I did try stop and start instead of restart.
我确实尝试停止并启动而不是重新启动。 I literally have no idea how to proceed here and i'm kind of desperate.
我真的不知道如何在这里进行,我有点绝望。 If anyone can offer any help it would be greatly appreciated.
如果有人可以提供任何帮助,将不胜感激。
Thank you.谢谢你。
My workaround is a bit peculiar.我的解决方法有点奇怪。 I was desperate as well, trying to run syslog-ng in a docker container.
我也很绝望,试图在 docker 容器中运行 syslog-ng。 The configuration that worked is as follows.
有效的配置如下。 Replace the last line in
/etc/default/syslog-ng
with SYSLOGNG_OPTS="--caps cap_sys_admin,cap_chown,cap_dac_override,cap_net_bind_service,cap_fowner=eip"
.将
/etc/default/syslog-ng
中的最后一行替换为SYSLOGNG_OPTS="--caps cap_sys_admin,cap_chown,cap_dac_override,cap_net_bind_service,cap_fowner=eip"
。 However, run syslog-ng --no-caps
when it comes to the execution.但是,在执行时运行
syslog-ng --no-caps
。 I hope you will get as surprised as I was我希望你会像我一样感到惊讶
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.