堆栈内存溢出
  简体   繁体   English

重启时出现 Syslog-ng 服务错误 - syslog 转发到 Qradar

[英]Syslog-ng service error on restart - syslog forward to Qradar

 原文  2021-05-23 19:43:20       ubuntu/ debian/ forwarding/ syslog-ng/ qradar

问题描述

Hopefully my qeustion is in the right place.希望我的问题是在正确的地方。

I am currently trying to forward syslogs from an Ubuntu machine to a Qradar machine.我目前正在尝试将系统日志从 Ubuntu 机器转发到 Qradar 机器。 They're on the same network and i already managed to get Rsyslog to work, but it isn't supported by Qradar.他们在同一个网络上,我已经设法让 Rsyslog 工作,但 Qradar 不支持它。 Therefore, i had to switch to Syslog-ng.因此,我不得不切换到 Syslog-ng。

The official IBM documentation states that it's as easy as adding some lines to the /etc/syslog-ng/syslog-ng.conf file: IBM 官方文档指出,只需在 /etc/syslog-ng/syslog-ng.conf 文件中添加几行代码即可:

 source qr_source {
    internal();
    system();
};
filter qr_filter {
    facility(auth, authpriv);
};
destination qr_destination {
    tcp("<qradar_ip_address>" port(514));
};
log{
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};

Unfortunately when i do so and have to restart syslog-ng, it will give me erorrs.不幸的是,当我这样做并且必须重新启动 syslog-ng 时,它会给我带来错误。

******@****:/etc/syslog-ng$ sudo service syslog-ng restart
Job for syslog-ng.service failed because the control process exited with error code.
See "systemctl status syslog-ng.service" and "journalctl -xe" for details.
******@*****:/etc/syslog-ng$ syslog-ng
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
[2021-05-23T19:53:13.519942] Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Address already in use (98)'
[2021-05-23T19:53:13.536721] Error creating persistent state file; filename='/var/lib/syslog-ng/syslog-ng.persist-', error='Permission denied (13)'

Obviously i am sudo user.显然我是 sudo 用户。 I also noticed that the line of code that generate the error is the log related one.我还注意到生成错误的代码行是与日志相关的代码行。 I did add SYSLOGNG_OPTS="--no-caps".我确实添加了 SYSLOGNG_OPTS="--no-caps"。 I did try stop and start instead of restart.我确实尝试停止并启动而不是重新启动。 I literally have no idea how to proceed here and i'm kind of desperate.我真的不知道如何在这里进行,我有点绝望。 If anyone can offer any help it would be greatly appreciated.如果有人可以提供任何帮助,将不胜感激。

Thank you.谢谢你。

1 个解决方案

解决方案1
 0  2021-07-06 13:35:12

My workaround is a bit peculiar.我的解决方法有点奇怪。 I was desperate as well, trying to run syslog-ng in a docker container.我也很绝望,试图在 docker 容器中运行 syslog-ng。 The configuration that worked is as follows.有效的配置如下。 Replace the last line in /etc/default/syslog-ng with SYSLOGNG_OPTS="--caps cap_sys_admin,cap_chown,cap_dac_override,cap_net_bind_service,cap_fowner=eip" ./etc/default/syslog-ng中的最后一行替换为SYSLOGNG_OPTS="--caps cap_sys_admin,cap_chown,cap_dac_override,cap_net_bind_service,cap_fowner=eip" However, run syslog-ng --no-caps when it comes to the execution.但是,在执行时运行syslog-ng --no-caps I hope you will get as surprised as I was我希望你会像我一样感到惊讶

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 syslog-ng用于多个来源 - syslog-ng for multiple sources 使用宏自定义日志目标 syslog-ng - Customizing log destination syslog-ng using macros 带有 mysql phpmyamdin 的 Syslog-NG 不实时存储数据? - Syslog-NG with mysql phpmyamdin not storing data real time? tomcat 服务出现错误并具有连续的 Syslog - tomcat service getting error and having contionous Syslog 防止将 systemd 服务日志转发到 syslog,而不影响发送到 syslog 的其他服务日志 - Prevent forwarding of systemd service logs to syslog without affecting other service logs sent to syslog docker 系统日志 | 如何配置 docker 以启用 syslog - docker syslog | how to configure docker to enable syslog PhantomJS并记录到系统日志 - PhantomJS and logging to the syslog 如何在 ubuntu 中查看系统日志? - How to view syslog in ubuntu? 将系统日志保存到特定文件中 - keeping syslog into a specific file 如果不重新启动守护程序,Log4j SyslogAppender将不会登录到syslog - Log4j SyslogAppender won't log to syslog without daemon restart
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM