I recently installed Nagios Log Server on a RHEL 7 server. I am unable to get Java to listen on a privileged port (below 1024) without changing the user to root. Your instructions state to add an entry to /etc/sysconfig/logstash to enable setcap, but this doesn't work with RHEL 7. Is there a different parameter needed in /etc/sysconfig/logstash for RHEL 7?
Logstash and Elasticsearch run fine with ES_USER=root, ES_GROUP=nagios, LS_USER=root and LS_GROUP=nagios. I'd prefer not to run the Nagios Log Server application as root. Is there a workaround for this?
RHEL 7 running nagioslogserver as unprivileged user
roddergreg
sreinhardt
Re: RHEL 7 running nagioslogserver as unprivileged user
setcap should still work, but this is more than likely related to trusted path issues, not so much permissions, once setcap is enabled. Are you getting any specific error messages in the Logstash logs or /var/log/messages when starting the service with a non-root user, setcap enabled, and low ports enabled? After starting the service, let's try a couple of things:
Code:
netstat -naop | grep 514 (assuming this is the port you are looking to open)
grep logstash /var/log/messages
tail -n 25 /var/log/logstash/logstash.log
roddergreg
Re: RHEL 7 running nagioslogserver as unprivileged user
With setcap enabled in /etc/sysconfig/logstash:
LS_USER=nagios
LS_GROUP=nagios
Logstash fails immediately. No ports open, etc.
Has anyone running RHEL 7 used ports below 1024 with nagios logserver? Has it been tested previously?
Code:
{:timestamp=>"2015-01-15T09:34:50.749000-0500", :message=>"UDP listener died", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/usr/local/nagioslogserver/logstash/lib/logstash/inputs/udp.rb:69:in `udp_listener'", "/usr/local/nagioslogserver/logstash/lib/logstash/inputs/udp.rb:50:in `run'", "/usr/local/nagioslogserver/logstash/lib/logstash/pipeline.rb:163:in `inputworker'", "/usr/local/nagioslogserver/logstash/lib/logstash/pipeline.rb:157:in `start_input'"], :level=>:warn}
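The checks sreinhardt asks for, and the log line just posted, can be worked through with the following triage script. It is an added example for this thread, not Nagios Log Server code. Two things it encodes: first, the exception in the log above is "bind: name or service not known", which is getaddrinfo() failing on the `host =>` value of the udp input, a different failure from the EACCES ("Permission denied") you get when a non-root process without cap_net_bind_service binds a port below 1024; second, the "trusted path" caveat sreinhardt alludes to: a file capability makes ld.so run the binary in secure-execution mode, where LD_LIBRARY_PATH is ignored and $ORIGIN in the binary's RPATH is not expanded, which is exactly how the java launcher finds libjli.so. JAVA_BIN, LOG and PORT defaults are assumptions; point them at the JVM the Logstash init script really launches (`ps -o args -C java`), since the capability sits on that one file, not on a symlink to it.

```shell
#!/usr/bin/env bash
# Added triage helper for this thread; not Nagios Log Server code.
# Run as root on the RHEL 7 box after a failed start with LS_USER=nagios.
# JAVA_BIN/LOG/PORT are assumed defaults; override them in the environment.
JAVA_BIN="${JAVA_BIN:-/usr/bin/java}"
LOG="${LOG:-/var/log/logstash/logstash.log}"
PORT="${PORT:-514}"

# Classify the exception Logstash logs when an input listener dies.
# Prints one of: perms | resolve | inuse | other
#   perms    EACCES: low port, process has neither root nor cap_net_bind_service
#   resolve  getaddrinfo() failed: the `host =>` in the udp/tcp input block is
#            not a resolvable name or a literal IP (the error in the log above)
#   inuse    EADDRINUSE: another process already owns the port
classify_listener_error() {
    local line="${1:-$(cat)}"
    case "$line" in
        *"Permission denied"*)                                        echo perms ;;
        *"name or service not known"*|*"Name or service not known"*)  echo resolve ;;
        *"Address already in use"*)                                   echo inuse ;;
        *)                                                            echo other ;;
    esac
}

# True if a getcap(8) line grants cap_net_bind_service in the effective set.
# libcap on RHEL 7 prints "/path/java = cap_net_bind_service+ep"; newer libcap
# prints "/path/java cap_net_bind_service=ep". "+p" alone is not enough.
cap_has_bind() {
    case "$1" in
        *cap_net_bind_service*) ;;
        *) return 1 ;;
    esac
    local flags="${1##*[+=]}"     # letters after the last '+' or '=' are the flag set
    case "$flags" in
        *e*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Capability present on the real binary, and does the JVM still start as the
# service user? With a file capability the loader runs in secure-execution
# mode (LD_LIBRARY_PATH ignored, $ORIGIN in RPATH not expanded), so java can
# die with "error while loading shared libraries: libjli.so" before bind() is
# ever reached. The fix is an ld.so.conf.d entry for the jli directory, not root.
check_java_caps() {
    local bin caps
    bin="$(readlink -f "$1" 2>/dev/null || echo "$1")"
    caps="$(getcap "$bin" 2>/dev/null)"
    if cap_has_bind "$caps"; then
        echo "ok: $bin carries cap_net_bind_service (effective)"
    else
        echo "missing: as root run: setcap cap_net_bind_service=+ep $bin"
    fi
    if ! su -s /bin/sh -c "'$bin' -version" nagios >/dev/null 2>&1; then
        echo "warning: '$bin -version' fails as nagios; if it names libjli.so," \
             "add that directory to /etc/ld.so.conf.d/java-jli.conf and run ldconfig"
    fi
}

# Anything bound to the syslog port? RHEL 7 ships ss(8); netstat needs net-tools.
check_listener() {
    if ss -lunp 2>/dev/null | grep -q ":$1 "; then
        echo "listening on udp/$1"
    else
        echo "nothing bound to udp/$1"
    fi
}

case "${1:-}" in
    --check)
        check_java_caps "$JAVA_BIN"
        check_listener "$PORT"
        # Most recent "listener died" lines, each tagged with its likely cause.
        grep 'listener died' "$LOG" 2>/dev/null | tail -n 5 | while IFS= read -r l; do
            printf '%s: ' "$(classify_listener_error "$l")"
            printf '%s\n' "$l" | cut -c1-120
        done
        ;;
esac
```

Run it as `./triage.sh --check`. If the classifier reports `resolve`, the udp input's `host =>` setting (or name resolution on the box) is the thing to fix, and no amount of setcap or running as root will change that line; `perms` is the case the capability addresses.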
Re: RHEL 7 running nagioslogserver as unprivileged user
You may need to be LS_USER=root to be able to use ports below 1024. Is there an option for you to just use a higher port range?
/Luke
roddergreg
Re: RHEL 7 running nagioslogserver as unprivileged user
This isn't really a viable option. Some of our network equipment doesn't allow you to change the port. Most of them send on port 514 over udp.
Re: RHEL 7 running nagioslogserver as unprivileged user
You can use iptables (or whatever RHEL 7 calls it now) to do port forwarding within the box. So you can forward port 514 to 5544 using iptables. I'm not an expert on this, but have followed these directions before to accomplish something similar. http://www.fclose.com/816/port-forwardi ... -iptables/
Also, if that doesn't work, you may be able to use SSH port forwarding to leave open an SSH tunnel that forwards things to where you need them.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
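The in-box redirect Eric describes, worked through for RHEL 7 as an added example (not from the post, not Nagios code). Devices keep sending to udp/514 and the kernel rewrites only the destination port, so the sender's source IP survives into Logstash's `host` field, and Logstash binds 5544 as the nagios user with no capability at all. Port 5544 is the example value from the post; PROTO/LOW_PORT/HIGH_PORT are assumptions to adjust. One caveat on the SSH alternative: `ssh -L`/`-R` tunnels carry TCP only, so they cannot help with udp/514. A second: rules added with plain `iptables` while firewalld is running are discarded on the next `firewall-cmd --reload`, which is why the apply path uses firewalld.

```shell
#!/usr/bin/env bash
# Added example for the redirect suggested above; not Nagios Log Server code.
# Assumed ports/protocol; change HIGH_PORT to match `port =>` in the udp input.
PROTO="${PROTO:-udp}"
LOW_PORT="${LOW_PORT:-514}"
HIGH_PORT="${HIGH_PORT:-5544}"

# 0 (true) for ports that need root or cap_net_bind_service to bind.
is_privileged_port() { [ "$1" -gt 0 ] && [ "$1" -lt 1024 ]; }

# Plain iptables form. PREROUTING only sees packets arriving from the network;
# a process on the box itself sending to 127.0.0.1:514 traverses OUTPUT instead,
# so pass any 4th argument to cover the loopback path as well.
iptables_redirect_rules() {
    local proto="$1" from="$2" to="$3" local_too="${4:-}"
    echo "iptables -t nat -A PREROUTING -p $proto --dport $from -j REDIRECT --to-ports $to"
    if [ -n "$local_too" ]; then
        echo "iptables -t nat -A OUTPUT -o lo -p $proto --dport $from -j REDIRECT --to-ports $to"
    fi
}

# firewalld form, the default front end on RHEL 7. Lands in the default zone;
# add --zone=... if the syslog senders arrive on a different one.
firewalld_forward_cmds() {
    local proto="$1" from="$2" to="$3"
    echo "firewall-cmd --permanent --add-forward-port=port=$from:proto=$proto:toport=$to"
    echo "firewall-cmd --reload"
}

# Matching Logstash input: listen on the high port, which the nagios user may bind.
logstash_udp_input() {
    cat <<EOF
input {
  udp {
    port => $1
    type => "syslog"
  }
}
EOF
}

# After applying: is the REDIRECT in the nat table (firewalld puts it in a
# sub-chain with a mark match, hence the .* in the pattern), and is something
# actually bound to the high port?
verify_redirect() {
    local proto="$1" from="$2" to="$3"
    if iptables -t nat -S 2>/dev/null | grep -q -- "--dport $from .*-j REDIRECT --to-ports $to"; then
        echo "nat: $proto/$from -> $to"
    else
        echo "nat: no REDIRECT rule for $proto/$from"
    fi
    if ss -lunp 2>/dev/null | grep -q ":$to "; then
        echo "listener: bound to $proto/$to"
    else
        echo "listener: nothing on $proto/$to (is Logstash running as nagios?)"
    fi
}

case "${1:-}" in
    --print)    # show what would be done, without touching the box
        is_privileged_port "$LOW_PORT" || echo "note: $LOW_PORT is not privileged; no redirect needed"
        iptables_redirect_rules "$PROTO" "$LOW_PORT" "$HIGH_PORT" local
        echo; firewalld_forward_cmds "$PROTO" "$LOW_PORT" "$HIGH_PORT"
        echo; logstash_udp_input "$HIGH_PORT"
        ;;
    --apply)    # run as root; firewalld owns the rules on RHEL 7
        firewalld_forward_cmds "$PROTO" "$LOW_PORT" "$HIGH_PORT" | sh -e
        verify_redirect "$PROTO" "$LOW_PORT" "$HIGH_PORT"
        ;;
esac
```

`./redirect.sh --print` shows the rules and the input block; `--apply` installs the firewalld forward-port and verifies it. Confirm the persistent rule with `firewall-cmd --list-forward-ports`, then point a test sender at udp/514 and watch for the event in Logstash.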