
RHEL 7 running nagioslogserver as unprivileged user

Posted: Wed Jan 14, 2015 12:49 pm
by roddergreg
I recently installed Nagios Log Server on a RHEL 7 server. I am unable to get Java to listen on a privileged port (below 1024) without modifying the user to root. Your instructions state to add an entry to the /etc/sysconfig/logstash to enable the setcap. But this doesn't work with RHEL 7. Is there a different parameter needed in the /etc/sysconfig/logstash for RHEL 7?

Logstash and Elasticsearch run fine when ES_USER=root ES_GROUP=nagios and LS_USER=root LS_GROUP=nagios. I'd prefer not to run the nagioslogserver application as root. Is there a workaround for this?

Re: RHEL 7 running nagioslogserver as unprivileged user

Posted: Wed Jan 14, 2015 4:14 pm
by sreinhardt
setcap should still work, but this is more than likely related to trusted path issues, not so much permissions, once setcap is enabled. Are you getting any specific error messages in the logstash logs or /var/log/messages when starting the service with a non-root user, setcap enabled, and low ports enabled? After starting the service, let's try a couple of things:

Code:

netstat -naop | grep 514   # assuming this is the port you are looking to open
grep logstash /var/log/messages
tail -n 25 /var/log/logstash/logstash.log

Re: RHEL 7 running nagioslogserver as unprivileged user

Posted: Thu Jan 15, 2015 9:38 am
by roddergreg
With setcap enabled in the /etc/sysconfig/logstash.

LS_USER=nagios
LS_GROUP=nagios.

Logstash fails immediately. No ports open, etc.

Code:

{:timestamp=>"2015-01-15T09:34:50.749000-0500", :message=>"UDP listener died", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/usr/local/nagioslogserver/logstash/lib/logstash/inputs/udp.rb:69:in `udp_listener'", "/usr/local/nagioslogserver/logstash/lib/logstash/inputs/udp.rb:50:in `run'", "/usr/local/nagioslogserver/logstash/lib/logstash/pipeline.rb:163:in `inputworker'", "/usr/local/nagioslogserver/logstash/lib/logstash/pipeline.rb:157:in `start_input'"], :level=>:warn}

Has anyone running RHEL 7 used ports below 1024 with Nagios Log Server? Has it been tested previously?

Re: RHEL 7 running nagioslogserver as unprivileged user

Posted: Fri Jan 16, 2015 10:50 am
by lgroschen
You may need to be LS_USER=root to be able to use ports below 1024. Is there an option for you to just use a higher port range?

Re: RHEL 7 running nagioslogserver as unprivileged user

Posted: Thu Jan 22, 2015 12:31 pm
by roddergreg
This isn't really a viable option. Some of our network equipment doesn't allow you to change the port. Most of them send on port 514 over UDP.

Re: RHEL 7 running nagioslogserver as unprivileged user

Posted: Thu Jan 22, 2015 12:47 pm
by eloyd
You can use iptables (or whatever RHEL 7 calls it now) to do port forwarding within the box. So you can forward port 514 to 5544 using iptables. I'm not an expert on this, but have followed these directions before to accomplish something similar. http://www.fclose.com/816/port-forwardi ... -iptables/

Also, if that doesn't work, you may be able to use SSH port forwarding to leave open an SSH tunnel that forwards things to where you need them.
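
The in-box redirect described in the post above, as an added example that is not part of the original thread and not Nagios code: it generates the firewalld or iptables rules that send port 514 to 5544 so Logstash can stay on LS_USER=nagios. The function names and the script name `redirect514.sh` are hypothetical, and it assumes the Logstash syslog input has been reconfigured to listen on 5544.

```sh
#!/bin/sh
# Added example (not from the thread): redirect syslog port 514 to an
# unprivileged port so Logstash can keep LS_USER=nagios.
# Assumption: the Logstash syslog input is reconfigured to listen on 5544.

# Accept only decimal ports 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# firewalld commands (RHEL 7's default firewall front end).
firewalld_cmds() {
    valid_port "$1" && valid_port "$2" || return 1
    for proto in udp tcp; do
        echo "firewall-cmd --permanent --add-forward-port=port=$1:proto=$proto:toport=$2"
    done
    echo "firewall-cmd --reload"
}

# Equivalent plain iptables rules. PREROUTING only sees packets arriving
# from other hosts, and the INPUT chain must still accept the target port.
iptables_cmds() {
    valid_port "$1" && valid_port "$2" || return 1
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -p $proto --dport $1 -j REDIRECT --to-ports $2"
    done
}

# Dry run by default: print the commands. APPLY=1 (as root) executes them.
apply_redirect() {
    case "$1" in firewalld|iptables) ;; *) echo "unknown backend" >&2; return 1 ;; esac
    cmds=$("${1}_cmds" "$2" "$3") || { echo "invalid port" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$cmds" | while IFS= read -r line; do $line || exit 1; done
    else
        echo "$cmds"
    fi
}

# Example: sudo APPLY=1 sh redirect514.sh firewalld 514 5544
if [ $# -eq 3 ]; then apply_redirect "$@"; fi
```

Run without APPLY=1 first to review the generated rules, then confirm with `netstat -naop | grep 5544` that the listener is owned by the non-root Logstash process.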

Re: RHEL 7 running nagioslogserver as unprivileged user

Posted: Thu Jan 22, 2015 4:20 pm
by scottwilkerson