
Syslog-ng service error on restart - syslog forward to Qradar


Hopefully my question is in the right place.

I am currently trying to forward syslogs from an Ubuntu machine to a Qradar machine. They're on the same network and I already managed to get Rsyslog to work, but it isn't supported by Qradar. Therefore, I had to switch to Syslog-ng.

The official IBM documentation states that it's as easy as adding some lines to the /etc/syslog-ng/syslog-ng.conf file:

source qr_source {
    internal();
    system();
};
filter qr_filter {
    facility(auth, authpriv);
};
destination qr_destination {
    tcp("<qradar_ip_address>" port(514));
};
log{
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};

Unfortunately, when I do so and have to restart syslog-ng, it gives me errors.

******@****:/etc/syslog-ng$ sudo service syslog-ng restart
Job for syslog-ng.service failed because the control process exited with error code.
See "systemctl status syslog-ng.service" and "journalctl -xe" for details.
******@*****:/etc/syslog-ng$ syslog-ng
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
[2021-05-23T19:53:13.519942] Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Address already in use (98)'
[2021-05-23T19:53:13.536721] Error creating persistent state file; filename='/var/lib/syslog-ng/syslog-ng.persist-', error='Permission denied (13)'

Obviously I am a sudo user. I also noticed that the line of code that generates the error is the log-related one. I did add SYSLOGNG_OPTS="--no-caps". I did try stop and start instead of restart. I literally have no idea how to proceed here and I'm kind of desperate. If anyone can offer any help it would be greatly appreciated.

Thank you.
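The two error lines in the question point at how syslog-ng was started rather than at the config snippet: the second command runs `syslog-ng` without sudo, so the unprivileged process cannot set capabilities or write under /var/lib/syslog-ng ("Permission denied"), and the systemd-managed instance still holds the control socket, so a second copy cannot bind it ("Address already in use"). The script below is an added example, not part of the question, the answer, or IBM's documentation. It renders the same forwarding snippet with the QRadar address filled in, runs the pre-flight checks that catch both conditions before the service is touched, and validates the file with syslog-ng's own parser (`syslog-ng --syntax-only --cfgfile`) instead of restarting and reading journalctl. `QRADAR_IP` is a constructed placeholder, and writing to /etc/syslog-ng/conf.d/qradar.conf assumes the Debian/Ubuntu default syslog-ng.conf includes that directory; adjust the path if your main config does not.

```shell
#!/bin/sh
# Added example, not from the original post: render the QRadar forwarding
# snippet, check the two conditions behind the quoted errors, then syntax-check.
set -eu

QRADAR_IP="${QRADAR_IP:-192.0.2.10}"   # constructed placeholder (RFC 5737 range)
# Assumed path: Debian/Ubuntu syslog-ng.conf normally includes conf.d/*.conf.
CONF_PATH="${CONF_PATH:-/etc/syslog-ng/conf.d/qradar.conf}"

# Print the snippet from the question with the destination filled in.
render_qradar_conf() {
    ip="$1"; port="$2"
    cat <<EOF
source qr_source {
    internal();
    system();
};
filter qr_filter {
    facility(auth, authpriv);
};
destination qr_destination {
    tcp("$ip" port($port));
};
log {
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};
EOF
}

# Cheap structural check before handing the file to syslog-ng: the number of
# '{' must equal the number of '}'. Arithmetic expansion tolerates wc's padding.
braces_balanced() {
    opens=$(( $(printf '%s' "$1" | tr -cd '{' | wc -c) ))
    closes=$(( $(printf '%s' "$1" | tr -cd '}' | wc -c) ))
    [ "$opens" -eq "$closes" ]
}

# Conditions that produced the errors in the question:
#  1. unprivileged user -> cannot set caps, cannot write /var/lib/syslog-ng;
#  2. a running instance -> control socket already bound, bind() fails.
preflight() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: syslog-ng needs capabilities and /var/lib/syslog-ng" >&2
        return 1
    fi
    if pgrep -x syslog-ng >/dev/null 2>&1; then
        echo "syslog-ng already running; stop it or use 'systemctl reload syslog-ng'" >&2
        return 2
    fi
    return 0
}

# Parse the config without starting a daemon; exit status is the verdict.
syntax_check() {
    syslog-ng --syntax-only --cfgfile "$1"
}

main() {
    conf=$(render_qradar_conf "$QRADAR_IP" 514)
    braces_balanced "$conf" || { echo "unbalanced braces in rendered config" >&2; exit 1; }
    preflight
    printf '%s\n' "$conf" > "$CONF_PATH"
    syntax_check "$CONF_PATH"
    systemctl restart syslog-ng
    # Emit one auth-facility message so the qr_filter matches and a TCP flow
    # to QRADAR_IP:514 should appear; then show the unit's recent log lines.
    logger -p auth.info "qradar forwarding test $(date +%s)"
    journalctl -u syslog-ng -n 20 --no-pager
}

# Only act on the system when explicitly asked; functions stay callable otherwise.
case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sudo sh qradar_forward.sh --run`; without `--run` it defines the functions and does nothing, so the rendering and brace check can be exercised safely on a workstation. Compare this with the question's session: `sudo service syslog-ng restart` ran as root but failed on the config, while the bare `syslog-ng` run failed on privileges and the socket, two different faults reported by two different invocations.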


Solution

  • My workaround is a bit peculiar. I was desperate as well, trying to run syslog-ng in a docker container. The configuration that worked is as follows. Replace the last line in /etc/default/syslog-ng with SYSLOGNG_OPTS="--caps cap_sys_admin,cap_chown,cap_dac_override,cap_net_bind_service,cap_fowner=eip". However, run syslog-ng --no-caps when it comes to the execution. I hope you will get as surprised as I was.