I need to run Splunk as a non-root user as per the security policy of the customer. The challenge I have faced is with syslog-ng. So the idea is to run syslog-ng as a non-root user (let's say the user that is running Splunk), which should allow Splunk running with the same non-root user to read the syslog files. Is this feasible? Has anyone seen/done this before? Thanks
Not really familiar with syslog-ng, but if you use In your
Hope this helps, Kristian

I think the better option is of course to not run things as root when they don't need to; better yet, non-root in a chroot environment is ideal. Start syslog-ng per the link I provided. I will also suggest running syslog-ng not as the same uid as splunkd. You can configure syslog-ng.conf with destination owner, group, perm settings for the files. Files should be owned by syslog, grouped with the splunkd uid, and perms 640. So, you can run syslog-ng as one uid, splunkd as another uid, and you can have syslog-ng write files using yet another uid, etc. Do not rely on logrotate to handle owner, group, perm.
(04 Apr '12, 07:12)
cvajs
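
The layout described in the comment above, as an added example that is not part of the original thread: a syslog-ng.conf fragment that sets owner, group and mode when each file is created, so nothing depends on logrotate. The account names `syslog` and `splunk`, the port 5514 and the path are assumptions.

```conf
# syslog-ng.conf fragment (constructed example; names, port and paths are assumptions)
# Add the "@version:" line that matches the installed syslog-ng release.
# Start the daemon unprivileged, e.g.: syslog-ng --user syslog --group syslog

source s_net {
    # Without extra privileges a non-root process cannot bind ports below 1024,
    # so listen on a high port instead of 514.
    udp(ip(0.0.0.0) port(5514));
    tcp(ip(0.0.0.0) port(5514));
};

destination d_splunk {
    file("/var/log/remote/$HOST/messages.log"
        create_dirs(yes)
        # Writer owns the files; the Splunk account gets read-only access via its group.
        # Assumption: the syslog-ng account is permitted to assign this group.
        owner("syslog") group("splunk") perm(0640)
        # Directories need the execute bit for the group to traverse them.
        dir_owner("syslog") dir_group("splunk") dir_perm(0750)
    );
};

log { source(s_net); destination(d_splunk); };
```

With this in place splunkd, running under its own uid with `splunk` as its group, can read the files but not modify or delete them.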