Why can't Splunk bind ports when started as non-root?

ralphw_SAIC
Path Finder
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 will negotiate new-s2s protocol
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.502 -0500 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: Permission denied

Any idea of what could be causing this? Nothing is using port 550. If I start Splunk as root it binds port 550 without an issue.


MuS
Legend

Hi ralph_SAIC,

This is not a Splunk problem; this is based on the so-called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use port 550 with Splunk, create a new Splunk TCP input on port 1550 and use an iptables rule to route input for port 550 to the Splunk port 1550:

 /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 550 -j REDIRECT --to-ports 1550

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS
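
Added example (not part of the original post, and not Splunk tooling): a small shell script that reads splunkd.log lines like the ones in the question, picks out the TCP ports that failed to bind, and prints the REDIRECT rule from the answer above for those below the privileged-port boundary. The function names, the default +1000 offset (taken from the 550 -> 1550 mapping in the answer) and the 9997 log line are assumptions made for the example; the UDPInputProcessor error is not handled because that log line names no port.

```shell
#!/bin/sh
# Added example: read splunkd.log lines, find ports that failed to bind, and
# print the REDIRECT rule from the answer for the privileged ones.
# Nothing is executed against the firewall; rules are only printed.

# Lowest port an unprivileged process may bind. Linux 4.11+ exposes this as a
# sysctl; older kernels hard-code 1024.
unpriv_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# stdin: splunkd.log lines. stdout: each distinct port with a TCP bind error.
failed_bind_ports() {
    sed -n 's/.* ERROR  *TcpInputProc - Could not bind to port IPv4 port \([0-9][0-9]*\).*/\1/p' |
        sort -nu
}

# $1 = privileged port, $2 = offset to the unprivileged Splunk input
# (assumption: default 1000, matching 550 -> 1550 in the answer).
redirect_rule() {
    printf '/usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport %d -j REDIRECT --to-ports %d\n' \
        "$1" "$(($1 + ${2:-1000}))"
}

# $1 = privileged-port boundary (defaults to this host's value).
suggest_rules() {
    start=${1:-$(unpriv_port_start)}
    failed_bind_ports | while read -r port; do
        if [ "$port" -lt "$start" ]; then
            redirect_rule "$port"
        else
            echo "# port $port is not privileged (>= $start): look for another listener"
        fi
    done
}

# Sample input: the first two lines are from the post, the 9997 line is constructed.
SAMPLE_LOG='12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.499 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 9997'

printf '%s\n' "$SAMPLE_LOG" | suggest_rules 1024
```

A REDIRECT rule in PREROUTING only rewrites packets arriving from other hosts, so a sender on the same machine still has to target the high port directly. The rule also disappears on reboot unless it is saved through the distribution's usual mechanism.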

ralphw_SAIC
Path Finder

We don't use iptables. I did find one thing about setcap, but I'm still trying to figure it out as it does not seem to work.

ralphw_SAIC
Path Finder

Unfortunately I have not found a workaround for the shared libraries issue. Guess this will have to be a one-off machine till I get this worked out.

MuS
Legend

Hi ralphw_SAIC,

I found these two links:
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-July/007455.html
https://wiki.apache.org/httpd/NonRootPortBinding
The first is about setcap for Splunk; the second is a generic one from Apache, but it also applies to Splunk.

Please mark this as answered, because your initial question is answered - thanks 🙂
