Logstash bind to port 514

Hello,
Is there a way to run logstash as nonroot user and to use port 514 (syslog plugin)?
I can not reconfigure all clients to other port...
Thank you .
AM

There are a few options listed http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l. I'd probably start with the iptables port redirection.

Hello,
Thank you for advice...
But I knew about this already.
Iptables way is really nice but I run dualstack (no nat table in ip6tables)...
There is no authbind in SL6.
Sudo - same as now runs as root.
NO SE linux here - too complex to setup and I am not the only admin here.
And java with setcap is useless (until something has changed since september).
That is why I ask here.
AM

Well, the fact that you knew about all that but had rejected them is information that you could've included in your first post. Unfortunately I believe the options brought up are what you have at your disposal.

Sorry for not telling that beforehand.
It is sad that none of this is feasible for me.
Thank you for your kind help.
AM

I tried set cap option but when set cap is enabled logstash service cannot be started.
following is my set cap command

setcap cap_net_bind_service=+epi /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-1.b14.el7_2.x86_64/jre/bin/java

I am not sure which OS you are running. But I had nothing but trouble with the setcap method on Centos 7.3, where it worked on 6.8 without issue. So, as Magnus suggests, I tried the port redirection. But I leverage firewall-cmd rather than the iptables commands. Here are my working methods for forwarding syslog 514 to 5514:
#UDP Rule
sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=5514:toaddr=127.0.0.1 --permanent
#TCP Rule
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=5514:toaddr=127.0.0.1 --permanent

Restart firewalld

sudo systemctl restart firewalld

Then, all I had to do was update my Logstash input conf to listen on 5514 instead of 514, events are flowing into Elasticsearch now, hope this helps!

Sawyer,

I have port forwarding setup and Logstash is able to collect events via 5514 but it doesn't look like the OS is actually listening on 514 in order to forward it.

Any ideas on this?

Hi arnydo,

It will not show it is listening, but you do need to make sure 514 is permitted on the firewall, then restart the firewalld service. I have it setup and events are flowing to 514 and forwarded to 5514, but only 5514 is actually listening.

If that doesn't resolve your issue, then you may need to check your zones in firewall-cmd and verify that you are adding the forwarding to the appropriate zone where the interface is attached. For instance, I have all my internal syslog forwarding to the interface tied to my INTERNAL zone. So, if the zone isn't your default, you'll need to specify it when you create the port forwarding. You also may need to enable masquerade to permit forwarding locally. Below is an example of my zone configuration and some of the commands required to set it up this way.

Additionally, you can also remove the 127.0.0.1 from the setting, if it is null it will default back to localhost, see below:

Example of my complete updated config where I used the internal zone for my interface:

CENTOS 7.3 CONFIG

Specify which interface should default to the applicable zone.

# Edit network config at /etc/sysconfig/network-scripts/ifcfg-interfacename
# Add [ZONE=internal] without brackets

Config Firewall ACLs

sudo firewall-cmd --set-default-zone=internal
sudo firewall-cmd --permanent --zone=internal --add-port=514/tcp #syslog port
sudo firewall-cmd --permanent --zone=internal --add-port=514/udp #syslog port
sudo firewall-cmd --permanent --zone=internal --add-port=5514/tcp #syslog forwarded port
sudo firewall-cmd --permanent --zone=internal --add-port=5514/udp #syslog forwarded port
sudo firewall-cmd --permanent --zone=internal --add-port=5600/tcp #kibana
sudo firewall-cmd --permanent --zone=internal --add-port=5601/tcp #kibana
sudo firewall-cmd --permanent --zone=internal --add-port=9600/tcp #logstash
sudo firewall-cmd --permanent --zone=internal --add-port=9200/tcp #elasticsearch
sudo firewall-cmd --permanent --zone=internal --add-port=9300/tcp #elasticsearch
sudo firewall-cmd --zone=internal --add-masquerade --permanent

sudo systemctl restart network.service
sudo systemctl restart firewalld

sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=5514 --permanent
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=5514 --permanent
sudo systemctl restart firewalld

firewall-cmd --list-all-zones
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=internal --query-masquerade

LOGSTASH SYSLOG INPUT CONFIG

[elasticsearch@blf-logstash-001 ~]$ cat /etc/logstash/conf.d/20-network-syslog.conf
input {
udp {
port => 5514
type => network
}
tcp {
port => 5514
type => network
}
}

Thank you for your quick reply!
I have followed your steps exactly and seem to have the same result...

Try from another server, loopback to 514 probably will not be permitted. I get the same response when done from the logstash server, but from another server it goes through no problem.

from the listening server

from another server

Perfect! This indeed worked from another server.

Thank you so much for your assistance with this!

Glad I could help!