
Trouble sending syslog to Stream

Matt Markwald
Matt Markwald Posts: 3

We have configured a Cribl syslog source to listen on TCP and UDP port 514; however, when we check the status of the source we see the state as red, and a netstat -rn in the OS does not show the port as listening.

Best Answer

  • Brian Yearwood
    Brian Yearwood Posts: 15 ✭✭
    Answer ✓

    The network ports from 1–1024 are classed as privileged ports and by default Cribl does not have access to any of the network ports in this range for both the TCP and UDP transport protocols.

    Should you wish to use port 514 in your Cribl configuration you will need to:
    1/ Stop Cribl:
    - systemctl stop cribl


    2/ Edit an override file and add the following two entries:
    - systemctl edit cribl
    [Service]
    AmbientCapabilities=CAP_NET_BIND_SERVICE

    3/ Write and save the file

    4/ You will then need to reload all unit files; this can be done by:
    - A restart of the host OS
    or
    - "systemctl daemon-reload"
    NB: (all sockets systemd listens on behalf of user configuration will remain accessible if a daemon-reload is carried out)

    5/ Start Cribl:
    - systemctl start cribl

    6/ Check by using the command "netstat -an | grep 514" to see if the port is in the listening state
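
A stricter form of the step 6 check, as an added example that is not part of the original answer or Cribl's documentation: it confirms that the running process actually holds CAP_NET_BIND_SERVICE and matches the port exactly, since `grep 514` also matches ports such as 5140. It assumes the unit is named `cribl` (as in the answer) and that `ss` from iproute2 is installed; the sample inputs are constructed.

```sh
#!/bin/sh
# Added example. Assumptions: unit name "cribl" (from the answer), ss from iproute2.
CAP_NET_BIND_SERVICE_BIT=10   # capability number in linux/capability.h

# has_net_bind HEXMASK: succeeds if the bit is set in a CapEff/CapAmb mask.
has_net_bind() {
    [ -n "$1" ] && [ $(( (0x$1 >> CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]
}

# cap_mask FIELD: reads /proc/PID/status text on stdin, prints that field's hex mask.
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# listening PROTO PORT: reads `ss -H -lntu` output on stdin, succeeds only if a
# listener is bound to exactly PORT (a plain `grep 514` would also match 5140).
listening() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && ($2 == "LISTEN" || $2 == "UNCONN") {
            n = split($5, a, ":")      # local address column; port follows the last colon
            if (a[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_unit UNIT PORT: live check of the running service.
check_unit() {
    pid=$(systemctl show -p MainPID --value "$1") || return 2
    [ "${pid:-0}" -gt 0 ] || { echo "$1 is not running"; return 2; }
    eff=$(cap_mask CapEff < "/proc/$pid/status")
    has_net_bind "$eff" || { echo "pid $pid lacks CAP_NET_BIND_SERVICE (CapEff=$eff)"; return 1; }
    for proto in tcp udp; do
        ss -H -lntu | listening "$proto" "$2" || { echo "no $proto listener on port $2"; return 1; }
    done
    echo "$1 (pid $pid) holds CAP_NET_BIND_SERVICE and listens on $2/tcp and $2/udp"
}

# Constructed sample inputs so the parsers can be exercised offline.
SAMPLE_STATUS='Name: cribl
CapEff: 0000000000000400
CapAmb: 0000000000000400'
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:5140 0.0.0.0:*'

# Live use: sh check.sh --live [unit] [port]
if [ "${1:-}" = "--live" ]; then
    check_unit "${2:-cribl}" "${3:-514}"
fi
```

Run it with `--live` on the Cribl host after step 5; without arguments it only defines the functions and sample data.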

Answers

  • Jon Rust
    Jon Rust Posts: 458 mod
    edited February 23

    Amending this answer:

    https://community.cribl.io/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.cribl.io%2Fstream%2Fdeploy-single-instance%2F%23persisting-overrides-initd

    That docs link should help. If you're not running as root, you'll need to grant special privileges to the process running Cribl to listen on 514. That link should help you with the details. Ping back if you get stuck.
