We have configured a Cribl syslog source to listen on TCP and UDP port 514; however, when we check the status of the source, we see the state as red, and a netstat -rn in the OS does not show the port as listening.
Amending this answer:
https://community.cribl.io/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.cribl.io%2Fstream%2Fdeploy-single-instance%2F%23persisting-overrides-initd
That docs link should help. If you're not running as root, you'll need to grant special privileges to the process running Cribl to listen on 514. That link should help you with the details. Ping back if you get stuck.
The network ports from 1–1024 are classed as privileged ports and by default Cribl does not have access to any of the network ports in this range for both the TCP and UDP transport protocols.
Should you wish to use port 514 in your Cribl configuration you will need to:
1/ Stop Cribl:
- systemctl stop cribl
2/ Edit an override file and add the following two entries:
- systemctl edit cribl
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
3/ Write and save the file
4/ You will then need to reload all unit files; this can be done by:
- A restart of the host OS
or
- "systemctl daemon-reload"
NB: (all sockets systemd listens on behalf of user configuration will remain accessible if a daemon-reload is carried out)
5/ Start Cribl:
- systemctl start cribl
6/ Check by using the command "netstat -an | grep 514" to see if the port is in the listening state
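A way to verify the override from the steps above, as an added example that is not part of the original answer or of Cribl's documentation: it checks that the drop-in really sets the capability inside a [Service] section (systemd ignores assignments outside a section) and that the running process holds it. The function names are hypothetical, the unit name cribl is taken from the post, and the sample drop-ins and capability masks are constructed.

```shell
#!/usr/bin/env bash
CAP_NET_BIND_SERVICE_BIT=10   # bit index from linux/capability.h

# Succeeds if a CapEff hex mask (from /proc/<pid>/status) includes CAP_NET_BIND_SERVICE.
has_net_bind_service() {
  local mask=$((16#$1))
  (( (mask >> CAP_NET_BIND_SERVICE_BIT) & 1 ))
}

# Succeeds if a drop-in file grants CAP_NET_BIND_SERVICE via AmbientCapabilities
# inside a [Service] section. A mistyped header leaves the line outside any section.
dropin_grants_bind() {
  awk '
    /^[[:space:]]*[#;]/ { next }                        # skip comments
    /^\[.*\][[:space:]]*$/ { in_service = ($0 ~ /^\[Service\]/); next }
    in_service && /^AmbientCapabilities[[:space:]]*=/ {
      sub(/^[^=]*=/, "")
      if ($0 ~ /^[[:space:]]*$/) granted = 0            # empty assignment resets the list
      else if ($0 ~ /(^|[[:space:]])CAP_NET_BIND_SERVICE([[:space:]]|$)/) granted = 1
    }
    END { exit granted ? 0 : 1 }
  ' "$1"
}

# Live check on a host: does the unit's main process hold the capability?
# Usage (assumed unit name): check_unit cribl
check_unit() {
  local pid capeff
  pid=$(systemctl show -p MainPID --value "$1") || return 2
  [ "${pid:-0}" -gt 0 ] || { echo "$1 is not running"; return 2; }
  capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$pid/status")
  has_net_bind_service "$capeff"
}

# Constructed sample inputs (not taken from a real host).
good=$(mktemp); printf '[Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n' > "$good"
bad=$(mktemp);  printf '/Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n' > "$bad"
dropin_grants_bind "$good" && echo "good drop-in: capability granted"
dropin_grants_bind "$bad"  || echo "bad drop-in: no [Service] header, capability not granted"
has_net_bind_service 0000000000000400 && echo "CapEff 0x400: may bind ports below 1024"
has_net_bind_service 0000000000000000 || echo "CapEff 0x0: may not bind ports below 1024"
rm -f "$good" "$bad"
```

If check_unit fails after the restart, run "systemctl cat cribl" to confirm that the drop-in was saved and picked up by the daemon-reload.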