Installing Syslog-NG on Linux

Installation

These instructions were written on Rocky Linux 9.4. That platform was chosen because Rocky Linux 9.x is intended to be bug-for-bug compatible with Enterprise Linux 9, so the same steps should apply to RHEL and its other rebuilds.

Download EPEL Repo

Download the Extra Packages for Enterprise Linux (EPEL)

Note: Replace the 9 in the package name with the Enterprise Linux major version of your OS.

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
rpm -Uvh epel-release-latest-9.noarch.rpm

Download Syslog-NG Repo File

See the following link for repo files for other Enterprise Linux versions and architectures: https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng48

wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng48/repo/epel-9/czanik-syslog-ng48-epel-9.repo -O /etc/yum.repos.d/syslog-ng.repo

Install and Enable Syslog-NG

dnf install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng

Remove RSYSLOG (Optional)

dnf erase rsyslog -y

Check Version

syslog-ng --version

Running as Unprivileged User

These steps create a non-privileged user named syslogng and configure Syslog-NG to run under that account instead of root.

Create User

useradd -m -d /home/syslogng -U syslogng
passwd syslogng
chown -R syslogng:syslogng /etc/syslog-ng

Modify Syslog-NG Service

Open the syslog-ng service file

vi /lib/systemd/system/syslog-ng.service

Under [Service], add the --no-caps option to the ExecStart line (note: two ASCII hyphens, not a dash):

ExecStart=/usr/sbin/syslog-ng -F --no-caps $SYSLOGNG_OPTS -p /var/run/syslogd.pid

Add the following four lines to the [Service] section:

User=syslogng
Group=syslogng
AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE
WorkingDirectory=/etc/syslog-ng

Reload the systemd Daemon and Restart Syslog-NG

systemctl daemon-reload
systemctl restart syslog-ng

Verify that Syslog-NG is running as the non-privileged account syslogng (the USER column of the syslog-ng process should read syslogng, not root):

ps aux | grep syslog-ng
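As an added example (not part of the original page), the same [Service] changes can be applied as a systemd drop-in rather than by editing the packaged unit in /lib/systemd/system, so that a later package upgrade does not silently revert syslog-ng to running as root; the script also turns the ps check above into a pass/fail test. The drop-in path and the check strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: apply the [Service] changes as a
# systemd drop-in instead of editing /lib/systemd/system/syslog-ng.service, so a
# package upgrade cannot silently put syslog-ng back to running as root.
# The drop-in path and the check strings are this example's own assumptions.
DROPIN_DIR=/etc/systemd/system/syslog-ng.service.d

# Emit the drop-in. The empty "ExecStart=" line clears the packaged value first;
# without it systemd rejects the unit because two ExecStart= values would be set.
render_dropin() {
    cat <<'EOF'
[Service]
User=syslogng
Group=syslogng
AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE
WorkingDirectory=/etc/syslog-ng
ExecStart=
ExecStart=/usr/sbin/syslog-ng -F --no-caps $SYSLOGNG_OPTS -p /var/run/syslogd.pid
EOF
}

# Pass/fail check on one "ps -o user=,args=" line: succeed only when the daemon
# runs as syslogng AND was started with --no-caps. (ps truncates user names
# longer than 8 characters; "syslogng" is exactly 8, so it prints in full.)
check_ps_line() {
    case $1 in
        syslogng[[:space:]]*/usr/sbin/syslog-ng*--no-caps*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run as root: write the drop-in, reload systemd, restart the service.
install_dropin() {
    mkdir -p "$DROPIN_DIR"
    render_dropin > "$DROPIN_DIR/override.conf"
    systemctl daemon-reload
    systemctl restart syslog-ng
}

# Inspect the live process (first syslog-ng PID found) with check_ps_line.
verify_running() {
    check_ps_line "$(ps -o user=,args= -C syslog-ng | head -n 1)"
}

case ${1-} in
    install) install_dropin ;;
    verify)  verify_running && echo "syslog-ng runs as syslogng with --no-caps" ;;
esac
```

Run `sh script.sh install` as root once, then `sh script.sh verify` to confirm the running process matches; `systemctl cat syslog-ng` shows the merged unit.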

Update SUDOERS

visudo

Add the following under the appropriate section to allow the syslogng user to manage the syslog-ng service. sudoers matches the full command line, so these rules permit exactly these three commands and nothing else:

syslogng ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop syslog-ng
syslogng ALL=(ALL) NOPASSWD: /usr/bin/systemctl start syslog-ng
syslogng ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart syslog-ng

The syslogng user can now stop, start or restart the service with one of the following:

sudo systemctl stop syslog-ng
sudo systemctl start syslog-ng
sudo systemctl restart syslog-ng
