sazizan
November 11, 2024
These instructions were made using Rocky Linux 9.4. This platform was chosen because Rocky Linux 9.x is built to be bug-for-bug compatible with Red Hat Enterprise Linux 9, so the same steps should work on RHEL and the other EL9 rebuilds.
Download EPEL Repo
Download and install the Extra Packages for Enterprise Linux (EPEL) repository package. The syslog-ng packages below depend on libraries that are only available from EPEL.
Note: Replace the 9 with the major version of your OS.
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
rpm -Uvh epel-release-latest-9.noarch.rpm
Download Syslog-NG Repo File
See the following link for other distributions, versions and architectures: https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng48. This is a community (COPR) build maintained by a syslog-ng developer rather than a Rocky or EPEL package; the downloaded .repo file has GPG checking enabled, so leave gpgcheck=1 in place.
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng48/repo/epel-9/czanik-syslog-ng48-epel-9.repo -O /etc/yum.repos.d/syslog-ng.repo
Install and Enable Syslog-NG
dnf install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng
Remove RSYSLOG (Optional)
dnf remove rsyslog -y
Note: dnf erase is the older alias for dnf remove and still works on EL9.
Check Version
syslog-ng --version
These steps create a non-privileged user named syslogng and set up syslog-ng to run under that account instead of root, with only the handful of Linux capabilities it needs.
Create User
useradd -m -d /home/syslogng -U syslogng
passwd syslogng
Note: The password is only needed because the sudo steps at the end are run interactively as syslogng. For a purely unattended service account you can skip it.
chown -R syslogng:syslogng /etc/syslog-ng
Note: syslog-ng also writes its persist file under /var/lib/syslog-ng and its output under /var/log. The CAP_DAC_OVERRIDE capability granted below lets it keep doing so while those stay root-owned, and CAP_CHOWN and CAP_FOWNER let it apply the owner(), group() and perm() options on the files it creates.
Modify Syslog-NG Service
Open the syslog-ng service file. This edits the packaged unit under /lib/systemd/system, which the next syslog-ng package update will overwrite; for a change that survives updates, use systemctl edit syslog-ng instead, which puts the same lines in /etc/systemd/system/syslog-ng.service.d/override.conf. In a drop-in, ExecStart has to be reset with an empty ExecStart= line before the new one is given.
vi /lib/systemd/system/syslog-ng.service
Under [Service] add --no-caps (two dashes) to the ExecStart line. The flag tells syslog-ng not to manage Linux capabilities itself, which it can only do when started as root; with the User= and AmbientCapabilities= lines below, systemd hands the process its capabilities instead.
ExecStart=/usr/sbin/syslog-ng -F --no-caps $SYSLOGNG_OPTS -p /var/run/syslogd.pid
Add the following four lines to the [Service] Section
User=syslogng
Group=syslogng
AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE
WorkingDirectory=/etc/syslog-ng
Reload The systemctl Daemon and Restart Syslog-NG
systemctl daemon-reload
systemctl restart syslog-ng
Verify that Syslog-NG is running as the non-privileged account syslogng:
ps aux | grep syslog-ng
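ps only shows which account owns the process, not what the process can still do. The following check script is an added example written for this page (it is not from the original post or from the syslog-ng project): it reads the daemon's real uid and effective capability mask from /proc/<pid>/status and compares them with the five capabilities the unit grants, failing if the daemon is still root or still holds the full capability set. The two status blocks are constructed samples, and uid 988 is an assumed value for the syslogng account; run the script with --live on the host to check the real process.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that syslog-ng really
# dropped to the syslogng account and holds only the five capabilities granted
# through AmbientCapabilities=. Everything is read from /proc/<pid>/status,
# so no tools beyond awk, id and pidof are needed.

# Capability bit numbers as defined in linux/capability.h (kernel ABI).
cap_bit() {
    case "$1" in
        CAP_CHOWN)            echo 0 ;;
        CAP_DAC_OVERRIDE)     echo 1 ;;
        CAP_DAC_READ_SEARCH)  echo 2 ;;
        CAP_FOWNER)           echo 3 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        *) echo "cap_bit: unknown capability $1" >&2; return 1 ;;
    esac
}

# Hex mask (no leading zeros) that CapEff must show for the given names.
expected_cap_mask() {
    mask=0
    for name in "$@"; do
        bit=$(cap_bit "$name") || return 1
        mask=$(( mask | (1 << bit) ))
    done
    printf '%x\n' "$mask"
}

# Read a /proc/<pid>/status document on stdin; print "<real uid> <CapEff>",
# with the 16-digit CapEff field normalised by stripping leading zeros.
parse_status() {
    awk '/^Uid:/    { uid = $2 }
         /^CapEff:/ { cap = $2 }
         END { sub(/^0+/, "", cap); if (cap == "") cap = "0"; print uid, cap }'
}

# check_status WANT_UID CAP... < status-text
# Returns 0 when the process runs as WANT_UID with exactly the listed
# capabilities effective, 1 otherwise. A root-owned process, or one that kept
# the full capability set, fails this check.
check_status() {
    want_uid=$1; shift
    want_mask=$(expected_cap_mask "$@") || return 1
    set -- $(parse_status)
    got_uid=$1; got_mask=$2
    if [ "$got_uid" = "$want_uid" ] && [ "$got_mask" = "$want_mask" ]; then
        echo "OK: uid=$got_uid CapEff=0x$got_mask"
        return 0
    fi
    echo "FAIL: uid=$got_uid (want $want_uid) CapEff=0x$got_mask (want 0x$want_mask)"
    return 1
}

# Live check against the daemon started by systemd (needs syslog-ng running).
check_running_syslogng() {
    pid=$(pidof -s syslog-ng) || { echo "syslog-ng is not running" >&2; return 2; }
    want_uid=$(id -u syslogng) || return 2
    check_status "$want_uid" CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE \
        CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE < "/proc/$pid/status"
}

# Constructed sample of /proc/<pid>/status after the unit change took effect
# (uid 988 is an assumed value for the syslogng account; fields are
# whitespace-separated exactly as in the real file).
SAMPLE_STATUS_DROPPED='Name:   syslog-ng
Uid:    988     988     988     988
Gid:    986     986     986     986
CapInh: 000000000000040f
CapPrm: 000000000000040f
CapEff: 000000000000040f
CapBnd: 000001ffffffffff
CapAmb: 000000000000040f'

# Constructed sample of the daemon still running as root with full caps,
# which is what you get if daemon-reload or the User= line was forgotten.
SAMPLE_STATUS_ROOT='Name:   syslog-ng
Uid:    0       0       0       0
Gid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

case "${1:-}" in
    --live) check_running_syslogng ;;
    *)      printf '%s\n' "$SAMPLE_STATUS_DROPPED" | check_status 988 CAP_CHOWN \
                CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE ;;
esac
```

Without arguments the script checks the constructed sample and prints OK: uid=988 CapEff=0x40f; with --live it checks the real daemon. The five granted capabilities are bits 0, 1, 2, 3 and 10, so any mask other than 0x40f means the process either kept more than it was given or lost one of them.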
Update SUDOERS
visudo
Add the following under the appropriate section (or place them in a new file under /etc/sudoers.d/ and check it with visudo -cf before relying on it) to allow the syslogng user to manage the syslog-ng service. Keep the command arguments exactly as written: sudo matches them literally, so the account can run these three invocations and nothing else under systemctl, whereas a wildcard such as /usr/bin/systemctl * would hand it every systemctl subcommand.
syslogng ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop syslog-ng
syslogng ALL=(ALL) NOPASSWD: /usr/bin/systemctl start syslog-ng
syslogng ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart syslog-ng
Log in as syslogng (for example with su - syslogng) and confirm that the rules work; each of these should now run without a password prompt:
sudo systemctl stop syslog-ng
sudo systemctl start syslog-ng
sudo systemctl restart syslog-ng
References
1. https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions
2. https://support.oneidentity.com/kb/261520/how-to-run-syslog-ng-pe-under-a-non-privileged-user-on-linux
3. https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/12