-
Título
udp-balancer() Source Not Working When Using Non-Root Account -
Descrição
The udp-balancer() source is not working when running Syslog-ng with an account other than the root account.
The following error is found in the logs: Error loading BPF program -
Causa
The service account being used to run Syslog-ng does not have the correct capabilities to access the eBPF (Extended Berkeley Packet Filter) plugin in the Linux kernel which is required to use the udp-balancer() source within Syslog-ng. -
Resolução
Please add the following capabilities to the service account's ambient capabilities:SYS_ADMIN (CAP_SYS_ADMIN)
Once done the service account running Syslog-ng PE should have access to the eBPF plugin and the udp-balancer() should work.
NOTE - If Syslog-ng continues to encounter issues with starting please see the following for additional permissions that may be required:
CAP_NET_BIND_SERVICE - Required for binding to ports below 1024 (such as UDP 514).
CAP_CHOWN - Required for creating files with owner/group other than the current user.
CAP_FOWNER - Bypasses permission checks on operations that normally require the filesystem UID of the process to match the UID of the file.
CAP_DAC_OVERRIDE - Bypass file read, write, and execute permission checks.
CAP_DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks