Syslog-ng is running under the privileged user root.
Running syslog-ng PE on Linux needs elevated privileges, for example to listen on privileged ports or to write log files.
In the example below, the syslog-ng application is run as the user "syslogng" with membership in the "syslogng" group. The syslogng user has no login access.
The username and the group name are shown in bold in the examples.
All of the commands must be run as the root user.
1. Stop syslog-ng.
systemctl stop syslog-ng
2. Create a non-privileged user.
useradd -d /opt/syslog-ng -s /bin/false -U -M syslogng
3. Change the permissions on syslog-ng installation directory.
chown -R syslogng:syslogng /opt/syslog-ng
4. Modify the systemd service file /lib/systemd/system/syslog-ng.service.
a. Add the following lines to the [Service] section (client mode):
User=syslogng
Group=syslogng
AmbientCapabilities=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
WorkingDirectory=/opt/syslog-ng/var
To run syslog-ng PE in relay or server mode, add the "CAP_NET_BIND_SERVICE" capability to AmbientCapabilities.
To configure the udp-balancer, add the "CAP_BPF" capability to AmbientCapabilities. On some operating systems this may be insufficient and you will need to add "CAP_SYS_ADMIN" instead. "CAP_BPF" is a narrower subset of rights, but it must be supported by the Linux kernel.
b. Add the "--no-caps" syslog-ng option to the command line in ExecStart=:
ExecStart=/opt/syslog-ng/sbin/syslog-ng -F --no-caps --enable-core $SYSLOGNG_OPTIONS
5. Reload systemd.
systemctl daemon-reload
6. Restart syslog-ng.
systemctl start syslog-ng
7. Check the systemd journal for startup messages.
journalctl -eu syslog-ng
8. Check that the running process belongs to the syslogng user, then verify the configuration syntax as that user. Because the account was created with /bin/false as its shell, su must be given a real shell with -s, otherwise the -c command is never run.
ps axu | grep syslog-ng
su -s /bin/sh - syslogng -c "/opt/syslog-ng/sbin/syslog-ng -s --no-caps"
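The following shell helpers are an added example, not part of the original article or of the syslog-ng PE product. They generate the [Service] settings from step 4 for a given mode (client, relay or server, with or without the udp-balancer) and check a unit file for the settings this procedure depends on, so the result of steps 4 and 5 can be verified before the service is restarted. Rather than editing the vendor unit in /lib/systemd/system directly, the example writes the settings as a systemd drop-in; the drop-in path /etc/systemd/system/syslog-ng.service.d/nonroot.conf and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own commands): build and verify the
# systemd [Service] settings that run syslog-ng PE as a non-root user.
# Assumed values: the helper names and the drop-in path below.

SYSLOGNG_USER=syslogng
SYSLOGNG_GROUP=syslogng
SYSLOGNG_HOME=/opt/syslog-ng
DROPIN=/etc/systemd/system/syslog-ng.service.d/nonroot.conf   # assumed path

# caps_for_mode MODE [balancer]
# Prints the AmbientCapabilities value: the client-mode set from step 4a,
# plus CAP_NET_BIND_SERVICE for relay/server mode, plus CAP_BPF when the
# udp-balancer is used. Unknown modes return 1.
caps_for_mode() {
  caps="CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH"
  case "$1" in
    client) ;;
    relay|server) caps="$caps CAP_NET_BIND_SERVICE" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
  if [ "${2:-}" = "balancer" ]; then
    caps="$caps CAP_BPF"
  fi
  echo "$caps"
}

# dropin_for_mode MODE [balancer]
# Prints a drop-in that overrides the [Service] section. ExecStart= is
# cleared with an empty assignment first, which systemd requires before a
# unit's ExecStart can be redefined in a drop-in.
dropin_for_mode() {
  caps=$(caps_for_mode "$@") || return 1
  cat <<EOF
[Service]
User=$SYSLOGNG_USER
Group=$SYSLOGNG_GROUP
AmbientCapabilities=$caps
WorkingDirectory=$SYSLOGNG_HOME/var
ExecStart=
ExecStart=$SYSLOGNG_HOME/sbin/syslog-ng -F --no-caps --enable-core \$SYSLOGNG_OPTIONS
EOF
}

# check_unit FILE
# Returns 0 when FILE (a unit or drop-in) carries every setting the
# procedure needs; otherwise prints each missing item and returns 1.
check_unit() {
  rc=0
  grep -q "^User=$SYSLOGNG_USER\$" "$1"   || { echo "missing User=$SYSLOGNG_USER"; rc=1; }
  grep -q "^Group=$SYSLOGNG_GROUP\$" "$1" || { echo "missing Group=$SYSLOGNG_GROUP"; rc=1; }
  grep -q "^AmbientCapabilities=.*CAP_DAC_OVERRIDE" "$1" \
    || { echo "missing AmbientCapabilities"; rc=1; }
  grep -q "^WorkingDirectory=$SYSLOGNG_HOME/var\$" "$1" \
    || { echo "missing WorkingDirectory"; rc=1; }
  grep -q "^ExecStart=.*--no-caps" "$1"   || { echo "ExecStart lacks --no-caps"; rc=1; }
  return $rc
}

# Typical use as root (commented out so the helpers can be sourced safely):
#   mkdir -p "$(dirname "$DROPIN")"
#   dropin_for_mode server > "$DROPIN"
#   check_unit "$DROPIN" && systemctl daemon-reload && systemctl restart syslog-ng
```

After writing the drop-in, `systemctl daemon-reload` (step 5) is still required, and `systemctl cat syslog-ng` shows the vendor unit together with the override so the effective ExecStart and capability set can be confirmed before the restart.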
© 2024 One Identity LLC. All rights reserved.