-
Title
syslog-ng PE Fails to Spoof Source IP/Hostname Due to Raw Socket Permission Denial -
Description
When attempting to configure syslog-ng Premium Edition using a non-root user to spoof the original source IP and hostname in forwarded logs, the following error occurs:
Error initializing raw socket, spoof-source support disabled; error='libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted\x0a'
-
Cause
Linux systems restrict raw socket creation for non-root users unless explicitly granted via capabilities (CAP_NET_RAW).
-
Resolution
Modify systemd service file /lib/systemd/system/syslog-ng.service.
1. Add CAP_NET_RAW in AmbientCapabilities.
2. Reload systemd.
# systemctl daemon-reload3. Restart syslog-ng.
# systemctl start syslog-ng4. Check systemd journal for startup messages.
# journalctl -eu syslog-ng5. Check the running process.
# ps axu | grep syslog-ng