question Re: ListenSyslog won't listen on port 514 because it's a privileged port. Is there a workaround? in Archives of Support Questions (Read Only)

ListenSyslog won't listen on port 514 because it's a privileged port. Is there a workaround?

awoolford — Sun, 18 Aug 2019 10:46:58 GMT

By convention, syslog listens on port 514, which is a privileged port (i.e. < 1024) meaning that only processes running as root can access them. For security reasons, Nifi runs as a non-root user and so the ListenSyslog processor can't listen on port 514.

Because port 514 is a standard for syslog, devices don't always have the option to output to different port, e.g. here's a screenshot from a firewall UI:

If port 514 is used for the `ListenSyslog` processor, the processor is unable to bind the port and error messages containing `Caused by: java.net.SocketException: Permission denied` show up in /var/log/nifi-app.log.

Is there an easy way to configure Nifi so that only ListenSyslog runs with root permissions? Or perhaps a workaround in Linux where messages destined for port 514 are forwarded to port 1514 so they can be picked up by the processor?

Re: ListenSyslog won't listen on port 514 because it's a privileged port. Is there a workaround?

jfrazee — Wed, 22 Mar 2017 21:20:41 GMT

@Alex Woolford There are a few things you can try (none of which are really NiFi concerns):

iptables port redirection
Run something like HAproxy to forward tcp traffic from 514 to the selected port in NiFi
Use the cap_net_bind_service available in more recent linux kernels to allow the JVM to bind to privileged ports without running as root

Re: ListenSyslog won't listen on port 514 because it's a privileged port. Is there a workaround?

awoolford — Wed, 22 Mar 2017 22:46:59 GMT

Thank you, @jfrazee. Per your suggestion (#2), I used HAproxy and it's working perfectly.