Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

ListenSyslog won't listen on port 514 because it's a privileged port. Is there a workaround?

Labels:
avatar
author-rank awoolford
Expert Contributor

Created on ‎03-22-2017 01:59 PM - edited ‎08-18-2019 03:46 AM

By convention, syslog listens on port 514, which is a privileged port (i.e. < 1024) meaning that only processes running as root can access them. For security reasons, Nifi runs as a non-root user and so the ListenSyslog processor can't listen on port 514.

Because port 514 is a standard for syslog, devices don't always have the option to output to different port, e.g. here's a screenshot from a firewall UI:

13909-syslog-screenshot.png

If port 514 is used for the `ListenSyslog` processor, the processor is unable to bind the port and error messages containing `Caused by: java.net.SocketException: Permission denied` show up in /var/log/nifi-app.log.

Is there an easy way to configure Nifi so that only ListenSyslog runs with root permissions? Or perhaps a workaround in Linux where messages destined for port 514 are forwarded to port 1514 so they can be picked up by the processor?

4,766 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank jfrazee
Guru

Created ‎03-22-2017 02:20 PM

@Alex Woolford There are a few things you can try (none of which are really NiFi concerns):

  • iptables port redirection
  • Run something like HAproxy to forward tcp traffic from 514 to the selected port in NiFi
  • Use the cap_net_bind_service available in more recent linux kernels to allow the JVM to bind to privileged ports without running as root

View solution in original post

3,999 Views
2 REPLIES 2

avatar
author-rank jfrazee
Guru

Created ‎03-22-2017 02:20 PM

@Alex Woolford There are a few things you can try (none of which are really NiFi concerns):

  • iptables port redirection
  • Run something like HAproxy to forward tcp traffic from 514 to the selected port in NiFi
  • Use the cap_net_bind_service available in more recent linux kernels to allow the JVM to bind to privileged ports without running as root
4,000 Views

avatar
author-rank awoolford
Expert Contributor

Created ‎03-22-2017 03:46 PM

Thank you, @jfrazee. Per your suggestion (#2), I used HAproxy and it's working perfectly.

3,999 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements