
ListenSyslog won't listen on port 514 because it's a privileged port. Is there a workaround?


By convention, syslog listens on port 514, which is a privileged port (i.e. < 1024), meaning that only processes running as root can access it. For security reasons, NiFi runs as a non-root user, so the ListenSyslog processor can't listen on port 514.

Because port 514 is a standard for syslog, devices don't always have the option to output to a different port, e.g. here's a screenshot from a firewall UI:

13909-syslog-screenshot.png

If port 514 is used for the `ListenSyslog` processor, the processor is unable to bind the port and error messages containing `Caused by: java.net.SocketException: Permission denied` show up in /var/log/nifi-app.log.

Is there an easy way to configure NiFi so that only ListenSyslog runs with root permissions? Or perhaps a workaround in Linux where messages destined for port 514 are forwarded to port 1514 so they can be picked up by the processor?

1 ACCEPTED SOLUTION


@Alex Woolford There are a few things you can try (none of which are really NiFi concerns):

  • iptables port redirection
  • Run something like HAProxy to forward TCP traffic from 514 to the selected port in NiFi
  • Use the cap_net_bind_service available in more recent Linux kernels to allow the JVM to bind to privileged ports without running as root


Thank you, @jfrazee. Per your suggestion (#2), I used HAProxy and it's working perfectly.
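
The first option in the accepted answer, iptables port redirection, as an added example that is not part of the original thread: a script that redirects port 514 to the port 1514 suggested in the question. The function names and the `APPLY` and `DST_PORT` variables are assumptions of this example, as is the choice to cover both UDP and TCP.

```sh
#!/bin/sh
# Added example: redirect syslog arriving on 514 to an unprivileged port.
# Dry run by default; run as root with APPLY=1 to install the rules.
SRC_PORT=514
DST_PORT="${DST_PORT:-1514}"   # assumed ListenSyslog port (1514 as in the question)

# Emit one nat-table rule spec per line for UDP and TCP.
# PREROUTING handles senders on other hosts; OUTPUT -o lo handles senders
# on the NiFi host itself, whose packets never traverse PREROUTING.
redirect_specs() {
    dst=$1
    case "$dst" in
        ''|*[!0-9]*) echo "not a port number: $dst" >&2; return 2 ;;
    esac
    if [ "$dst" -lt 1024 ] || [ "$dst" -gt 65535 ]; then
        echo "target must be an unprivileged port (1024-65535): $dst" >&2
        return 2
    fi
    for proto in udp tcp; do
        echo "PREROUTING -p $proto --dport $SRC_PORT -j REDIRECT --to-ports $dst"
        echo "OUTPUT -o lo -p $proto --dport $SRC_PORT -j REDIRECT --to-ports $dst"
    done
}

# Show the commands without touching the firewall.
print_rules() {
    specs=$(redirect_specs "$1") || return
    printf '%s\n' "$specs" | sed 's/^/iptables -t nat -A /'
}

# Install the rules; -C tests for an existing rule so reruns add no duplicates.
apply_rules() {
    specs=$(redirect_specs "$1") || return
    printf '%s\n' "$specs" | while read -r spec; do
        # $spec is deliberately unquoted so it splits into iptables arguments
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$DST_PORT"
else
    print_rules "$DST_PORT"
fi
```

Rules added this way live only in the running kernel; save them with the distribution's persistence mechanism (for example `iptables-save`) so the redirect survives a reboot.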