
I have installed nxlog to send my logs to a graylog server. It works fine, but I get a permission denied error on the logs of my HIDS Ossec.

My nxlog process (launched by collector-sidecar) runs as root:

# ps -ef | grep collector
root      1869     1  0 13:23 ?        00:00:03 /usr/bin/graylog-collector-sidecar
root      1905  1869  0 13:23 ?        00:00:29 /usr/bin/nxlog -f -c /etc/graylog/collector-sidecar/generated/nxlog.conf

In the nxlog.conf, I have:

User root
Group adm

The rights on the OSSEC logs are as follows (ossec:ossec for /var/ossec/logs):

# namei -l /var/ossec/logs/active-responses.log
f: /var/ossec/logs/active-responses.log
drwxr-xr-x root  root  /
drwxr-xr-x root  root  var
dr-xr-x--- root  ossec ossec
drwxr-x--- ossec ossec logs
-rw-r--r-- root  ossec active-responses.log

So, the user ossec and the members of the group OSSEC can read this file (I think).

I added root to the group ossec:

# id
uid=0(root) gid=0(root) groupes=0(root),1005(ossec)

I tested after a reboot of my server, but I read in the nxlog logs:

ERROR apr_stat failed on file /var/ossec/logs/active-responses.log;Permission denied

When I chown the directory /var/ossec/logs to root so that I have:

# namei -l /var/ossec/logs/active-responses.log
f: /var/ossec/logs/active-responses.log
drwxr-xr-x root root  /
drwxr-xr-x root root  var
dr-xr-x--- root ossec ossec
drwxr-x--- root ossec logs
-rw-r--r-- root ossec active-responses.log

So, why can't my nxlog process read this file when I put root in the ossec group?

2
  • OSSEC and ossec are different groups. Commented Mar 20, 2018 at 15:27
  • sorry, problem of typo. I confirm the group ossec and not OSSEC
    – Sorcha
    Commented Mar 20, 2018 at 15:33
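As an added example (not from the question, nxlog or OSSEC), the walk below applies the owner/group/other rule to each component of the `namei -l` listings above for a given credential set, so it shows which component refuses a process whose group set lacks ossec. It assumes plain DAC, i.e. a process that does not hold CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, and that `groups` is the process's own primary plus supplementary groups (the `Groups:` line of /proc/<pid>/status, which can differ from a root shell's `id`).

```python
# Constructed sample input: the `namei -l` listings from the question, before
# and after `chown root /var/ossec/logs`.
NAMEI_BEFORE = """\
f: /var/ossec/logs/active-responses.log
drwxr-xr-x root  root  /
drwxr-xr-x root  root  var
dr-xr-x--- root  ossec ossec
drwxr-x--- ossec ossec logs
-rw-r--r-- root  ossec active-responses.log
"""
NAMEI_AFTER = NAMEI_BEFORE.replace("drwxr-x--- ossec ossec logs",
                                   "drwxr-x--- root  ossec logs")

def parse_namei(listing):
    """Yield one dict per path component; the 'f:' header line is skipped."""
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        mode, owner, group, name = parts
        yield {"dir": mode[0] == "d", "owner": owner, "group": group,
               "name": name,
               # (owner bits, group bits, other bits), e.g. ('rwx', 'r-x', '---')
               "bits": (mode[1:4], mode[4:7], mode[7:10])}

def applicable_bits(entry, user, groups):
    """Pick the class the kernel uses: owner, else group, else other.
    The classes are exclusive: an owner lacking a bit is not re-tried as
    a group member, and membership is tested against the process's groups."""
    if entry["owner"] == user:
        return entry["bits"][0]
    if entry["group"] in groups:
        return entry["bits"][1]
    return entry["bits"][2]

def check_path(listing, user, groups, op="read"):
    """Return (ok, denying_component) under plain DAC (no CAP_DAC_OVERRIDE
    or CAP_DAC_READ_SEARCH). Every directory needs the search bit 'x'; the
    final file needs 'r' for op='read' and nothing for op='stat', so a
    'Permission denied' from apr_stat() always points at a directory."""
    for entry in parse_namei(listing):
        bits = applicable_bits(entry, user, groups)
        if entry["dir"]:
            needed = "x"
        else:
            needed = "r" if op == "read" else ""
        if needed and needed not in bits:
            return False, entry["name"]
    return True, None
```

With the credentials root plus the adm group, the walk stops at the `logs` directory, not at the log file; once `logs` is owned by root (the chown in the question) the same credentials pass.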

1 Answer

-1

Can you try removing User root from your nxlog.conf? It will still be running as root. AFAIR there was a bug with this in the CE.
