
Hopefully my question is in the right place.

I am currently trying to forward syslogs from an Ubuntu machine to a QRadar machine. They're on the same network and I already managed to get rsyslog to work, but it isn't supported by QRadar. Therefore, I had to switch to syslog-ng.

The official IBM documentation states that it's as easy as adding some lines to the /etc/syslog-ng/syslog-ng.conf file:

source qr_source {
    internal();   # syslog-ng's own status messages
    system();     # the local system log sources (/dev/log, journal)
};
filter qr_filter {
    facility(auth, authpriv);   # keep only authentication-related messages
};
destination qr_destination {
    tcp("<qradar_ip_address>" port(514));   # plain TCP syslog to the QRadar collector
};
log {
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};

Unfortunately, when I do so and then have to restart syslog-ng, it gives me errors.

******@****:/etc/syslog-ng$ sudo service syslog-ng restart
Job for syslog-ng.service failed because the control process exited with error code.
See "systemctl status syslog-ng.service" and "journalctl -xe" for details.
******@*****:/etc/syslog-ng$ syslog-ng
syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'
[2021-05-23T19:53:13.519942] Error opening control socket, bind() failed; socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Address already in use (98)'
[2021-05-23T19:53:13.536721] Error creating persistent state file; filename='/var/lib/syslog-ng/syslog-ng.persist-', error='Permission denied (13)'

Obviously I am a sudo user. I also noticed that the block that generates the error is the log-related one. I did add SYSLOGNG_OPTS="--no-caps". I did try stop and start instead of restart. I literally have no idea how to proceed here and I'm kind of desperate. If anyone can offer any help it would be greatly appreciated.

Thank you.

  • I would suggest verifying the permissions for the folder `/var/lib/syslog-ng/`; this seems to be the root of the issue – djdomi May 23 '21 at 20:42
  • As I forgot to think of a second way: verify that AppArmor or SELinux is not blocking your attempt, which would also lead to the same issue – djdomi May 23 '21 at 20:46
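The three error lines in the question each point at a different cause (a non-root start, a second syslog-ng instance already holding the control socket, and a state directory the running user cannot write), and the comments above add AppArmor/SELinux as a fourth. The script below is an added troubleshooting helper written for this page; it is not part of the original post, of syslog-ng, or of IBM's QRadar documentation. It assumes the Ubuntu defaults `/etc/syslog-ng/syslog-ng.conf` and `/var/lib/syslog-ng` (both overridable through environment variables) and matches on the error strings syslog-ng prints, as quoted in the question.

```shell
#!/bin/sh
# Triage helper for syslog-ng start-up failures (example code for this page,
# not from the original post, syslog-ng, or IBM). Assumed paths are the
# Ubuntu defaults; override with SYSLOG_NG_CONF / SYSLOG_NG_STATE_DIR.

CONF="${SYSLOG_NG_CONF:-/etc/syslog-ng/syslog-ng.conf}"
STATE_DIR="${SYSLOG_NG_STATE_DIR:-/var/lib/syslog-ng}"

# classify_error LINE: print a short tag for the likely cause of one error line.
classify_error() {
    case "$1" in
        *"Error setting capabilities"*)
            echo "not-root-or-no-caps" ;;
        *"control socket"*"Address already in use"*)
            echo "instance-already-running" ;;
        *"persistent state file"*"Permission denied"*)
            echo "state-dir-not-writable" ;;
        *"syntax error"*|*"Error parsing"*)
            echo "config-syntax" ;;
        *)
            echo "unknown" ;;
    esac
}

# advice TAG: the next check to run for a given tag.
advice() {
    case "$1" in
        not-root-or-no-caps)
            echo "started without root privileges (capabilities could not be set); run it as root, or keep --no-caps in SYSLOGNG_OPTS" ;;
        instance-already-running)
            echo "another syslog-ng holds $STATE_DIR/syslog-ng.ctl; check 'pgrep -a syslog-ng' and 'ss -xlp', stop it, then start the service" ;;
        state-dir-not-writable)
            echo "the running user cannot write $STATE_DIR; run as root, check 'ls -ld $STATE_DIR' and look for AppArmor/SELinux denials" ;;
        config-syntax)
            echo "the config does not parse; run 'syslog-ng -s -f $CONF' to see the offending line" ;;
        *)
            echo "no specific advice" ;;
    esac
}

# triage: read syslog-ng stderr (or 'journalctl -u syslog-ng' output) on stdin
# and print one "tag<TAB>advice" line per distinct recognised cause.
triage() {
    seen=""
    while IFS= read -r line; do
        tag=$(classify_error "$line")
        if [ "$tag" = unknown ]; then
            continue
        fi
        case " $seen " in
            *" $tag "*) continue ;;
        esac
        seen="$seen $tag"
        printf '%s\t%s\n' "$tag" "$(advice "$tag")"
    done
}

# run_checks: live diagnostics for the causes above; each step is skipped
# when its tool is not installed, so the script is safe to run anywhere.
run_checks() {
    echo "== effective user: $(id -un) (root is needed to write $STATE_DIR and bind the control socket)"
    echo "== syntax check of $CONF (does not start the daemon)"
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng -s -f "$CONF" && echo "config syntax OK"
    else
        echo "syslog-ng not installed"
    fi
    echo "== existing instances (these explain 'Address already in use' on the control socket)"
    pgrep -a syslog-ng 2>/dev/null || echo "no syslog-ng process found"
    echo "== state directory permissions"
    ls -ld "$STATE_DIR" 2>/dev/null || echo "$STATE_DIR does not exist"
    echo "== AppArmor profile status (a confining profile can also produce Permission denied)"
    if command -v aa-status >/dev/null 2>&1; then
        aa-status 2>/dev/null | grep -i syslog-ng || echo "no syslog-ng profile loaded"
    else
        echo "aa-status not available"
    fi
}

case "${1:-}" in
    --check)  run_checks ;;
    --triage) triage ;;
esac
```

Run `sudo sh triage.sh --check` first, then feed the failing start into the classifier with `journalctl -u syslog-ng --no-pager | sh triage.sh --triage` (or `sudo syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf 2>&1 | sh triage.sh --triage` for a pure config check). Two caveats on the IBM snippet itself: `tcp()` is the legacy driver name, kept for compatibility, while current syslog-ng documents `network()` with `transport("tcp")`; and port 514 over plain TCP carries the auth/authpriv facility in the clear, so on anything other than an isolated management network consider syslog-ng's `transport("tls")` on the same `network()` destination, which QRadar accepts through its TLS Syslog protocol.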

0 Answers