The situation: you need to send logs from an old piece of equipment to logstash running on a CentOS 8, for storing your logs on ElasticSearch.
The problem
The device is old and doesn’t support changing the default syslog port from 514/udp to something different, like port 5140/udp. Unfortunately this can happen, for example on virtual appliances like ZeroShell, where there’s no way to change the syslog port from the default one, but there’s a quick solution to this!
What I’m going to show you is how to bind any process on any privileged port, while running it as unprivileged user
Why
This is a security feature, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you. It would be really dangerous to allow system-wide to any service to bind to a non privileged port, because ports from 1 to 1023 are indeed privileged!
BTW, this is not a guide on how to set the listening port of logstash, but rather to allow java to bind to a port < 1024.
How
The procedure is very easy. First of all we need to find the path of the java process bundled with logstash, and the path of the libjli.so library.
The 2 paths should looks like this:
/usr/share/logstash/jdk/bin/java
/usr/share/logstash/jdk/lib/jli
Once you have the path of the 2 files, you can start. Enter the following commands as root.
setcap CAP_NET_BIND_SERVICE=+eip /usr/share/logstash/jdk/bin/java; getcap /usr/share/logstash/jdk/bin/java # this allows java to bind to port > 1024
echo "/usr/share/logstash/jdk/lib/jli" < /etc/ld.so.conf.d/java.conf # this will be used by ldconfig
ldconfig; ldconfig -v -p | grep libjli # checking if the library we need is found in the cache
reboot
When the system is loaded, start the service and check the status and if it bounded to the right port.
systemctl start logstash; journalctl -xef -u logstash # start the service and check the logs
systemctl status logstash # check the status of the service
ss -tlnp | grep 514 # check if logstash successfully bound to 514
At this point you should have your logstash up and running, and most important listening to port 514.