Security

Why can't Splunk bind ports when started as non-root?

ralphw_SAIC
Path Finder
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk
12-07-2015 15:08:37.498 -0500 INFO  TcpInputConfig - IPv4 port 550 will negotiate new-s2s protocol
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.498 -0500 ERROR TcpInputProc - Could not bind to port IPv4 port 550
12-07-2015 15:08:37.502 -0500 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: Permission denied

Any idea of what could be causing this? Nothing is using port 550. If I start Splunk as root it binds port 550 without an issue.

0 Karma
1 Solution

MuS
Legend

Hi ralphw_SAIC,

This is not a Splunk problem; it is based on the so-called privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature of your OS, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

If you want to use port 550 with Splunk, create a new Splunk TCP input on port 1550 and use an iptables rule to route input for port 550 to the Splunk port 1550:

 /usr/sbin/iptables -t nat -A PREROUTING -m tcp -p tcp --dport 550 -j REDIRECT --to-ports 1550

Your Sysadmin can do this for you.

Hope this helps ...

cheers, MuS

ralphw_SAIC
Path Finder

We don't use iptables. I did find one thing about setcap, but I am still trying to figure it out as it does not seem to work.

0 Karma

ralphw_SAIC
Path Finder

Unfortunately I have not found a workaround for the shared libraries issue. Guess this will have to be a one-off machine till I get this worked out.

0 Karma

MuS
Legend

Hi ralphw_SAIC,

I found these two links:
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-July/007455.html
https://wiki.apache.org/httpd/NonRootPortBinding
The first is about setcap for Splunk; the second is a generic one from Apache, but it also applies to Splunk.

Please mark this as answered, because your initial question is answered - thanks 🙂

0 Karma
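
The privileged-port rule and the setcap approach discussed in this thread can be checked from the shell. The following is an added example, not code from any poster or from Splunk: it reads a process's effective capability mask and the kernel's unprivileged-port threshold and reports whether a bind to a given port would be permitted. The function names are hypothetical, and it assumes a Linux host with /proc, CAP_NET_BIND_SERVICE as capability bit 10, and no user-namespace or container remapping.

```shell
#!/bin/sh
# Added example: decide whether a Linux process may bind a given port.
# Helper names are hypothetical; sample values used in tests are constructed.

CAP_NET_BIND_SERVICE=10   # capability bit number from <linux/capability.h>

# read_capeff FILE: print the effective capability mask (hex) found in a
# /proc/<pid>/status file.
read_capeff() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# read_unpriv_start [FILE]: lowest port a process without the capability may
# bind. Kernels that lack this sysctl use the fixed limit of 1024.
read_unpriv_start() {
    f=${1:-/proc/sys/net/ipv4/ip_unprivileged_port_start}
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# bind_verdict PORT CAPEFF_HEX UNPRIV_START
# A root process normally has every bit set in CapEff, so it lands in the
# "allowed-capability" branch like any process granted the capability.
bind_verdict() {
    if [ "$1" -ge "$3" ]; then
        echo "allowed-unprivileged-port"
    elif [ $(( (0x$2 >> $CAP_NET_BIND_SERVICE) & 1 )) -eq 1 ]; then
        echo "allowed-capability"
    else
        echo "denied"   # bind() fails with EACCES, logged as "Permission denied"
    fi
}

# Live use: sh portcheck.sh <pid> <port>   (for example the splunkd PID and 550)
if [ "$#" -eq 2 ]; then
    bind_verdict "$2" "$(read_capeff "/proc/$1/status")" "$(read_unpriv_start)"
fi
```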