I have a Syslog-ng instance listening on udp/514. I wanted to enable another source on udp/515 so I can separate the log files as they are a distinctly different data set.

I configured the conf file with the following sources:

source syslog_source {
    syslog(ip(192.168.1.90) transport("udp") port(514));
};

source guest_traffic {
    syslog(ip(192.168.1.90) transport("udp") port(515));
};

And that worked fine when running syslog-ng interactively as root. When I tried to run it as a service using systemd though, I received the following error:

Feb  5 15:55:54 elasticnodev01 systemd[1]: Starting System Logger Daemon...
Feb  5 15:55:54 elasticnodev01 syslog-ng[33961]: [2019-02-05T15:55:54.777994] Error binding socket; addr='AF_INET(192.168.1.90:515)', error='Permission denied (13)'
Feb  5 15:55:54 elasticnodev01 syslog-ng[33961]: [2019-02-05T15:55:54.778300] Error initializing message pipeline; plugin name='syslog', location='/etc/syslog-ng/conf.d/elasticstack.conf:24:5'

The reason is that SELinux blocks syslog-ng from binding to the non-standard port when it is launched by systemd. To check this, we can look at the /var/log/audit/audit.log file (requires root access).

# Check the SELinux log file for the port in question
$ sudo tail -n 500 /var/log/audit/audit.log | grep 515
.
.
type=AVC msg=audit(1549408488.504:128): avc:  denied  { name_bind } for  pid=2140 comm="syslog-ng" src=515 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
.
.

To fix this, we need semanage, which wasn't installed by default on my system (minimal CentOS 7 install). Thanks to this OSTechNix post I was able to find the package required to install SELinux.

# Find the package that contains the semanage binary
$ yum whatprovides /usr/sbin/semanage

Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.aarnet.edu.au
 * epel: mirror.aarnet.edu.au
 * extras: mirror.aarnet.edu.au
 * updates: mirror.aarnet.edu.au
logstash-6.x                                                                 388/388
policycoreutils-python-2.5-29.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage

policycoreutils-python-2.5-29.el7_6.1.x86_64 : SELinux policy core python utilities
Repo        : updates
Matched from:
Filename    : /usr/sbin/semanage

# Install the package
$ sudo yum install policycoreutils-python

Now that semanage is installed, we can confirm that udp/515 is not allowed, then add the port:

# List port records containing syslog
$ sudo semanage port --list | grep syslog

syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514

# Add the port to SELinux
$ sudo semanage port -a -t syslogd_port_t -p udp 515

# Confirm the port assignment worked
$ sudo semanage port -l | grep syslog

syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      515, 514, 601, 20514

# Start syslog-ng.service
$ sudo systemctl start syslog-ng

That should stop SELinux denying access to udp/515 (or whatever port you require).
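
The checks from the steps above, as an added shell example (not from the original post): `avc_bind_denials` pulls the process, protocol, port and SELinux types out of `name_bind` denials, and `port_has_type` tests whether a port is already listed under a type in `semanage port -l` output, so the label is only added when it is actually missing. Both function names are hypothetical, and the sample data is constructed from the output shown above.

```shell
#!/bin/sh
# Sample data, constructed from the output shown on this page.
SAMPLE_AVC='type=AVC msg=audit(1549408488.504:128): avc:  denied  { name_bind } for  pid=2140 comm="syslog-ng" src=515 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket'
SAMPLE_PORTS='syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514'

# stdin: audit.log lines. Prints "comm proto port source_domain port_type"
# for each denied name_bind (assumes comm contains no spaces).
avc_bind_denials() {
    awk '/avc:/ && /denied/ && /name_bind/ {
        comm = proto = port = dom = ptype = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "comm") { gsub(/"/, "", kv[2]); comm = kv[2] }
            else if (kv[1] == "src") port = kv[2]
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); dom = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ptype = c[3] }
            else if (kv[1] == "tclass") { proto = kv[2]; sub(/_socket$/, "", proto) }
        }
        print comm, proto, port, dom, ptype
    }'
}

# stdin: `semanage port -l` output. Exit 0 if PORT is listed for TYPE/PROTO,
# either as a single port or inside a "low-high" range.
port_has_type() {   # usage: port_has_type TYPE PROTO PORT
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                e = $i; sub(/,$/, "", e)
                if (split(e, r, "-") == 2) {
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) ok = 1
                } else if (e + 0 == n + 0) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# Demo on the constructed samples; on a live host feed the functions from
# `sudo cat /var/log/audit/audit.log` and `sudo semanage port -l` instead.
printf '%s\n' "$SAMPLE_AVC" | avc_bind_denials
if printf '%s\n' "$SAMPLE_PORTS" | port_has_type syslogd_port_t udp 515; then
    echo "udp/515 is labelled syslogd_port_t"
else
    echo "udp/515 is not labelled syslogd_port_t yet"
fi
```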


By default, SELinux was set to enforcing on my install. This can get in the way when troubleshooting. To resolve issues relating to SELinux, it can be useful to set the mode to permissive, which logs any policy violations but does not block them. To change the mode:

# Set mode to permissive
$ sudo setenforce permissive

# Set mode to enforcing
$ sudo setenforce enforcing

# To check the current mode
$ sudo getenforce

Note that these settings do not persist after a reboot. To change the setting permanently, edit the config file /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 