[GH-ISSUE #97] rsyslog : imudp: Could not create udp listener #49

Closed
opened 2026-03-03 13:58:42 +03:00 by kerem · 18 comments

Originally created by @GordonSasha on GitHub (Aug 26, 2021).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/97

Hi Thomas,
you are doing a great job - thank you very much.
I have installed version v1.0.0 on our device and am now testing the
functionality of all the features under hardening. I am currently
investigating the syslog problem and cannot figure out
what is happening. I would be very grateful if you could help me with this.

Problem:

rsyslog imudp plugin can't create udp listener

```sh
$ sudo systemctl status rsyslog.service
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-08-26 08:06:26 UTC; 8s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 3980 (rsyslogd)
      Tasks: 4 (limit: 9281)
     Memory: 1.0M
     CGroup: /system.slice/rsyslog.service
             └─3980 /usr/sbin/rsyslogd -n -iNONE

Aug 26 08:06:26 tfence-sideB systemd[1]: Started System Logging Service.
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: No UDP socket could successfully be initialized, some functionality may be disabled. [v8.2001>
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: imudp: Could not create udp listener, ignoring port 514 bind-address (null). [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: imudp: no listeners could be started, input not activated. [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: activation of module imudp failed [v8.2001.0 try https://www.rsyslog.com/e/-3 ]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: rsyslogd's groupid changed to 110
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: rsyslogd's userid changed to 104
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="3980" x-info="https://www.rsyslog.com">
```

Testing configuration:

```
   Client1        |<========== Tested Device (tgate) ========>|   SRV

syslog message -->|--> eth0 -----> use imudp ---> eth1 ----|--> syslogserver
                  |   10.0.0.2                 172.16.1.2  |    172.16.1.50
                  |-------------------------------------------|
```

```sh
Client1 $ logger --server 10.0.0.2 --udp --port 514 "$i) udp message from Client1";
```

Tested Device (tgate) config:
/etc/rsyslog.d/10-relay.conf :

```
$template msg_format, "%rawmsg%\n"
module(load="builtin:omfwd" Template="msg_format")
module(load="imudp")
input(type="imudp" port="514" device="eth0" ruleset="rs1")
Ruleset(name="rs1") {
    action(type="omfwd" target="172.16.1.50" port="514" protocol="udp")
    & stop
}
```

with tcpdump I see the packages are arriving to the "eth0":

```sh
$ sudo tcpdump -i eth0 -nn -v udp and port 514
```

but "eth1" does not receive them:

```sh
$ sudo tcpdump -i eth1 -nn -v udp and port 514
```

Versions:
hardening: v1.0.0 downloaded 14 apr 2021
Tested Device (tgate) OS:
tgate :$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

rsyslog version:
rsyslogd: version 8.2001.0

If you have any ideas, suggestions, or you know another way to solve the problem, I would love to hear them.
Thank you in advance

kerem 2026-03-03 13:58:42 +03:00
  • closed this issue
  • added the Stale label

@GordonSasha commented on GitHub (Aug 26, 2021):

If you can send a reply to mail: sasha.gordon@gmail.com I am very grateful


@konstruktoid commented on GitHub (Aug 26, 2021):

Hi @GordonSasha, it seems to be a permission issue (`create UDP socket bound to device failed: Operation not permitted`, are you restarting the service using `sudo`?) but without additional logs I'll have a hard time helping out.

```sh
~$ lsb_release -d && logger --udp --server 10.7.8.48 "ISSUE97"
Description:    Ubuntu 20.04.3 LTS
~$ lsb_release -d && sudo grep ISSUE /var/log/syslog
Description:    Ubuntu Impish Indri (development branch)
Aug 26 10:27:35 focal vagrant ISSUE97
```

Since you're also working with routing etc. `syslog message -->|--> eth0 -----> use imudp ---> eth1 ----|--> syslogserver`, this issue is out-of-scope for this project.


@GordonSasha commented on GitHub (Aug 26, 2021):

In general, this can be referred to as routing log messages. But in fact rsyslog does not receive messages because it cannot load the plugin. I have attached the log file of a running rsyslog in the debug module. You can see the problem (line 2174 ...). The same configuration works correctly on the device without hardening, so I think one (or more) of the hardening steps affects rsyslog. Retranslating syslog messages is not uncommon. I'm sure that, if you want, you can simply repair the problem.
If you need any additional information - let me know.
Big thanks

```
#~~~~~~~~~~~~~~~~ from line 2174
6849.677339702:main thread : ratelimit.c: ratelimit:imuxsock:new ratelimiter:bReduceRepeatMsgs 1
6849.677461450:main thread : errmsg.c: Called LogMsg, msg: cannot create '/run/systemd/journal/syslog'
6849.677473552:main thread : operatingstate.c: osf: MSG cannot create '/run/systemd/journal/syslog': rsyslogd: cannot create '/run/systemd/journal/syslog': Address already in use [v8.2001.0 try https://www.rsyslog.com/e/2176 ]
imuxsock: Opened UNIX socket '/var/spool/postfix/dev/log' (fd 4).
6849.678023396:main thread : rsconf.c: pre priv drop activating config 0x56131e9b1fd0 for module imklog
6849.678070038:main thread : rsconf.c: pre priv drop activating config 0x56131e9b1fd0 for module imudp
6849.678087079:main thread : imudp.c: Trying to open syslog UDP ports at *:514.
6849.678430655:main thread : errmsg.c: Called LogMsg, msg: create UDP socket bound to device failed
6849.678449122:main thread : operatingstate.c: osf: MSG create UDP socket bound to device failed: rsyslogd: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Called LogMsg, msg: create UDP socket bound to device failed
#~~~~~~~~~~~~~~~
```

[rsyslog_imudp.log](https://github.com/konstruktoid/hardening/files/7059342/rsyslog_imudp.log)


@konstruktoid commented on GitHub (Aug 26, 2021):

```sh
6849.677473552:main thread : operatingstate.c: osf: MSG cannot create '/run/systemd/journal/syslog': rsyslogd: cannot create '/run/systemd/journal/syslog': Address already in use [v8.2001.0 try https://www.rsyslog.com/e/2176 ]
imuxsock: Opened UNIX socket '/var/spool/postfix/dev/log' (fd 4).
```

`Address already in use`, is there another instance of `rsyslog` running on port 514 already?


@GordonSasha commented on GitHub (Aug 26, 2021):

No, no one is listening on 514.


@GordonSasha commented on GitHub (Aug 26, 2021):

```
sudo netstat -tulpn | grep LISTEN
[sudo] password for tfence:
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 643/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 719/sshd: /usr/sbin
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1357/master
tcp 0 0 127.0.0.1:7883 0.0.0.0:* LISTEN 678/mosquitto
tcp6 0 0 :::22 :::* LISTEN 719/sshd: /usr/sbin
tcp6 0 0 ::1:25 :::* LISTEN 1357/master
```


@GordonSasha commented on GitHub (Aug 26, 2021):

netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 localhost:7883 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 ip6-localhost:smtp [::]:* LISTEN
udp 0 0 127.0.0.53:domain 0.0.0.0:*
udp 0 0 172.16.1.52:ntp 0.0.0.0:*
udp 0 0 10.0.0.2:ntp 0.0.0.0:*
udp 0 0 localhost:ntp 0.0.0.0:*
udp 0 0 0.0.0.0:ntp 0.0.0.0:*
udp 0 0 10.0.0.255:51101 0.0.0.0:*
udp 0 0 10.0.0.255:51102 0.0.0.0:*
udp6 0 0 fe80::260:e9ff:fe2b:ntp [::]:*
udp6 0 0 fe80::260:e9ff:fe2b:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
raw6 0 0 [::]:ipv6-icmp [::]:* 7
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] SEQPACKET LISTENING 18231 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 56071 /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 56076 /run/user/1000/bus
unix 2 [ ACC ] STREAM LISTENING 56077 /run/user/1000/gnupg/S.dirmngr
unix 2 [ ACC ] STREAM LISTENING 56078 /run/user/1000/gnupg/S.gpg-agent.browser
unix 2 [ ACC ] STREAM LISTENING 56079 /run/user/1000/gnupg/S.gpg-agent.extra
unix 2 [ ACC ] STREAM LISTENING 18213 @/org/kernel/linux/storage/multipathd
unix 2 [ ACC ] STREAM LISTENING 56080 /run/user/1000/gnupg/S.gpg-agent.ssh
unix 2 [ ACC ] STREAM LISTENING 56081 /run/user/1000/gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 56082 /run/user/1000/pk-debconf-socket
unix 2 [ ACC ] STREAM LISTENING 28078 @usbguard@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
unix 2 [ ACC ] STREAM LISTENING 30817 public/pickup
unix 2 [ ACC ] STREAM LISTENING 30821 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 30824 public/qmgr
unix 2 [ ACC ] STREAM LISTENING 30828 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 30831 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 30834 private/bounce
unix 2 [ ACC ] STREAM LISTENING 30837 private/defer
unix 2 [ ACC ] STREAM LISTENING 30840 private/trace
unix 2 [ ACC ] STREAM LISTENING 30843 private/verify
unix 2 [ ACC ] STREAM LISTENING 30846 public/flush
unix 2 [ ACC ] STREAM LISTENING 30849 private/proxymap
unix 2 [ ACC ] STREAM LISTENING 30852 private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 30855 private/smtp
unix 2 [ ACC ] STREAM LISTENING 30858 private/relay
unix 2 [ ACC ] STREAM LISTENING 30861 public/showq
unix 2 [ ACC ] STREAM LISTENING 30864 private/error
unix 2 [ ACC ] STREAM LISTENING 30867 private/retry
unix 2 [ ACC ] STREAM LISTENING 30870 private/discard
unix 2 [ ACC ] STREAM LISTENING 30873 private/local
unix 2 [ ACC ] STREAM LISTENING 30876 private/virtual
unix 2 [ ACC ] STREAM LISTENING 30879 private/lmtp
unix 2 [ ACC ] STREAM LISTENING 30882 private/anvil
unix 2 [ ACC ] STREAM LISTENING 30885 private/scache
unix 2 [ ACC ] STREAM LISTENING 30891 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 30894 private/uucp
unix 2 [ ACC ] STREAM LISTENING 30897 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 30900 private/bsmtp
unix 2 [ ACC ] STREAM LISTENING 30903 private/scalemail-backend
unix 2 [ ACC ] STREAM LISTENING 30906 private/mailman
unix 2 [ ACC ] STREAM LISTENING 18200 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 18202 /run/systemd/userdb/io.systemd.DynamicUser
unix 2 [ ACC ] STREAM LISTENING 18211 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] SEQPACKET LISTENING 18216 /run/systemd/coredump
unix 2 [ ACC ] STREAM LISTENING 18226 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 15634 /run/systemd/journal/io.systemd.journal
unix 2 [ ACC ] STREAM LISTENING 23484 /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 23486 /run/uuidd/request


@konstruktoid commented on GitHub (Aug 26, 2021):

Can you include your rsyslog configuration so I can test with an exact copy?


@GordonSasha commented on GitHub (Sep 5, 2021):

Sorry for the delay and silence. I was ill.
At your request,
[rsyslog_config.zip](https://github.com/konstruktoid/hardening/files/7111093/rsyslog_config.zip)
sending you syslog configuration files
Sorry again and thanks in advance


@konstruktoid commented on GitHub (Sep 5, 2021):

No need to apologise, glad you've gotten better.

I'll have a look at the config as soon as possible.


@GordonSasha commented on GitHub (Sep 5, 2021):

Thanks a lot for your help. I opened an additional bug about the apt error. But
it looks like I know what the problem is. I can check it only on Thursday. We
are on holiday vacation
Thanks

On Sun, Sep 5, 2021, 19:02 Thomas Sjögren @.***> wrote:

> No need to apologise, glad you've gotten better.
>
> I'll have a look at the config as soon as possible.



@konstruktoid commented on GitHub (Sep 7, 2021):

Check the `device` setting on the servers. That's one of the reasons that error occurred.

I also tested and got it working with a rewritten config file.


@GordonSasha commented on GitHub (Sep 9, 2021):

Sorry for the delay and silence. I was ill.
At your request,
[rsyslog_config.zip](https://github.com/konstruktoid/hardening/files/7111093/rsyslog_config.zip)
sending you syslog configuration files
Sorry again and thanks in advance


@GordonSasha commented on GitHub (Sep 9, 2021):

Hi, I found when the problem appears. One of the AppArmor profiles prevents rsyslog from creating the UDP socket. It happened in the `f_aa_enforce()` function.


@GordonSasha commented on GitHub (Sep 14, 2021):

The solution is:

```sh
echo "capability net_raw," > /etc/apparmor.d/local/usr.sbin.rsyslogd
```
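
An added example, not part of the original thread or of the hardening project's code: AppArmor logs every refused capability to the kernel audit stream with a `capname=` field, so the denial behind `Operation not permitted` can be read directly from the log. The sketch extracts those denials for one profile and merges the matching rules into a local override without replacing existing lines; the sample log lines, the profile name `rsyslogd` and the helper names `aa_denied_caps`, `aa_merge_local` and `sample_log` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: turn AppArmor capability denials for one profile into
# local-override rules. Helper names are hypothetical.

# aa_denied_caps PROFILE
# Reads kernel/audit log lines on stdin and prints one "capability <name>,"
# rule per distinct capability that AppArmor denied for PROFILE.
aa_denied_caps() {
    profile=$1
    awk -v want="$profile" '
        /apparmor="DENIED"/ && /operation="capable"/ {
            prof = ""; cap = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^profile=/) { prof = $i; gsub(/^profile="|"$/, "", prof) }
                if ($i ~ /^capname=/) { cap = $i; gsub(/^capname="|"$/, "", cap) }
            }
            # The profile is logged either by name or by attachment path,
            # so compare on the last path component.
            n = split(prof, parts, "/")
            if (cap != "" && parts[n] == want && !seen[cap]++)
                print "capability " cap ","
        }'
}

# aa_merge_local FILE
# Appends rules read on stdin to FILE unless the exact line is already
# present, so existing local overrides survive (a plain ">" redirect
# replaces the whole file).
aa_merge_local() {
    file=$1
    touch "$file"
    while IFS= read -r rule; do
        grep -qxF -- "$rule" "$file" || printf '%s\n' "$rule" >> "$file"
    done
}

# Constructed sample of kernel audit lines (not taken from the reporter host).
sample_log() {
    cat <<'EOF'
Aug 26 08:06:26 host kernel: audit: type=1400 audit(1629965186.678:101): apparmor="DENIED" operation="capable" profile="rsyslogd" pid=3980 comm="rsyslogd" capability=13  capname="net_raw"
Aug 26 08:06:26 host kernel: audit: type=1400 audit(1629965186.679:102): apparmor="DENIED" operation="capable" profile="rsyslogd" pid=3980 comm="rsyslogd" capability=13  capname="net_raw"
Aug 26 08:06:27 host kernel: audit: type=1400 audit(1629965187.100:103): apparmor="DENIED" operation="open" profile="rsyslogd" name="/etc/example" pid=3980 comm="rsyslogd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 26 08:06:28 host kernel: audit: type=1400 audit(1629965188.200:104): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=812 comm="ntpd" capability=12  capname="net_admin"
EOF
}

# Demo on the constructed sample: prints "capability net_raw,"
sample_log | aa_denied_caps rsyslogd

# On a live host (assumes the profile name "rsyslogd" and the override path
# given in the thread), review the rules before applying them as root:
#   journalctl -k --no-pager | aa_denied_caps rsyslogd > /tmp/rules
#   aa_merge_local /etc/apparmor.d/local/usr.sbin.rsyslogd < /tmp/rules
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd
#   systemctl restart rsyslog
```

The profile has to be reloaded and rsyslog restarted before the `imudp` listener with `device=` can bind.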


@konstruktoid commented on GitHub (Sep 14, 2021):

> the solution is :
> echo "capability net_raw," > /etc/apparmor.d/local/usr.sbin.rsyslogd

great catch, i can add that check if you don't want to submit a PR.
pushing upstream?


@GordonSasha commented on GitHub (Sep 14, 2021):

I think you can add it better than me.


@github-actions[bot] commented on GitHub (Oct 15, 2021):

This issue is stale because it has been open 30 days with no activity, without any activity it will be closed in 5 days.
