Plugin fails on Graylog 2.4.6 with the following error - noexec on /tmp results in fail to start Graylog (linux/unix only) #26
Comments
|
Please send more detailed logs and how this plugin is configured. What I have done
|
|
I placed the plugin in the requisite plugin directory "/usr/share/graylog/plugin/" errors on all attempts to insert are as below: com.google.common.util.concurrent.ExecutionError: java.lang.NoClassDefFoundError: Could not initialize class org.graylog2.syslog4j.Syslog |
|
On start of graylog the only entry related to this plugin is logged as such 2018-11-15T15:56:35.460Z INFO [CmdLineTool] Loaded plugin: SyslogOutputPlugin 1.0.0 [com.wizecore.graylog2.plugin.SyslogOutput] |
|
Tried UDP and IP of the host as well - no change in behavior We will try a non-privileged high port and report back |
|
no change with above 1024 port. Is there a class needed in the Java jar? NoClassDefFoundError |
|
Possibly, |
|
ok - any idea on how to proceed? graylog was installed via yum from the graylog repo Name : graylog-server [graylog] these are the files in the graylog.jar replated to syslog4j ./org/graylog2/syslog4j/impl/backlog/Syslog4jBackLogHandler.class |
|
Switch of Java didn't work Now: Oracle Corporation 1.8.0_191 on Linux 3.10.0-862.14.4.el7.x86_64 |
|
|
Centos 7.4 we may just have to do a full reinstall of everything :( |
|
what other plugins did you have installed? |
|
none - only the factory provided -rw-r--r-- 1 root root 20654 Jun 13 19:39 graylog-output-syslog-2.4.5.jar |
|
at a standstill as of now. Only option we have is reinstall everything from scratch and try again but it seems as if the tar package install versus the yum package install differs greatly in behavior once it is running I can turn on debug if it helps and see if anything else is created log wise but we are out of ideas |
|
the only deviation is the following which we thought to be benign that "could" be an issue rpm -Uvh https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm |
|
deep debug for the Win. The issue is related to system hardening and /tmp set to noexec Once this was backed off, the plugin started as expected. Maybe a note to add to the deployment as a caveat. |
|
Hmm, I wonder why system hardening might affect Syslog client initialization? Should not be the case as it might affect deployments to public clouds, etc. Thanks for reporting this anyway! |
|
I would suggest an option for the plugin that allows a custom 'tmp' directory to be configured so as not weaken the hardening config. The default drop point on UNIX for a lot of malware is /tmp and allow exec is bad. |
|
Completely agree that allowing exec is bad, but the plugin itself does not write nor exec some files. It seems like syslog4j does some initialization which involves /tmp folder access? Not sure. Could you please help me setting up environment so I reproduce it? Thanks! |
|
Closing this due to inactivity. It would be great to try to reproduce this problem with latest 3.3.x graylog. |
|
just reproduced on a fresh install with:
Elasticsearch runs fine with |
|
Unfortunately, because of org.graylog2.syslog4j package dependency on |
huksley
changed the title
plugin fails when assigned to a stream output on 2.4.6
com.google.common.util.concurrent.ExecutionError: java.lang.NoClassDefFoundError: Could not initialize class org.graylog2.syslog4j.Syslog at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2216) ~[graylog.jar:?]
We are using the jar: graylog-output-syslog-2.4.5.jar
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
Graylog 2.4.6
Any help is greatly appreciated
The text was updated successfully, but these errors were encountered: