
Run a .NET 8 Linux System Monitor with Non-Root Privileges

This guide outlines the process of running a Linux System Monitor Agent without root privileges.

Prerequisites

There is no .NET Runtime installation required when running a System Monitor Agent with non-root privileges; the agent is self-contained and includes all necessary .NET dependencies.

Run a Linux System Monitor Agent with Non-Root Privileges

  1. Create a dedicated non-root system user (for example, “logrhythm”) if one does not already exist. The command below creates a system account with no login shell, which is what a service account should have:

CODE
sudo useradd -r -s /bin/false -d /opt/logrhythm/scsm logrhythm

  2. Set ownership of the agent installation directory:

CODE
sudo chown -R logrhythm:logrhythm /opt/logrhythm/scsm

  3. Edit the systemd service file at /etc/systemd/system/scsm.service so that the service runs as the non-root user. Set the User line in the [Service] section (systemd directive names are case-sensitive, so it must be User=, not user=):

CODE
User=logrhythm

Optionally, you can also specify a group:

CODE
Group=logrhythm

  4. Ensure the non-root user has execute permission on the agent binary:

CODE
sudo chmod +x /opt/logrhythm/scsm/bin/scsmlsvc

  5. Set the PATH environment variable for the service by adding the following line to the [Service] section of /etc/systemd/system/scsm.service:

CODE
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  6. If the agent needs to bind to privileged ports (below 1024), grant the CAP_NET_BIND_SERVICE file capability to the agent binary:

CODE
sudo setcap 'cap_net_bind_service=+ep' /opt/logrhythm/scsm/bin/scsmlsvc

File capabilities are stored on the binary itself, so this step must be repeated whenever the binary is replaced (for example, after an agent upgrade).

  7. Reload systemd so it picks up the edited unit, then enable the agent service (start or restart it afterwards for the change to take effect):

CODE
sudo systemctl daemon-reload
sudo systemctl enable scsm
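The whole procedure above as a single script, added here as an example; it is not part of the original page or LogRhythm's own tooling. It uses the names the page gives (user logrhythm, /opt/logrhythm/scsm, bin/scsmlsvc, unit scsm) but places the User=, Group= and PATH settings in a systemd drop-in file rather than editing scsm.service directly, so a package upgrade that rewrites the unit does not undo the change. The drop-in file name nonroot.conf, the SCSM_APPLY and SYSLOG_PORT variables, the default port 514 and the post-install checks are this example's assumptions.

```shell
#!/bin/sh
# Added example (not LogRhythm's code): apply the non-root setup above with a
# systemd drop-in instead of editing the packaged unit, then verify it.
# From the page: user "logrhythm", /opt/logrhythm/scsm, bin/scsmlsvc, unit scsm.
# Assumed: the drop-in name nonroot.conf, the SCSM_APPLY / SYSLOG_PORT
# variables and the default port 514.
set -eu

AGENT_USER="${AGENT_USER:-logrhythm}"
AGENT_HOME="${AGENT_HOME:-/opt/logrhythm/scsm}"
AGENT_BIN="$AGENT_HOME/bin/scsmlsvc"
UNIT="scsm.service"
DROPIN_DIR="/etc/systemd/system/$UNIT.d"

# Ports below 1024 are privileged: a non-root process needs
# CAP_NET_BIND_SERVICE (or root) to bind them.
needs_cap() {
    [ "$1" -lt 1024 ]
}

# Render the drop-in that overrides the [Service] section. Directive names
# are case-sensitive in systemd: "user=" is not recognised, "User=" is.
render_dropin() {
    user="$1"
    printf '[Service]\n'
    printf 'User=%s\n' "$user"
    printf 'Group=%s\n' "$user"
    printf 'Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n'
}

# Steps 1-7 of the procedure. Requires root.
apply() {
    port="$1"
    id "$AGENT_USER" >/dev/null 2>&1 \
        || useradd -r -s /bin/false -d "$AGENT_HOME" "$AGENT_USER"
    chown -R "$AGENT_USER:$AGENT_USER" "$AGENT_HOME"
    chmod +x "$AGENT_BIN"
    mkdir -p "$DROPIN_DIR"
    render_dropin "$AGENT_USER" > "$DROPIN_DIR/nonroot.conf"
    if needs_cap "$port"; then
        # The file capability is stored on the binary's inode, so it is lost
        # when an upgrade replaces the file: re-run this after upgrading.
        setcap 'cap_net_bind_service=+ep' "$AGENT_BIN"
    fi
    systemctl daemon-reload
    systemctl enable "$UNIT"
    systemctl restart "$UNIT"
}

# Post-install checks: the unit's effective User=, the capability on the
# binary when a privileged port is used, and a scsmlsvc socket on the port
# (ss -p only shows process names to root).
verify() {
    port="$1"
    [ "$(systemctl show -p User --value "$UNIT")" = "$AGENT_USER" ] \
        || { echo "$UNIT does not run as $AGENT_USER" >&2; return 1; }
    if needs_cap "$port"; then
        getcap "$AGENT_BIN" | grep -q cap_net_bind_service \
            || { echo "cap_net_bind_service missing on $AGENT_BIN" >&2; return 1; }
    fi
    ss -H -lnptu "sport = :$port" | grep -q scsmlsvc \
        || { echo "scsmlsvc is not listening on port $port" >&2; return 1; }
    echo "ok: $UNIT runs as $AGENT_USER and listens on port $port"
}

# Root-only steps run only when explicitly requested, so the helpers above
# can be sourced and checked without touching the system:
#   sudo SCSM_APPLY=1 SYSLOG_PORT=514 sh ./scsm-nonroot.sh
if [ "${SCSM_APPLY:-0}" = "1" ]; then
    port="${SYSLOG_PORT:-514}"
    apply "$port"
    verify "$port"
fi
```

If you would rather not depend on a file capability that has to be reapplied after every upgrade, the drop-in can carry AmbientCapabilities=CAP_NET_BIND_SERVICE instead, which systemd grants to the service process at start regardless of which binary is on disk; the setcap step is then unnecessary.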

Syslog Server Configuration

If running the syslog server component as non-root, you have two options:

Option A

Change the syslog port in the config/scsm.ini file to 1024 or higher. Ports below 1024 are privileged and normally require root access (or the capability described in Option B).

Option B

Keep the default port (514 UDP/TCP) and grant the CAP_NET_BIND_SERVICE capability to the agent binary (as shown in step 6 above).

If the agent runs as non-root with a port below 1024 and without the proper capability, warnings will be logged indicating the syslog server cannot start unless the port is changed to ≥ 1024 or the capability is granted.

Some devices sending syslog data may not support configurable destination ports. If they do not allow the destination port to be configured, you must either:

  • Use Option B above (grant CAP_NET_BIND_SERVICE capability), or

  • Configure firewall rules or port forwarding to redirect port 514 to a higher port.
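The port-forwarding option in the second bullet, as an added example that is not part of the original page or LogRhythm's tooling: an nftables NAT redirect that rewrites inbound 514/udp and 514/tcp to an unprivileged port, so the agent can keep running without any capability while devices continue to send to 514. The high port 1514 (which must also be set as the syslog port in config/scsm.ini), the table name scsm_redirect and the NFT_APPLY guard are this example's assumptions.

```shell
#!/bin/sh
# Added example (not LogRhythm's code): redirect inbound syslog on 514/udp
# and 514/tcp to an unprivileged port with nftables, for devices that cannot
# change their destination port. Assumed: high port 1514 (must match the
# syslog port set in config/scsm.ini), table name scsm_redirect, NFT_APPLY guard.
set -eu

LOW_PORT="${LOW_PORT:-514}"
HIGH_PORT="${HIGH_PORT:-1514}"

# The target must be an unprivileged port (otherwise the redirect buys
# nothing) and must differ from the source.
check_ports() {
    low="$1"; high="$2"
    [ "$low" -ge 1 ] && [ "$low" -le 65535 ] || return 1
    [ "$high" -ge 1024 ] && [ "$high" -le 65535 ] || return 1
    [ "$low" -ne "$high" ]
}

# Render the nft script. A nat-type chain on the prerouting hook rewrites the
# destination of packets arriving from the network before they are routed;
# "redirect" DNATs them to the local address they arrived on, so only the
# port changes. Locally generated traffic (e.g. logger -n 127.0.0.1) does
# not pass this hook and is not redirected.
render_nft() {
    low="$1"; high="$2"
    cat <<EOF
table inet scsm_redirect {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        udp dport $low redirect to :$high
        tcp dport $low redirect to :$high
    }
}
EOF
}

# Install the rules in one transaction (declare + flush + define, so a re-run
# replaces rather than duplicates them) and confirm the rule is present.
# The high port must still be accepted by any input filter chain you run.
apply_nft() {
    check_ports "$LOW_PORT" "$HIGH_PORT" \
        || { echo "bad ports: $LOW_PORT -> $HIGH_PORT" >&2; return 1; }
    tmp="$(mktemp)"
    {
        echo "table inet scsm_redirect"
        echo "flush table inet scsm_redirect"
        render_nft "$LOW_PORT" "$HIGH_PORT"
    } > "$tmp"
    nft -f "$tmp"
    rm -f "$tmp"
    nft list table inet scsm_redirect \
        | grep -q "dport $LOW_PORT redirect to :$HIGH_PORT"
}

# Root-only; run as:  sudo NFT_APPLY=1 HIGH_PORT=1514 sh ./scsm-redirect.sh
if [ "${NFT_APPLY:-0}" = "1" ]; then
    apply_nft
fi
```

Because the rewrite happens in the prerouting hook, a local test such as sending to 127.0.0.1:514 from the same host will not be redirected; test from another machine, or watch the agent's log for the listener coming up on the high port.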
