I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following:

  1. Using --add-cap=net_raw on the container
  2. Using --privileged flag on the container
  3. Using the Capabilities "cap_net_raw=+ep" in the NXLOG configuration

I keep getting the following error from the nxlog process inside the container.

nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted

Has anyone been able to get the om_udpspoof module to work inside of a docker container?

AskedJanuary 20, 2021 - 9:49pm

Answer (1)


Have you tried to set the capability on the binary? RUN setcap cap_net_raw+ep /opt/nxlog/bin/nxlog



Comments (1)

  • rp25818's picture

    This worked! I had to do this in the container and not in the host.

    Added to Dockerfile

    # Permit container to run raw sockets and bind to ports <= 1024
    RUN setcap 'cap_net_bind_service,cap_net_raw=+ep' /opt/nxlog/bin/nxlog

    Added to nxlog.conf file

    # Set Linux capabilities regarding raw sockets and binding below 1024
    Capabilities "cap_net_bind_service,cap_net_raw=+ep"