Analytics and clickthrough not available due to permission issues

I have enterprise-search running as a service - which means that I have changed ownership of its logs to the enterprise-search user (otherwise it crashes on startup)

For some reason however, it doesn't show any query statistics, API logs or click-throughs. If I stop the service and start it manually as sudo, then all is fine so I'm guessing this is some sort of permission issue.

Which user should the logs belong to?


Do you see any errors in the application logs? Especially around startup, searching, or viewing the analytics UI. Maybe take a peak at the Elasticsearch logs too just in case there exists a running user permissions issue there too.

Without knowing much more, my best guess would be that some log files have incorrect permissions, especially because you observe it working correctly when run with sudo. If nothing else, I'd recommend a fresh install, taking care to start Enterprise Search for the first time with the correct enterprise-search system user.

I hope that helps.


Hi @ross.bell , thanks for the response. I can't see any errors in either of the logs. However, looking at the filebeat log, it seems it's only running when I start enterprise search as sudo. No errors here, either.

I would avoid running your Enterprise Search deploy as any user other than the enterprise-search user you reference. It sounds like your deploy may be in a state where it does not have appropriate permissions to the files it needs, and the easiest resolution would be to install a fresh instance.

It is being deployed and run with the enterprise-search user. All deployment instructions are being followed. If I were to redeploy, I would just arrive to the same conclusion.

In fact, I have redeployed but my second server behaves the same.

I suspect this is because the original deployment instructions only take you as far as starting up the process using

ENT_SEARCH_DEFAULT_PASSWORD=[default_pwd] /usr/share/enterprise-search/bin/enterprise-search

But not as a service. If started as a service, it doesn't have access to its logs, so I changed the owners of all enterprise-search log files to be the enterprise-search user. Could this have caused the issue? Or could it be that i have in fact started the process for the first time using sudo (which would be very odd)

In the end, I did re-install it and tried to follow the installation instructions as-is - without using sudo to try and start the process for the first time. As can be seen in the post above.

However, this doesn't work: the process will not have access to its configuration file, running as the local user. Running as sudo -u enterprise-search doesn't work either. In the end, I had to change the owner of

  • /usr/share/enterprise-search/tmp
  • /usr/share/enterprise-search/filebeat/data

to enterprise-search - which has finally resolved the issue.