In the file output we can specify a permission string for the files. I use auditbeat, and although I set the string to "0644", the created file is still "0600" when I "ls" this file. I've not been able to change this; I've tried deleting the file and then recreating it, etc. I was going to create an issue on GitHub, but put this here first to see if anyone has any ideas.
I've played about some more and I can get it to change with different values. I thought it could be a umask, so I tried 0000, 000, 0022 and 022, but those resulted in a file with no values set.
0600 is the default configuration for permission. So probably there is a problem in your configuration.
Could you please share it and format it using
I think I've figured it out: '0600' works, as does '0640'. This is due to libbeat having a hardcoded umask of 0027, which means at most a file created can be '0640', nothing more.
I think I could recompile auditbeat to fix this, but for now I changed my systemd service to run in the same group as my rsyslog user (syslog) and then set the value to "0640".
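The masking described in the post above can be reproduced outside auditbeat. The following Go program is an added example, not code from libbeat or from the thread; it assumes a Unix system, takes the 0027 umask from the post as given, and uses a hypothetical helper `createdMode` and file name `out.log`. It creates a file with each requested mode and reports what the kernel actually set.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// createdMode (hypothetical helper) creates a new file requesting `requested`
// while the process umask is `mask`, and returns the permission bits the
// kernel actually applied (requested &^ mask).
func createdMode(mask int, requested os.FileMode) (os.FileMode, error) {
	dir, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(dir)

	old := syscall.Umask(mask) // process-wide setting; restored on return
	defer syscall.Umask(old)

	path := filepath.Join(dir, "out.log") // constructed sample file name
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_EXCL, requested)
	if err != nil {
		return 0, err
	}
	defer f.Close()

	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	const mask = 0o027 // umask value reported in the post above
	for _, want := range []os.FileMode{0o600, 0o640, 0o644} {
		got, err := createdMode(mask, want)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("requested %04o -> created %04o (stripped %04o)\n", want, got, want&^got)
	}
}
```

With a 0027 umask the group-write bit and every "other" bit are cleared at creation time, so 0600 and 0640 pass through unchanged while 0644 comes out as 0640.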