In the file output we can specify a permission string for the files. I use auditbeat and although I set the string to "0644". The created file is still "0600" when I "ls" this. file, ive not be able to change this ive tried deleting the file and then recreating etc. I was going to create an issue on github, but put this here first to see if anyone has any ideas
Ive played about some more and I can get it change with different values. I thought it could be a umask so tried 0000, 000, 0022 and 022 , but those resulted in a file with no values set
0600 is the default configuration for permission. So probably there is a problem in your configuration.
Could you please share it and format is using </>?
I think ive figured it out '0600' works as does '0640', this is due the libbeats having a hardcoded umask of 0027 which means at most a file created can be '0640' nothing more.
I think i could recompile auditbeat to fix this, but for now I changed my systemd service to run in same group as my rsyslog user (syslog) and then set the value to "0640"