Changing ownership of filebeat installtion from root

Hi experts,

I installed filebeat as root in my RedHat. We did using yum install filebeat-version.rpm. Now what happened is, when install, we did it as root user. I believe there is security risk by installing as root user. Should i uninstall the filebeat and install as tar or is there a way to change its ownership. Please advice which path should be changed. as i know for now we have /etc/filebeat and /usr/share/filebeat. What needs to be done. any other path i need to modify.

If you're using systemd, you can edit the service file (it should be /lib/systemd/system/filebeat.service) and add the user and group you want to use when running Filebeat. Add group and user under the service section, like this:

[Service]
User=filebeat-user
Group=filebeat-group

If you do that double check the logs when you start Filebeat to make sure it's not having any issues accessing its files (configuration file, registry, etc).

Another option is to uninstall the RPM package and use the TAR.GZ, but if you do this, then you will have to manage Filebeat's lifecycle.

Hi if we change systemd, even the files is root, it will start the service as dedicate user? So if there is issue like attacker cant use root user though the file is root, but the program was running as other user. Do I need change ownership of files in

/etc/filebeat
/usr/share/filebeat
/var/lib/filebeat

is there any other locations?

You don't need to change ownership of the files, the process will run as the configured user and will only have the permissions of that user.

If you thing about it on Linux all files under folders like /bin, /usr/bin etc are owned by root, but any user can execute them and the spawned process will only have the permissions of the user executing it.