Hi experts,
I installed filebeat as root in my RedHat. We did using yum install filebeat-version.rpm. Now what happened is, when install, we did it as root user. I believe there is security risk by installing as root user. Should i uninstall the filebeat and install as tar or is there a way to change its ownership. Please advice which path should be changed. as i know for now we have /etc/filebeat and /usr/share/filebeat. What needs to be done. any other path i need to modify.
If you're using systemd, you can edit the service file (it should be /lib/systemd/system/filebeat.service) and add the user and group you want to use when running Filebeat. Add group and user under the service section, like this:
[Service]
User=filebeat-user
Group=filebeat-group
If you do that double check the logs when you start Filebeat to make sure it's not having any issues accessing its files (configuration file, registry, etc).
Another option is to uninstall the RPM package and use the TAR.GZ, but if you do this, then you will have to manage Filebeat's lifecycle.
Hi if we change systemd, even the files is root, it will start the service as dedicate user? So if there is issue like attacker cant use root user though the file is root, but the program was running as other user. Do I need change ownership of files in
/etc/filebeat
/usr/share/filebeat
/var/lib/filebeat
is there any other locations?
You don't need to change ownership of the files, the process will run as the configured user and will only have the permissions of that user.
If you thing about it on Linux all files under folders like /bin, /usr/bin etc are owned by root, but any user can execute them and the spawned process will only have the permissions of the user executing it.
what i did i change all ownership to the new user id. but look weird as logs not beiing sent to logstash. even registry is remaining the same. any idea how i can troubleshoot this
You can look at Filebeat's logs, look for messages on warning and error levels. Also during startup Filebeat prints the folders it is using for logs, registry, etc. Make sure Filebeat has got the correct access to those folders.
You can also run ./filebeat test output to test the connection from Filebeat to the selected output, logstash in your case.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.