Hi,
I've installed filebeat on Amazon Linux and changed /etc/init.d/filebeat to run as a non-root user called "filebeat-usr". I also changed the ownership of all filebeat files to "filebeat-usr".
When I do "sudo su filebeat-usr" and then "filebeat -e", filebeat sends data to my Elasticsearch cluster successfully. But when I run "sudo service filebeat start" from a sudoer user, the service starts up nicely, but it's not able to send anything to Elasticsearch.
I was having this problem: "ERROR log/input.go:209 input state for /home/someuser/applog.log was not removed: stat /home/someuser/applog.log: permission denied", which is weird, because I was able to run stat on this file while logged in as filebeat-usr. Anyway, I removed the registry file in /var/lib/ and this error message is not appearing anymore. Unfortunately, no data is coming to the ES cluster.
Does anyone know what it could be?