Filebeat: permission denied

y34rz3r0 · April 23, 2023, 9:05pm

Hi all! Need your help in solving the problem:

Unexpected file opening error: 
"Failed opening /mnt/var/log/auth.log: open /mnt/var/log/auth.log: permission denied"

My environment:

docker-compose
filebeat:8.7.0
user and group of auth.log is syslog:adm

What have I already tried:

command: ["--strict.perms=false"]
"$ chown root:root filebeat.yml" + "$ chmod 755 filebeat.yml"
change image to filebeat:8.6.0

stephenb · April 23, 2023, 10:01pm

What is the permission on

ls -la /mnt/var/log

Specifically, we want to know the permissions and mode on the auth.log file and the containing directory /mnt/var/log

This probably not going to help.

Filebeat is complaining that it can't read the log file not about its own configuration.

Filebeat is going to need to be able to read the file and if it's not in the same user and group then it's going to need to be 644 mode at the least.

Perhaps share your compose file... It's most likely the log mount does not have the correct permissions.

y34rz3r0 · April 24, 2023, 10:25pm

Thanks for your reply! Unfortunately, at the moment I can't see the permissions on /mnt/var/log/auth.log. I'll add this information a little later. As for my configuration, you can see everything here GitHub - y34r-z3r0/elastic: Learning and testing elk-stack features

y34rz3r0 · April 25, 2023, 10:54am

filebeat@filebeat:~$ ls -l /mnt/var/log/auth.log 
-rw-r----- 1 107 adm 55445 Apr 25 10:50 /mnt/var/log/auth.log

What is the best way to change the permissions for a file in a container?

stephenb · April 25, 2023, 12:29pm

Hi @y34rz3r0

This is more of a docker mount issue than filebeat issue.

Perhaps you should read a bit about permissions and volumes

If you think about it docker compose or filebeat can only read or access files that the user that's running it can.

Otherwise, it'd be a huge security hole to just be able to run a docker or filebeat and read any file that a user didn't have permission to read.

Here's an article that might help

y34rz3r0 · April 25, 2023, 4:23pm

Thank you! I'll take a look at the docs and post the solution as soon as I figure it out.

y34rz3r0 · May 2, 2023, 4:33pm

So, in this case, I decided to go the simplest way:

sudo chmod o+r /var/log/auth.log
(in the system, not in the container)

And it works

I don’t know how correct this option is in terms of interfering with the security of the system, but the main thing for me now is that I can proceed to the next steps in learning ELK.

system · May 30, 2023, 6:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exiting: error loading config file: open filebeat.yml: permission denied Beats filebeat	2	3458	July 30, 2020
Volume mapped filebeat.yml permissions from Docker on Windows host Beats filebeat	4	15739	August 2, 2017
Filebeat configuration file permission Beats filebeat	2	1753	November 9, 2018
Custom filebeat docker image error Beats docker , filebeat	2	507	October 13, 2023
Nginx module is trying to parsing each log entry as access and error log Beats beats-module , filebeat	9	1852	September 9, 2019

Filebeat: permission denied

Related Topics