Filebeat: permission denied

Hi all! Need your help in solving the problem:

Unexpected file opening error: 
"Failed opening /mnt/var/log/auth.log: open /mnt/var/log/auth.log: permission denied"

My environment:

  • docker-compose
  • filebeat:8.7.0
  • user and group of auth.log is syslog:adm

What have I already tried:

  • command: ["--strict.perms=false"]
  • "$ chown root:root filebeat.yml" + "$ chmod 755 filebeat.yml"
  • change image to filebeat:8.6.0

What is the permission on

ls -la /mnt/var/log

Specifically, we want to know the permissions and mode on the auth.log file and the containing directory /mnt/var/log

This is probably not going to help.

Filebeat is complaining that it can't read the log file, not about its own configuration.

Filebeat is going to need to be able to read the file and if it's not in the same user and group then it's going to need to be 644 mode at the least.

Perhaps share your compose file... It's most likely the log mount does not have the correct permissions.

Thanks for your reply! Unfortunately, at the moment I can't see the permissions on /mnt/var/log/auth.log. I'll add this information a little later. As for my configuration, you can see everything here GitHub - y34r-z3r0/elastic: Learning and testing elk-stack features

filebeat@filebeat:~$ ls -l /mnt/var/log/auth.log 
-rw-r----- 1 107 adm 55445 Apr 25 10:50 /mnt/var/log/auth.log

What is the best way to change the permissions for a file in a container?

Hi @y34rz3r0

This is more of a docker mount issue than a filebeat issue.

Perhaps you should read a bit about permissions and volumes

If you think about it, docker compose or filebeat can only read or access files that the user that's running it can.

Otherwise, it'd be a huge security hole to just be able to run a docker or filebeat and read any file that a user didn't have permission to read.

Here's an article that might help

Thank you! I'll take a look at the docs and post the solution as soon as I figure it out.

So, in this case, I decided to go the simplest way:

sudo chmod o+r /var/log/auth.log
(in the system, not in the container)

And it works :clinking_glasses:

I don't know how correct this option is in terms of interfering with the security of the system, but the main thing for me now is that I can proceed to the next steps in learning ELK.

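Added example (not part of any post in this thread): the owner/group/other check applied to the `ls -l` line posted above, showing why the read was denied, what `chmod o+r` changes, and how membership in the file's group compares. The directory line, the `filebeat` group set and the group-membership case are constructed assumptions; root, capabilities and ACLs are ignored.

```python
def check(ls_line, user, groups, want):
    """Apply the POSIX class rule to one `ls -l` line.

    Exactly one class is used: owner if the user owns the file, else group
    if any of the user's groups matches, else other. Returns (granted, class).
    """
    fields = ls_line.split()
    mode, owner, group = fields[0], fields[2], fields[3]
    cls = "owner" if user == owner else "group" if group in groups else "other"
    start = {"owner": 1, "group": 4, "other": 7}[cls]
    char = mode[start + "rwx".index(want)]
    # 's'/'t' in the x slot mean "x plus setuid/setgid/sticky"; 'S'/'T' mean no x.
    return char in ("xst" if want == "x" else want), cls


def can_read(dir_lines, file_line, user, groups):
    """Every directory on the path needs search (x); the file needs read (r).

    Returns (granted, class_that_decided, path_that_decided).
    """
    for line in dir_lines:
        ok, cls = check(line, user, groups, "x")
        if not ok:
            return False, cls, line.split()[-1]
    ok, cls = check(file_line, user, groups, "r")
    return ok, cls, file_line.split()[-1]


# Constructed directory entry; the thread never shows the real one.
DIRS = ["drwxrwxr-x 1 root 110 4096 Apr 25 10:50 /mnt/var/log"]
# The line posted in the thread, and the same file after `chmod o+r`.
AUTH_LOG = "-rw-r----- 1 107 adm 55445 Apr 25 10:50 /mnt/var/log/auth.log"
AUTH_LOG_O_R = "-rw-r--r-- 1 107 adm 55445 Apr 25 10:50 /mnt/var/log/auth.log"

if __name__ == "__main__":
    cases = [
        ("as posted", AUTH_LOG, {"filebeat"}),         # assumed group set
        ("after chmod o+r", AUTH_LOG_O_R, {"filebeat"}),
        ("process also in adm", AUTH_LOG, {"filebeat", "adm"}),  # assumption
    ]
    for label, line, groups in cases:
        print(label, can_read(DIRS, line, "filebeat", groups))
```

The second case succeeds through the "other" class, so every local account on the host can read auth.log as well; the third succeeds through the "group" class and leaves the file mode unchanged.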