Filebeat: permission denied

y34rz3r0 · April 23, 2023, 9:05pm

Hi all! Need your help in solving the problem:

Unexpected file opening error: 
"Failed opening /mnt/var/log/auth.log: open /mnt/var/log/auth.log: permission denied"

My environment:

docker-compose
filebeat:8.7.0
user and group of auth.log is syslog:adm

What have I already tried:

command: ["--strict.perms=false"]
"$ chown root:root filebeat.yml" + "$ chmod 755 filebeat.yml"
change image to filebeat:8.6.0

stephenb · April 23, 2023, 10:01pm

What is the permission on

ls -la /mnt/var/log

Specifically, we want to know the permissions and mode on the auth.log file and the containing directory /mnt/var/log

This probably not going to help.

Filebeat is complaining that it can't read the log file not about its own configuration.

Filebeat is going to need to be able to read the file and if it's not in the same user and group then it's going to need to be 644 mode at the least.

Perhaps share your compose file... It's most likely the log mount does not have the correct permissions.

y34rz3r0 · April 24, 2023, 10:25pm

Thanks for your reply! Unfortunately, at the moment I can't see the permissions on /mnt/var/log/auth.log. I'll add this information a little later. As for my configuration, you can see everything here GitHub - y34r-z3r0/elastic: Learning and testing elk-stack features

y34rz3r0 · April 25, 2023, 10:54am

filebeat@filebeat:~$ ls -l /mnt/var/log/auth.log 
-rw-r----- 1 107 adm 55445 Apr 25 10:50 /mnt/var/log/auth.log

What is the best way to change the permissions for a file in a container?

stephenb · April 25, 2023, 12:29pm

Hi @y34rz3r0

This is more of a docker mount issue than filebeat issue.

Perhaps you should read a bit about permissions and volumes

If you think about it docker compose or filebeat can only read or access files that the user that's running it can.

Otherwise, it'd be a huge security hole to just be able to run a docker or filebeat and read any file that a user didn't have permission to read.

Here's an article that might help

y34rz3r0 · April 25, 2023, 4:23pm

Thank you! I'll take a look at the docs and post the solution as soon as I figure it out.

y34rz3r0 · May 2, 2023, 4:33pm

So, in this case, I decided to go the simplest way:

sudo chmod o+r /var/log/auth.log
(in the system, not in the container)

And it works

I don’t know how correct this option is in terms of interfering with the security of the system, but the main thing for me now is that I can proceed to the next steps in learning ELK.

system · May 30, 2023, 6:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exiting: error loading config file: open filebeat.yml: permission denied Beats filebeat	2	3473	July 30, 2020
Trying to start filebeat from container Beats docker , filebeat	6	4777	March 24, 2020
Filebeat.yml: permission denied while runing in docker Beats docker	3	1920	December 16, 2019
Filebeat output file permission Beats filebeat	4	753	October 12, 2020
Filebeat unable to access logs under “/var/lib/docker/containers” path due to "Permission Denied" issue Beats filebeat	1	887	June 25, 2020

Filebeat: permission denied

Related topics