Logstash(5.4.3) fails to transfer logs even when logstash starts as a service

Hi Everyone,

In my scenario, I installed Logstash using yum. The Logstash version is 5.4.3. I am sending /var/log/messages to a file (output.txt) which is present on the same system.
Operating System - CentOS

Below is the logstash.conf file which is present in the path (/etc/logstash/conf.d/logstash.conf)
input {
  file {
    path => "/var/log/messages"
    start_position => "beginning"
    ignore_older => 0
  }
}
output {
  file {
    path => "/root/output.txt"
  }
}

When I start Logstash as a service using the command #systemctl restart logstash.service, the service gets started but the logs are not transferred to the output.txt file.
Opening /var/log/logstash/logstash-plain.log, I found that it says "permission error":

[2018-05-01T11:59:13,922][WARN ][logstash.runner ] SIGTERM received. Shutting down the agent.
[2018-05-01T11:59:13,928][WARN ][logstash.agent ] stopping pipeline {:id=>"main"}
[2018-05-01T11:59:44,665][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>125}
[2018-05-01T11:59:44,916][WARN ][logstash.inputs.file ] failed to open /var/log/messages: Permission denied - /var/log/messages
[2018-05-01T11:59:44,944][INFO ][logstash.pipeline ] Pipeline main started
[2018-05-01T11:59:45,013][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-05-01T12:04:45,298][WARN ][logstash.inputs.file ] failed to open /var/log/messages: Permission denied - /var/log/messages
[2018-05-01T12:09:46,658][WARN ][logstash.inputs.file ] failed to open /var/log/messages: Permission denied - /var/log/messages
[2018-05-01T12:14:47,998][WARN ][logstash.inputs.file ] failed to open /var/log/messages: Permission denied - /var/log/messages

Please help me to solve this issue.

Thanks
Nikhil Kapoor

The user that Logstash runs as ("logstash", probably) obviously doesn't have permissions to read /var/log/messages. What are the permissions of that file? For completeness, the permissions of /var and /var/log should also be considered.

Thanks for the reply @magnusbaeck

Changed a few things in the /etc/systemd/system/logstash.service file
User=logstash
Group=logstash

to

User=root
Group=root

Used the command #systemctl daemon-reload and then restarted the logstash service.
It worked.

What are the permissions of that file?
-rw-------. 1 root root 161545 May 1 13:04 messages

Thanks
Nikhil Kapoor
