Logstash 6.2 as root on OSX 10.12

Is it possible to run Logstash 6.2 as root on OSX 10.12? If it is, can somebody walk me through that process?

I can run it successfully as a User, when that User is logged in. But I can't figure out how to install it as root, so that I don't need to stay logged in. (I'm using LingonX to handle my startup scripts.)

I've got a working Elasticsearch-Logstash-Kibana setup, on a mixed OSX/Ubuntu 14.04 network. I just updated to 6.2 today. I just started playing with Metricbeat, since Kibana tempted me as soon as I updated. Cool stuff, I'd like to put it on the Production server. But I'm having the same problem, I can't figure out how to run it as root. Next on my ToDo list is osquery, but I'd really like to figure this out first, before I start installing even more stuff on a dozen OSX boxes.

How to set up Logstash to run as a daemon on Mac OS X is really more of an OS X question.

I doubt Logstash has any problems running as root (but it's not recommended).

I know how to set up a LaunchDaemon on OSX, or at least I've managed to get other services to run at startup. But when I try to run Logstash as root, and then restart the server, the java service starts, runs for a couple minutes and then dies. I think it's something to do with permissions on a file somewhere. It feels like maybe the log files don't have the correct permissions, but I've played with moving the program files around, to /usr/local/ maybe...?, and setting permissions, and I'm not having any luck. And anyway, that's just a guess on my part.

I downloaded the zip from Elastic, and followed all of the instructions to install it on OSX. And it does work when run as a logged-in user, it sends the data off as expected.

My problem is, I've got a couple of servers running OSX 10.12 at the moment. I'm running Logstash on them to grab various logs for Elasticsearch (which is running on an Ubuntu 14.04 box). The OSX servers will restart if we lose power, but as far as I know there is no way to automatically log in a User. Which means that if the power goes down for long enough and the battery backup dies, the machine will restart but I'm not logged in, so Logstash will NOT restart until I notice the problem. That could take anywhere from a few hours to a few days.

This isn't a huge emergency, I suppose, but it annoys me. One, I don't like losing data and Two, I'd rather not have to leave a user logged in on a Server, just to keep the logging running. I do understand the uneasiness about running as 'root'. I just don't know what is generally accepted as "best practice" these days.

And last, but not least, I'd like to get osquery running on the OSX workstations (and maybe Metricbeat as well), and I'd like to have Logstash working everywhere before I attempt that.

Are there any clues in the Logstash log when it shuts down?

Not that I've noticed. I can try it again tomorrow and see if it shows anything at all.
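
A LaunchDaemon definition for the setup discussed in this thread, as an added example that is not from any of the posters or from Elastic: it starts Logstash at boot without a login session and runs it as a dedicated unprivileged account instead of root. The `_logstash` account, the `local.logstash` label, the pipeline file name and all `/usr/local/...` paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Hypothetical label; must be unique among loaded jobs. -->
    <key>Label</key>
    <string>local.logstash</string>

    <!-- Jobs in /Library/LaunchDaemons start at boot, before any login.
         UserName makes launchd switch from root to this account first.
         _logstash is an assumed service account created beforehand. -->
    <key>UserName</key>
    <string>_logstash</string>
    <key>GroupName</key>
    <string>_logstash</string>

    <!-- Assumed location of the unpacked Logstash zip. Data and log
         directories are passed explicitly so they do not default to
         directories inside the install tree owned by another user. -->
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/logstash/bin/logstash</string>
        <string>--path.settings</string>
        <string>/usr/local/logstash/config</string>
        <string>-f</string>
        <string>/usr/local/logstash/config/logstash.conf</string>
        <string>--path.data</string>
        <string>/usr/local/var/lib/logstash</string>
        <string>--path.logs</string>
        <string>/usr/local/var/log/logstash</string>
    </array>

    <!-- launchd does not read a login shell profile, so the search path
         used to locate java is set here. -->
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>

    <!-- Start at load and restart if the process exits. -->
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>

    <!-- Captures JVM and startup errors written to stderr. -->
    <key>StandardErrorPath</key>
    <string>/usr/local/var/log/logstash/launchd-stderr.log</string>
</dict>
</plist>
```

The plist itself belongs in `/Library/LaunchDaemons` owned by root and not writable by anyone else, while the data and log directories must be writable by the assumed `_logstash` account. If the process still exits after a few minutes, the stderr file is the first place to look for a permissions error.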
