I know how to set up a LaunchDaemon on OSX, or at least I've managed to get other services to run at startup. But when I try to run Logstash as root, and then restart the server, the Java service starts, runs for a couple of minutes and then dies. I think it's something to do with permissions on a file somewhere. It feels like maybe the log files don't have the correct permissions, but I've played with moving the program files around, to /usr/local/ maybe...?, and setting permissions, and I'm not having any luck. And anyway, that's just a guess on my part.
I downloaded the zip from Elastic, and followed all of the instructions to install it on OSX. And it does work when run as a logged-in user; it sends the data off as expected.
My problem is, I've got a couple of servers running OSX 10.12 at the moment. I'm running Logstash on them to grab various logs for Elasticsearch (which is running on an Ubuntu 14.04 box). The OSX servers will restart if we lose power, but as far as I know there is no way to automatically log in a user, which means that if the power goes down for long enough and the battery backup dies, the machine will restart but I'm not logged in, so Logstash will NOT restart until I notice the problem. That could take anywhere from a few hours to a few days.
This isn't a huge emergency, I suppose, but it annoys me. One, I don't like losing data, and two, I'd rather not have to leave a user logged in on a server just to keep the logging running. I do understand the uneasiness about running as 'root'. I just don't know what is generally accepted as "best practice" these days.
And last, but not least, I'd like to get osquery running on the OSX workstations (and maybe Metricbeat as well), and I'd like to have Logstash working everywhere before I attempt that.