I am running logstash as a service by modifying /etc/systemd/system/logstash.service with:
ExecStart=/usr/share/logstash/bin/logstash -f /usr/share/logstash/config/logstash.conf --config.reload.automatic
Nothing is being read from the log /var/log/audit/audit.log
But if I run the same command myself in a terminal:
sudo /usr/share/logstash/bin/logstash -f /usr/share/logstash/config/logstash.conf --config.reload.automatic
It works fine? This is not ideal; I need it running as a service with my custom config file.
Rios
July 25, 2024, 10:14am
In your case, LS as a service is run under the logstash user, which in most cases means it doesn't have the right to read /var/log/audit/audit.log.
When you run it as a command, it runs as the root user. So for that particular case you can start the LS service as root or try to use Auditbeat.
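To make the diagnosis above repeatable, here is an added example (not code from the thread or from Logstash) that checks whether a given service account can read a given log file under classic Unix owner/group/other permission rules, the same check the kernel applies when the service calls open() on the file. The usernames, uids and the assumption that audit.log is root:root with mode 0600 are constructed for the demonstration; ACLs and MAC systems such as SELinux are not modelled, so a "readable" result here is necessary but not sufficient.

```python
import grp
import os
import pwd
import stat


def can_read(mode, file_uid, file_gid, uid, gid, supp_gids=()):
    """Classic DAC read check: owner bits if the uid matches, otherwise group
    bits if the file's group is the primary or a supplementary group, otherwise
    the 'other' bits. uid 0 bypasses DAC entirely (CAP_DAC_READ_SEARCH)."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid == gid or file_gid in supp_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def supplementary_gids(username):
    """Groups the account belongs to besides its primary group."""
    return [g.gr_gid for g in grp.getgrall() if username in g.gr_mem]


def user_can_read_path(path, username):
    """Resolve a real account and stat a real path, then apply can_read().
    Raises KeyError if the account does not exist, FileNotFoundError if the
    path does not."""
    pw = pwd.getpwnam(username)
    st = os.stat(path)
    return can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    pw.pw_uid, pw.pw_gid, supplementary_gids(username))


def explain(mode, file_uid, file_gid, uid, gid, supp_gids=()):
    """Human-readable verdict for a constructed or real permission tuple."""
    ok = can_read(mode, file_uid, file_gid, uid, gid, supp_gids)
    return "uid %d %s read a %s file owned by %d:%d" % (
        uid, "CAN" if ok else "CANNOT", oct(mode), file_uid, file_gid)


if __name__ == "__main__":
    # Constructed scenario from the thread: audit.log is assumed to be
    # root:root with mode 0600; the service runs as a hypothetical
    # 'logstash' account with uid/gid 1001.
    print(explain(0o600, 0, 0, 1001, 1001))   # service user: CANNOT
    print(explain(0o600, 0, 0, 0, 0))         # interactive sudo run: CAN
    # Try the live check against a real path/account if both exist here.
    try:
        print("live:", user_can_read_path("/var/log/audit/audit.log", "logstash"))
    except (KeyError, FileNotFoundError) as e:
        print("live check skipped:", e)
```

Run it on the host where the service fails; if the live check prints False for the logstash account, the permission explanation given in the answer applies. Running the unit as root (for example via `systemctl edit logstash.service` with a `User=root` override) is the option named above; a narrower alternative is to grant the logstash account read access to the file (group membership or an ACL) so the service keeps running unprivileged.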
Oh I’m so dumb, I literally just noticed it sets the user to logstash in the config.
Thanks for the fast response. That actually would help with other logs it reads, where I change the owner to logstash instead of root.