Logstash.conf.save permission denied

shookshank · March 1, 2017, 2:53pm

Full Error Message:

{:timestamp=>"2017-03-01T09:05:28.458000-0500", :message=>"The error reported is: \n  Permission denied - /etc/logstash/conf.d/logstash.conf.save"}

Config Contents:

logstash.conf:

input { syslog { port=>514} }
output { elasticsearch { host => localhost } }

logstash.conf.save:

input
{
 syslog
 {
  port => 514
  type => snort
 }
}

 filter {
 if [type] == "snort" {
  grok {
    match => [
      "message", "%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\]\s+\[%{INT:ids_gid}\:%{INT:ids_sid}\:%{INT:ids_rev}\]\s+%{D$
    ]
  }
}
geoip {
  source => "[src_ip]"
  target => "SrcGeo"
}
geoip {
  source => "[dst_ip]"
  target => "DstGeo"
}
    if [priority] == "1" {
  mutate {
    add_field => { "severity" => "High" }
  }
}
if [priority] == "2" {
  mutate {
    add_field => { "severity" => "Medium" }
  }
}
if [priority] == "3" {
  mutate {
    add_field => { "severity" => "Low" }
  }
}
if [ids_proto] {
  if [ids_proto] =~ /^GPL/ {
    mutate {
      add_tag => [ "Snort-ET-sig" ]
      add_field => [ "ids_rule_type", "Emerging Threats" ]
    }
  }
  if [ids_proto] =~ /^ET/ {
    mutate {
      add_tag => [ "Snort-ET-sig" ]
      add_field => [ "ids_rule_type", "Emerging Threats" ]
    }
  }
  if "Snort-ET-sig" not in [tags] {
    mutate {
      add_tag => [ "Snort-sig" ]
      add_field => [ "ids_rule_type", "Snort" ]
    }
  }
}
if "Snort-sig" in [tags] {
  if [ids_gid] == "1" {
    mutate {
      add_field => [ "Signature_Info", "http://rootedyour/.com/snortsid?sid=%{ids_sid}" ]
    }
  }
  if [ids_gid] != "1" {
    mutate {
      add_field => [ "Signature_Info", "http://rootedyour/.com/snortsid?sid=%{ids_sid}" ]
    }
  }
  if [ids_gid] != "1" {
    mutate {
      add_field => [ "Signature_Info", "http://rootedyour.com/snortsid?sid=%{ids_gid}-%{ids_sid}" ]
    }
  }
}
if "Snort-ET-sig" in [tags] {
  mutate {
    add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{ids_sid}" ]
  }
}
  }

output
{
 elasticsearch
 {
  host => localhost
 }
}

beats me why I have two configuration files as I only want the first basic one for testing. when i start the logstash service it runs for about 10 seconds before throwing the permsions error on the .save config file. Any information regarding this would be appreciated.

alexkru · March 1, 2017, 3:07pm

Try to check logstash.conf.save file permissions, the logstash user (or any other user that is running the logstash process) might not have permissions on this file if you created it as root or something else.

system · March 29, 2017, 3:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash can't read files ( Permission denied ) Logstash	6	23804	July 6, 2017
Permission denied in logstash? Logstash	3	2458	February 9, 2017
Logstash - File output error - permission denied Logstash	8	9567	April 29, 2019
Logstash exposure on port 12201 (gelf) permission denied Logstash	1	1082	October 17, 2019
Permission Denied Issue using Logstash Logstash	3	620	December 6, 2018

Logstash.conf.save permission denied

Related topics