Logstash.conf.save permission denied

Full Error Message:

{:timestamp=>"2017-03-01T09:05:28.458000-0500", :message=>"The error reported is: \n  Permission denied - /etc/logstash/conf.d/logstash.conf.save"}

Config Contents:

logstash.conf:

# Minimal test pipeline: receive syslog on port 514 and index everything into a local Elasticsearch.
# NOTE(review): 514 is a privileged port; the user the Logstash service runs as needs to be allowed to
# bind it (e.g. CAP_NET_BIND_SERVICE) — confirm how the service is started rather than running it as root.
input { syslog { port=>514} }
# NOTE(review): `host` is the old single-node option; later elasticsearch output versions use `hosts` —
# verify against the installed plugin version.
output { elasticsearch { host => localhost } }

logstash.conf.save:

# Syslog receiver for Snort alerts. `type => snort` is what the filter section's
# `if [type] == "snort"` conditional keys on, so only events from this input are grok-parsed.
# NOTE(review): syslog is unauthenticated and port 514 is privileged — confirm the service user
# can bind it and that the listener is reachable only from the sensor hosts.
input
{
 syslog
 {
  port => 514
  type => snort
 }
}

 filter {
 # Parse Snort fast-alert lines (timestamp, "[**]", "[gid:sid:rev]", ...) into ids_* fields.
 # The pattern is cut off at "%{D$" in this paste (terminal wrap), so the fields it extracts
 # beyond ids_rev — presumably priority, ids_proto, src_ip, dst_ip — are not visible here; confirm against the real file.
 if [type] == "snort" {
  grok {
    match => [
      "message", "%{MONTHNUM:month}\/%{MONTHDAY:day}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}\s+\[\*\*\]\s+\[%{INT:ids_gid}\:%{INT:ids_sid}\:%{INT:ids_rev}\]\s+%{D$
    ]
  }
 }
 # The brace above closes the type check: everything from here to the end of the filter block
 # runs for every event, not just Snort ones. Wrap it in the same conditional if that is not intended.
 # GeoIP enrichment on the parsed endpoint addresses (fields expected to come from the grok above).
geoip {
  source => "[src_ip]"
  target => "SrcGeo"
}
geoip {
  source => "[dst_ip]"
  target => "DstGeo"
}
 # Map Snort priority (a string as captured by grok) to a human-readable severity.
    if [priority] == "1" {
  mutate {
    add_field => { "severity" => "High" }
  }
}
if [priority] == "2" {
  mutate {
    add_field => { "severity" => "Medium" }
  }
}
if [priority] == "3" {
  mutate {
    add_field => { "severity" => "Low" }
  }
}
 # Classify the rule source: GPL/ET prefixes are Emerging Threats rules, anything else is a stock Snort rule.
if [ids_proto] {
  if [ids_proto] =~ /^GPL/ {
    mutate {
      add_tag => [ "Snort-ET-sig" ]
      add_field => [ "ids_rule_type", "Emerging Threats" ]
    }
  }
  if [ids_proto] =~ /^ET/ {
    mutate {
      add_tag => [ "Snort-ET-sig" ]
      add_field => [ "ids_rule_type", "Emerging Threats" ]
    }
  }
  if "Snort-ET-sig" not in [tags] {
    mutate {
      add_tag => [ "Snort-sig" ]
      add_field => [ "ids_rule_type", "Snort" ]
    }
  }
}
 # Build a lookup link for the signature. NOTE(review): the `[ids_gid] != "1"` branch appears twice,
 # so non-gid-1 events get Signature_Info added two times (add_field on an existing field appends a
 # second value); the first two URLs also read "rootedyour/.com" while the third reads "rootedyour.com" —
 # likely a typo. The URL embeds ids_sid/ids_gid taken from the untrusted alert text as-is.
if "Snort-sig" in [tags] {
  if [ids_gid] == "1" {
    mutate {
      add_field => [ "Signature_Info", "http://rootedyour/.com/snortsid?sid=%{ids_sid}" ]
    }
  }
  if [ids_gid] != "1" {
    mutate {
      add_field => [ "Signature_Info", "http://rootedyour/.com/snortsid?sid=%{ids_sid}" ]
    }
  }
  if [ids_gid] != "1" {
    mutate {
      add_field => [ "Signature_Info", "http://rootedyour.com/snortsid?sid=%{ids_gid}-%{ids_sid}" ]
    }
  }
}
if "Snort-ET-sig" in [tags] {
  mutate {
    add_field => [ "Signature_Info", "http://doc.emergingthreats.net/bin/view/Main/%{ids_sid}" ]
  }
}
  }

# Index every event into the local Elasticsearch node.
# NOTE(review): `host` is the old single-node option; later elasticsearch output versions use `hosts` —
# verify against the installed plugin version.
output
{
 elasticsearch
 {
  host => localhost
 }
}

Beats me why I have two configuration files, as I only want the first basic one for testing. When I start the Logstash service it runs for about 10 seconds before throwing the permissions error on the .save config file. Any information regarding this would be appreciated.

Check the permissions on logstash.conf.save: the logstash user (or whichever user runs the Logstash process) may not be able to read it if it was created as root or by another user. Logstash loads every file in the conf.d directory, which is why the .save file is being picked up alongside logstash.conf.
