Logstash parsing only if run as root

rwagner · September 20, 2016, 5:09pm

Hi guys, my logstash parsing logs only if run as root.
Follow the video link showing the problem.

Logstash version:

yum list installed | grep logstash
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
logstash.noarch 1:2.4.0-1 @logstash-2.4

Logstash.conf:

 input {
  file {
    type => "ossec-alerts"
    path => "/var/ossec/logs/alerts/alerts.json"
    codec => "json"
    tags => ['alerts']
}
  tcp {
    port => "5007"
    tags => [ "teste" ]
  }

filter {
    date {
        match => ["timestamp", "YYYY MMM dd HH:mm:ss"]
        target => "@timestamp"
    }
    mutate {
      convert => [ "[geoip][location]", "float"]
      rename => [ "hostname", "AgentName" ]
      rename => [ "_index", "indice" ]
      rename => [ "geoip", "GeoLocation" ]
      rename => [ "file", "AlertsFile" ]
      rename => [ "agentip", "AgentIP" ]
      rename => [ "[rule][comment]", "[rule][description]" ]
      rename => [ "[rule][level]", "[rule][AlertLevel]" ]
      remove_field => [ "timestamp", "_score", "[decoder][parent]" ]
    }
}

output {

 elasticsearch {
  hosts => "127.0.0.1:9200"
  index => "ossec-%{+YYYY.MM.dd}"
 }
}

Anyone can help?

magnusbaeck · September 20, 2016, 5:19pm

Presumably the user that Logstash otherwise runs as doesn't have permissions to read /var/ossec/logs/alerts/alerts.json.

rwagner · September 20, 2016, 5:37pm

Hy magnus!

I had added Read permission to "others" but had not worked.

ls -la /var/ossec/logs/alerts/alerts.json
-rw-r--r-- 2 ossec ossec 174416 Set 20 14:31 /var/ossec/logs/alerts/alerts.json

Then I added the logstash user to the file server group and it worked.

Thanks for the light!

magnusbaeck · September 20, 2016, 5:40pm

The file itself must of course be readable to the logstash user but additionally all directories leading up to the file must be executable.