Logstash parsing only if run as root

Hi guys, my logstash parsing logs only if run as root.
Follow the video link showing the problem.

Logstash version:

yum list installed | grep logstash
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
logstash.noarch 1:2.4.0-1 @logstash-2.4

Logstash.conf:

 input {
  file {
    type => "ossec-alerts"
    path => "/var/ossec/logs/alerts/alerts.json"
    codec => "json"
    tags => ['alerts']
}
  tcp {
    port => "5007"
    tags => [ "teste" ]
  }

filter {
    date {
        match => ["timestamp", "YYYY MMM dd HH:mm:ss"]
        target => "@timestamp"
    }
    mutate {
      convert => [ "[geoip][location]", "float"]
      rename => [ "hostname", "AgentName" ]
      rename => [ "_index", "indice" ]
      rename => [ "geoip", "GeoLocation" ]
      rename => [ "file", "AlertsFile" ]
      rename => [ "agentip", "AgentIP" ]
      rename => [ "[rule][comment]", "[rule][description]" ]
      rename => [ "[rule][level]", "[rule][AlertLevel]" ]
      remove_field => [ "timestamp", "_score", "[decoder][parent]" ]
    }
}

output {

 elasticsearch {
  hosts => "127.0.0.1:9200"
  index => "ossec-%{+YYYY.MM.dd}"
 }
}

Anyone can help?

Presumably the user that Logstash otherwise runs as doesn't have permissions to read /var/ossec/logs/alerts/alerts.json.

Hy magnus!

I had added Read permission to "others" but had not worked.

ls -la /var/ossec/logs/alerts/alerts.json
-rw-r--r-- 2 ossec ossec 174416 Set 20 14:31 /var/ossec/logs/alerts/alerts.json

Then I added the logstash user to the file server group and it worked.

Thanks for the light!

The file itself must of course be readable to the logstash user but additionally all directories leading up to the file must be executable.