Running ELK Services as Root

6igwig · July 14, 2021, 1:58pm

I am utilizing the full ELK stack in Linux including beats and logstash. I have found a few posts online that recommend not running these services as root such as this discussion post.

I tried to find some more information on this topic in the documentation without any luck. I can't find anything about setting up a new user specifically for running these ELK services or why I would want to do that.

Can someone explain to me why running these services as root is a bad idea or provide a resource for learning more on this topic?

Should I set up special users for each service that I want to run? if so, how do I need to set up the permissions & ownership of the config files, data files, logging files, … etc. for this special user that will be running each service?

spinscale · July 15, 2021, 12:38pm

The idea of not running as root is to ensure the principle of the least privilege in case a software gets hacked or exploited, so that the user does not own the whole system. It's basically one of many security layers when running services. Elasticsearch for example will exit, if you try to run it as root.

Setting up dedicated users for each service is a good idea. This is a common practice when installing distribution packages like debian or RPM packets. Elasticsearch's packages are doing that as part of their installation routine as well.

Topic		Replies	Views
Can not run elasticsearch as root for elasticsearch 7.6.0 in linux Elasticsearch	5	1772	April 6, 2020
Why is it ElasticSearch is not allowed to run as root Elasticsearch	10	26738	July 5, 2017
Installation procedure of ES Elasticsearch	2	364	July 6, 2017
Elasticsearch Linux User Elasticsearch	6	1006	August 27, 2022
Elasticsearch 7.17.6 can't be started as root Elasticsearch	5	315	September 10, 2024

Running ELK Services as Root

Related topics