Running ELK Services as Root

I am utilizing the full ELK stack in Linux including beats and logstash. I have found a few posts online that recommend not running these services as root such as this discussion post.

I tried to find some more information on this topic in the documentation without any luck. I can't find anything about setting up a new user specifically for running these ELK services or why I would want to do that.

Can someone explain to me why running these services as root is a bad idea or provide a resource for learning more on this topic?

Should I set up special users for each service that I want to run? if so, how do I need to set up the permissions & ownership of the config files, data files, logging files, … etc. for this special user that will be running each service?

The idea of not running as root is to ensure the principle of the least privilege in case a software gets hacked or exploited, so that the user does not own the whole system. It's basically one of many security layers when running services. Elasticsearch for example will exit, if you try to run it as root.

Setting up dedicated users for each service is a good idea. This is a common practice when installing distribution packages like debian or RPM packets. Elasticsearch's packages are doing that as part of their installation routine as well.

1 Like