Running journalbeat as non-privileged user

Hi all - I am sharing this for anyone else interested in running journalbeat as a non-root user. I'm grateful for the attention to security of the Elasticsearch team, but I think the SolarWinds compromise is making us all a bit jumpy :).

I'm running journalbeat via the apt package and systemd.

  1. Create a journalbeat user: adduser --system --home /var/lib/journalbeat/ journalbeat
  2. Create a systemd journalbeat service override directory: mkdir /etc/systemd/system/journalbeat.service.d
  3. Add a systemd override file to run the service as the journalbeat user with group perms allowing it to read the journal logs: printf "[Service]\nUser=journalbeat\nGroup=systemd-journal\n" > /etc/systemd/system/journalbeat.service.d/user.conf
  4. Reload systemd to read the new file: systemctl daemon-reload
  5. Make your journalbeat config file readable by all users so the journalbeat user can read it: chmod 644 /etc/journalbeat/journalbeat.yml (I'm assuming your passwords are in your keystore so there is nothing sensitive about this file)
  6. Stop journalbeat service: systemctl stop journalbeat
  7. Change ownership of all files in /var/lib/journalbeat: chown -R journalbeat /var/lib/journalbeat
  8. Start journalbeat: systemctl start journalbeat

I'm also wondering if there is a reason the apt package runs as root instead of taking these steps to run as a non-privileged user?
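The eight steps above as one idempotent script, added here as an example and not part of the original post or of the journalbeat package. It assumes the Debian/Ubuntu layout the apt package installs (/etc/journalbeat/journalbeat.yml, /var/lib/journalbeat, a journalbeat.service unit, the systemd-journal group) and that the packaged unit writes its own logs to /var/log/journalbeat; those paths are assumptions and can be overridden by environment variable. It deviates from the post in two places, both marked in the code: the user is created with its own group so the config can be made readable by root and the service user only (mode 640) instead of world-readable (644), and it refuses to relax the config's permissions if inline credentials are found, which is the step-5 assumption made explicit.

```shell
#!/bin/sh
# Added example: run journalbeat as a non-root service user via a systemd drop-in.
# Usage: sh run-journalbeat-unprivileged.sh apply   (as root)
set -eu

JB_USER="${JB_USER:-journalbeat}"                        # assumption: service user name
JB_HOME="${JB_HOME:-/var/lib/journalbeat}"               # assumption: Debian data path (holds the keystore too)
JB_LOGS="${JB_LOGS:-/var/log/journalbeat}"               # assumption: --path.logs used by the packaged unit
JB_CONF="${JB_CONF:-/etc/journalbeat/journalbeat.yml}"   # assumption: Debian config path
OVERRIDE_DIR="${OVERRIDE_DIR:-/etc/systemd/system/journalbeat.service.d}"

# Steps 3: render the drop-in. Only User/Group are overridden, so the packaged
# unit's ExecStart and paths stay as shipped. Kept as a function so the text can
# be checked before anything under /etc is touched.
render_override() {
    printf '[Service]\nUser=%s\nGroup=systemd-journal\n' "$1"
}

# Step 5 precondition: refuse to widen permissions on a config that still carries
# inline secrets. Matches the common Beats keys for credentials at any indent.
config_looks_safe() {
    ! grep -Eq '^[[:space:]]*(password|api_key|ssl\.key_passphrase)[[:space:]]*:' "$1"
}

# Report the user the running service has, so the change can be verified (step 8).
running_as() {
    pid=$(systemctl show -p MainPID --value journalbeat)
    [ "$pid" -gt 0 ] && ps -o user= -p "$pid"
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }

    # Step 1. Deviation from the post: --group gives the user a private group,
    # used below to scope the config file to root + service user.
    id "$JB_USER" >/dev/null 2>&1 || \
        adduser --system --group --home "$JB_HOME" "$JB_USER"

    # Steps 2-4. Drop-in directory, override file, reload.
    mkdir -p "$OVERRIDE_DIR"
    render_override "$JB_USER" > "$OVERRIDE_DIR/user.conf"
    systemctl daemon-reload

    # Step 5. Deviation from the post: 640 root:journalbeat instead of 644, and
    # bail out if credentials are inline rather than in the keystore.
    config_looks_safe "$JB_CONF" || {
        echo "inline credentials found in $JB_CONF; move them to the keystore first" >&2
        return 1
    }
    chown root:"$JB_USER" "$JB_CONF"
    chmod 640 "$JB_CONF"

    # Steps 6-8. Stop, hand over state (registry, keystore) and log dirs, start.
    systemctl stop journalbeat
    chown -R "$JB_USER":"$JB_USER" "$JB_HOME"
    [ -d "$JB_LOGS" ] && chown -R "$JB_USER":"$JB_USER" "$JB_LOGS"
    systemctl start journalbeat

    echo "journalbeat now running as: $(running_as)"
}

case "${1:-}" in
    apply) apply ;;
esac
```

Because the keystore lives under the data path, the recursive chown in the last block is what lets the unprivileged process open it; if the keystore is created later (journalbeat keystore create run as root), it will need the same chown before the next restart.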

