I am running Logstash as a service, but it doesn't collect the logs.
But when I run the binary (bin/logstash -f test.conf) I collect the logs. And in the two cases I am using the same .conf file.
In other posts it is said I need to give Logstash permissions, but I've been unable to identify what files/folders have to be granted permission.
Could someone point that out? Thanks in advance!
Assuming you're using the standard installation directories the user that Logstash runs as should have read/write access to /var/lib/logstash and /var/log/logstash. That's all it takes for Logstash to run properly, but obviously if you've configured it to read additional log files the same user needs read access to those too.
So, I had to put this aside for the last two weeks, but yesterday I came back to it and now it is working. All I had to do was add Logstash to the adm group, as follows:
sudo usermod -a -G adm logstash
And then restart it
sudo service logstash restart
I am a newbie so I'm not sure if logstash should be automatically added to the adm group at installation or be granted permissions that would allow it to read the logs.
In my case, all I wanted was to read apache logs. My input configuration was correct but wasn't working:
path => '/var/log/apache2/*'
exclude => "*.gz"
start_position => "beginning"
sincedb_path => "/dev/null"
type => "apache-access"
Maybe this problem is related to this bug, which would be strange, since I am using version 2.3 and the bug was fixed in version 1.5.
Anyway, here it is. I did it this way, but I don't know if it is a good practice to add Logstash to the adm group. If someone has a better solution, please let me know so I can see how it works.
Adding Logstash to the adm group is typical to gain access to the log files.
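To see which file or directory actually denies the logstash user, and so why adding it to a group fixes the problem, the following is an added example that is not part of the original thread. The function names `perm_bits` and `first_blocker` are hypothetical, and the script assumes a `stat` that supports `-c` and evaluates only the classic owner/group/other mode bits (no ACLs).

```shell
#!/bin/sh
# Added example (not from the thread). Classic mode bits only: no ACLs, and
# root's bypass is ignored. Requires a stat that supports -c (GNU/BusyBox).

# perm_bits USER "GROUP LIST" PATH -> prints the rwx digit (0-7) that applies.
perm_bits() {
    pb_user=$1 pb_groups=$2
    pb_info=$(stat -c '%a %U %G' "$3") || return 2
    set -- $pb_info                      # $1=octal mode $2=owner $3=group
    pb_mode=$((0$1))
    if [ "$pb_user" = "$2" ]; then
        echo $(( (pb_mode >> 6) & 7 ))   # owner class wins, even if stricter
    else
        case " $pb_groups " in
            *" $3 "*) echo $(( (pb_mode >> 3) & 7 )) ;;
            *)        echo $(( pb_mode & 7 )) ;;
        esac
    fi
}

# first_blocker USER "GROUP LIST" FILE [START]
# Walks FILE's components below START (default /). Directories need search
# (x), the file needs read (r). Prints the first component that denies access
# and returns 1; returns 0 when the whole chain is readable.
first_blocker() {
    fb_user=$1 fb_groups=$2 fb_file=$3 fb_cur=${4:-}
    fb_ifs=$IFS; IFS=/
    set -- ${fb_file#"$fb_cur"}          # split the remaining path on "/"
    IFS=$fb_ifs
    for fb_part in "$@"; do
        [ -n "$fb_part" ] || continue
        fb_cur="$fb_cur/$fb_part"
        if [ -d "$fb_cur" ]; then fb_need=1; else fb_need=4; fi
        fb_bits=$(perm_bits "$fb_user" "$fb_groups" "$fb_cur") || return 2
        if [ $(( fb_bits & fb_need )) -eq 0 ]; then
            echo "$fb_cur"
            return 1
        fi
    done
    return 0
}

# Run as root so every component can be stat'ed, e.g.:
#   sh check.sh /var/log/apache2/access.log
if [ $# -eq 1 ]; then
    first_blocker logstash "$(id -Gn logstash)" "$1" && echo "readable"
fi
```

A wildcard path such as /var/log/apache2/* also needs read permission on the directory itself so the files can be listed. Group changes made with usermod only take effect once the service has been restarted.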