I recently set up Logstash with Kibana and Elasticsearch, but am having a problem whereby it's not reading logs unless the directory permissions are world read/execute (and the files at least world read).
I've installed version 1.4.2 from the RPM, which runs as the logstash user. I've made sure the logstash user is a member of the groups relating to logs it needs to read, e.g. "apache".
[root@rhel-00081 conf]# id logstash
uid=497(logstash) gid=497(logstash) groups=48(apache),10081(nexus),27666(spark),497(logstash)
The default permission on /var/log/http is drwxr-x--- root apache, yet Logstash will not process the logs until I change this to drwxr-xr-x.
Any idea why this is?
Best Answer
Ok, I have discovered the problem. The init script supplied in the RPM starts logstash as follows:
But when running under the chroot command, all secondary group membership is removed unless you supply the --groups option. You can see this if you run:
Therefore the apache logs are unreadable...
The chroot line in the init script needs to be preceded with something like:
and then modify the beginning of the chroot line:
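As an added illustration of the group-dropping behaviour described in the answer (this is example code written for this page, not the init script's own lines, which are not reproduced here), the script below builds the comma-separated list that GNU chroot's --groups option expects from the user's supplementary groups and wraps the chroot call so that list is passed in. The variable names LS_USER, LS_GROUP and LS_GROUPS and the function names are assumptions of this example; the group list "logstash apache nexus spark" used as a fallback is constructed from the id output in the question.

```shell
#!/bin/sh
# Added example: preserve supplementary groups across chroot --userspec.
# Background: chroot --userspec=USER:GROUP sets only the primary group, so a
# user's secondary memberships (e.g. apache) are dropped unless --groups is given.

# Convert the space-separated output of `id -Gn USER` into the comma-separated
# form that GNU coreutils chroot accepts for --groups.
groups_to_csv() {
    printf '%s' "$1" | tr -s ' ' ','
}

# Build the --groups value for a user. If the account does not exist on this
# machine, fall back to a constructed sample membership taken from the question.
supplementary_groups_for() {
    user="$1"
    if id "$user" >/dev/null 2>&1; then
        groups_to_csv "$(id -Gn "$user")"
    else
        groups_to_csv "logstash apache nexus spark"   # constructed sample
    fi
}

# Run a command under chroot as LS_USER:LS_GROUP with secondary groups kept.
# Must be run as root; LS_USER/LS_GROUP/LS_GROUPS are this example's own names.
run_chrooted_with_groups() {
    LS_USER="$1"; LS_GROUP="$2"; shift 2
    LS_GROUPS="$(supplementary_groups_for "$LS_USER")"
    chroot --userspec="$LS_USER:$LS_GROUP" --groups="$LS_GROUPS" / "$@"
}

# Show the difference the answer describes: the same `id -Gn` under chroot,
# first without --groups (secondary groups gone) and then with them restored.
show_group_drop() {
    user="$1"
    echo "without --groups:"
    chroot --userspec="$user:$user" / id -Gn
    echo "with --groups:"
    run_chrooted_with_groups "$user" "$user" id -Gn
}

# Only attempt the live demonstration when running as root and the account exists.
if [ "$(id -u)" -eq 0 ] && id logstash >/dev/null 2>&1; then
    show_group_drop logstash
fi
```

Usage: run the script as root on a host where the logstash account exists and compare the two `id -Gn` lines; the second should list apache again, matching the fix of passing --groups on the chroot line.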