Logstash: fixing permission denied errors

If you set up logstash to monitor /var/log, you may get errors like this:

{:timestamp=>"2015-12-21T17:21:42.809000+0000", :message=>"failed to open /var/log/auth.log: Permission denied - /var/log/auth.log", :level=>:warn}
{:timestamp=>"2015-12-21T17:21:42.828000+0000", :message=>"failed to open /var/log/kern.log: Permission denied - /var/log/kern.log", :level=>:warn}

Fortunately this is easy to fix: by default logstash creates its own user and group, and you can add its user to the group that owns these log files:

sudo usermod -a -G adm logstash 
sudo service logstash restart
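
To confirm which group actually owns the files before running usermod, this added example (not from the original post) extracts the denied paths from warnings like those above and reports each file's owning group and whether that group has read permission. The function names are this example's own, and /path/to/logstash.log is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are this example's own.

# The two warnings shown above, embedded as sample input.
sample_log() {
cat <<'EOF'
{:timestamp=>"2015-12-21T17:21:42.809000+0000", :message=>"failed to open /var/log/auth.log: Permission denied - /var/log/auth.log", :level=>:warn}
{:timestamp=>"2015-12-21T17:21:42.828000+0000", :message=>"failed to open /var/log/kern.log: Permission denied - /var/log/kern.log", :level=>:warn}
EOF
}

# Print each unique path from "failed to open <path>: Permission denied" on stdin.
denied_paths() {
    sed -n 's/.*failed to open \([^:]*\): Permission denied.*/\1/p' | sort -u
}

# Print the group that owns a file (4th field of ls -ld).
owning_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Succeed if the group-read bit is set (5th character of the mode string).
group_readable() {
    [ "$(ls -ld "$1" | cut -c5)" = "r" ]
}

# Succeed if user $1 is a member of group $2.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# For each denied path on stdin, report what user $1 needs in order to read it.
check_denied() {
    user=$1
    denied_paths | while IFS= read -r f; do
        if [ ! -e "$f" ]; then echo "$f: not found"; continue; fi
        g=$(owning_group "$f")
        if ! group_readable "$f"; then
            echo "$f: group $g has no read bit; group membership will not help"
        elif user_in_group "$user" "$g"; then
            echo "$f: $user is already in $g; restart the service to pick it up"
        else
            echo "$f: add $user to group $g"
        fi
    done
}

# On a real host: check_denied logstash < /path/to/logstash.log  (placeholder path)
sample_log | denied_paths
```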
