#logstash

adm:x:4:ubuntu,logstash

if you see it in the group I'd try a su logstash and then actually browse to that folder and verify it can open files

yeah, what shimmyt said :)

shimmyt: yep, logstash user can read files

the process is definitiely running with user "logstash" which is definitely in the adm group

reboot?

wouldn't hurt

Is there a way to re-download the logstash book?

reboot = no difference

hmmm

and you can read it with the logstash user

shimmyt: i can

shimmyt: http://d.pr/i/rkwz its running as logstash

Title: Droplr Screenshot on 2013-07-31 at 12.50.43.png (at d.pr)

and logstash can read it

but, when I restart, it fills up the logs with "nope, cant read this"

savant: help :(

hi

whats up

philsturgeon: try setfacl, and getfacl =) that works for me

philsturgeon: after you take a look at rap424's options also check this out: http://comments.gmane.org/gmane.comp.sysutils.l...

Title: logstash-users () (at comments.gmane.org)

savant: logstash is part of the adm group, and the files are adm only, but when i run the logstash agent it puts warnings in the logs saying it cant read em

adm:adm?

philsturgeon: what are the permissions on the parent directory?

savant: the syslog is -rw-r----- 1 syslog adm

sagarv: some others are www-data adm

rap424: /var/log is drwxr-xr-x 17 root root 4.0K Jul 31 16:44 .

rap424: getfacl looks right http://d.pr/i/DmE7

Title: Droplr Screenshot on 2013-07-31 at 13.01.49.png (at d.pr)

so the group is the right one

what happens if you change the user to adm

philsturgeon: I usually just "setfacl -m g:logstash:r" on the file, which says give the logstash group read permissions

rap424: ahh so instead of adding logstash to the adm group and letting that do the work, i should set this on each of the logs i want it to read?

philsturgeon: correct, and setting any parent directories "setfacl -m g:logstash:rx" this worked for me when I had this problem

philsturgeon: but doing the above shouldn't be necessary on just /var/log

rap424: thats really tough to work in with my chef setup. it makes me sad that even though logstash is in the right group its unable to read it

woot people are using logstash/kibana at seatgeek

its becoming useful!

thanks to our philipcristiano's circus integration

woo!

philsturgeon: I have never worked with chef, so I have no suggestions there.

savant: circus? is he opsopsopsopsopsopsing again?

rap424: nothing chef specific, i just want one command to let logstash work in the adm group (and have it actually work) instead of have to list out every single file i want it to read manually spread across multiple nodes. your way works, but its tough to do chef-style.

philsturgeon: does the logstash user have the adm as a primary group?

rap424: secondary (i think?)

you can use newgrp to setgid to another group you're in

http://pastebin.com/6m3BnyZL <-- example

Title: % id | fex ' /gid/' gid=1000(jls) % newgrp adm what:~$ id | fex ' /gid/' - Pastebin.com (at pastebin.com)

savant: basically this http://serverfault.com/questions/527706/logstas...

Title: ubuntu - Logstash cant read files it should have access too - Server Fault (at serverfault.com)

stackexchange sites--

philsturgeon: how many files are oyu having logstash watch?

whack: gotta document it somewhere

whack: 3 right now

whack: all in the adm group

(which ive never heard of until today)

philsturgeon: the logstash-users mailing list is a much better place to ask those questions (or here, too) for what it's worth :)

aanyway!

I feel like logstash is too much of a niche application to get a good answer from a stackexchange site

philsturgeon: can you pastebin the output of 'ls -ld' all parent directories?

ls -ld /var/log/nginx /var/log /var /

and for the logstash process, grep 'Gid:' /proc/LOGSTASH_PID/status

whack: http://pastebin.com/WksxZ01E

Title: drwxr-xr-x 23 root root 4096 Jul 31 16:44 / drwxr-xr-x 16 root root 409 - Pastebin.com (at pastebin.com)

there's your problem

just kidding ;) but we'll figure it out

dammit!

well, Gid:999999999999

999 = logstash user, i spotted that before

can you 'sudo -u LOGSTASH_USER stat /var/log/nginx/foo-access.log' ?

is apparmor running

whack: dunno what apparmor is

apparmor is like selinux but ubuntu uses it

whack: ive not specifically installed it. here is that output http://pastebin.com/RpRhbL1j

Title: root@ip-10-4-106-246:/var/log# sudo -u logstash stat /var/log/nginx/kapture-api3 - Pastebin.com (at pastebin.com)

philsturgeon: hmm, try 'sudo -u logstash cat /var/log/nginx/kapture-api3-access.log' ?

whack: yeah it can read it

sudo -u logstash java -jar logstash.jar agent -e 'input { file { path => "/var/log/nginx/kapture-api3" type => foo } }' ?

philsturgeon: try this

sudo -u logstash java -jar logstash.jar irb

that'll give oyu a ruby shell

whack: im in

try File.new("whatever") for your log path

whack: Errno::ENOENT: No such file or directory - /var/log/foo

New news from newjiraissues: Chris Denneen created LOGSTASH-1238 - Option successful output <https://logstash.jira.com/browse/LOGSTASH-1238>;

philsturgeon: and that file exists?

whack: ahh mistake

whack: tried it on /var/log/nginx/kapture-api3-access.log (the file in question) and its ok

=> #<File:/var/log/nginx/kapture-api3-access.log>

philsturgeon: hmmm

and sudo -u logstash java -jar logstash.jar agent -f yourconfig fails?

whack: yeah every time. fills up logs with {:timestamp=>"2013-07-31T17:05:17.302000+0000", :message=>"failed to open /var/log/nginx/kapture-api3-error.log: Permission denied - /var/log/nginx/kapture-api3-error.log", :level=>:warn}

try strace -e trace=file -p <LOGSTASHPID>

see if that shows you what's really failing?

whack: im not sure how that bit works

Title: Droplr Screenshot on 2013-07-31 at 14.11.24.png (at d.pr)

its not doing much

if i restart logstash_agent to make it do anything, its got a diff pid of course

presuming sudo -u logstash cat /var/log/nginx/kapture-api3-error.log - works fine so its some weird issue and permission denied is not file system permissions

eper: yeah thats what im confused about. that user can read the file, but logstash says that user cant read the file

find it weird strace is not producing output

could you not start it with strace

eper: sorry? not start it?

philsturgeon: its the permissions of the file

0640

nemish: i dont know if thats true. the user CAN read the file, but logstash says it cant

owned by www-data:adm