A better way to give Logstash permissions to your logs

So you’re ready to rock out Logstash to ship your logs – there’s one little headache: You still need to give it access to your files. Chances are, you want “all of the files!”

The internet will (at the moment) instruct you to use “setfacl”, or various chown/chmod techniques or even add logstash to various groups.

READ THIS TECHNIQUE FIRST!

Why setfacl won’t work

Logrotate can be scripted to reapply the ACLs, but sudo-io (sudo logging) can’t. There are other exceptions where logs not managed by logrotate don’t persist setfacl settings.

Why chmod/chown and adding “logstash” to groups is a bad idea

You’re making too many exceptions, and relinquishing the flexibility to give access to the logs on a normal basis (meaning with normal Linux groups rather than something like setfacl).

Then what works best?

It’s so clean and tidy: either through mount --bind or bindfs.
Feast your eyes on this:

 

OR (in the case of ext4)

You’re given a tidy ‘ro’ binding of the /var/log dir ONLY readable by the logstash reader.

I hope this helps those who want to ship “all of the things!” – this is a good separation of concerns for managing logstash access.

‘bindfs’ is available in the default Debian repos as well!
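One way to set up and verify the read-only binding described above with bindfs, as an added example (not the post's own commands). The mount point /mnt/logstash-logs and a user and group both named logstash are assumptions.

```shell
#!/bin/sh
# Added example: read-only bindfs view of /var/log for a log shipper.
SRC=/var/log
DST=/mnt/logstash-logs   # assumed mount point (not from the post)
LS_USER=logstash         # assumed service account and group name

# Mount SRC at DST through bindfs (run as root):
#   -r            read-only view
#   -u / -g       every file appears owned by the logstash account
#   -p 0000,u=rD  clear all mode bits, then owner read (+x on directories only)
mount_logs_ro() {
    mkdir -p "$DST" &&
    bindfs -r -u "$LS_USER" -g "$LS_USER" -p 0000,u=rD "$SRC" "$DST"
}

# Return 0 only if mount point $1 is listed in mounts table $2 (default
# /proc/mounts) with the exact option "ro". Options are compared whole, so
# "errors=remount-ro" does not count; the last matching entry wins because
# later mounts stack on top of earlier ones.
is_ro_mount() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1; ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { exit !(found && ro) }
    ' "${2:-/proc/mounts}"
}

# "sh script.sh apply" mounts, then fails unless the view really is read-only.
if [ "${1:-}" = "apply" ]; then
    mount_logs_ro && is_ro_mount "$DST" || { echo "no read-only mount at $DST" >&2; exit 1; }
fi
```

Point the Logstash file input at the mount point rather than at /var/log, so the shipper never needs group membership or ACLs on the real files.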
