So you’re ready to rock out Logstash to ship your logs – there’s one little headache: You still need to give it access to your files. Chances are, you want “all of the files!”
The internet will (at the moment) instruct you to use “setfacl”, or various chown/chmod techniques or even add logstash to various groups.
READ THIS TECHNIQUE FIRST!
Why setfacl won’t work
Logrotate can be scripted to re-apply the ACLs after rotation, but sudo-io (sudo's I/O logging) can't. There are other exceptions too: logs not managed by logrotate don't persist setfacl settings when their files are recreated.
Why chmod/chown and adding “logstash” to groups is a bad idea
You’re making too many exceptions, and giving up the flexibility of granting access to the logs on a normal basis (meaning through ordinary Linux groups rather than something like setfacl).
Then what works best?
It’s so clean and tidy: either through mount --bind or bindfs.
Feast your eyes on this:
# Bind /var/log to a second path, then remount that bind read-only.
# "bind" must be repeated on the remount: without it the ro flag is applied
# to the underlying superblock and /var/log itself becomes read-only.
# Ownership options (uid=/gid=) only work on filesystems that accept them;
# ext4 rejects them, which is what the bindfs form is for.
mount --bind /var/log /srv/logstash-data
mount -o remount,bind,ro /srv/logstash-data
OR (in the case of ext4)
# bindfs re-exports /var/log owned by logstash:nogroup with mode 0000 plus
# owner read (r) and directory traverse (D), so nobody else can read it.
bindfs -u logstash -g nogroup -p 0000,u=rD /var/log /srv/logstash-data
You’re given a tidy ‘ro’ binding of the /var/log dir ONLY readable by the logstash reader.
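Before pointing Logstash at the export, it is worth checking that the binding really is read-only and that the original /var/log was not flipped read-only along with it. The check below is an added example, not part of the original post; it assumes the /var/log to /srv/logstash-data layout above and runs over constructed mount-table samples (the function names mount_opts, has_opt and check_export are mine).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the export before
# pointing Logstash at it. Assumed layout: /var/log bound read-only at
# /srv/logstash-data. The mount tables are constructed samples in
# /proc/self/mounts format, not captured from a real host.

# Correct result: the export is ro and the original /var/log stays rw.
GOOD_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /var/log ext4 rw,relatime 0 0
/dev/sda1 /srv/logstash-data ext4 ro,relatime 0 0'

# The classic mistake: "mount -o remount,ro TARGET" without "bind" flips the
# ro flag on the whole superblock, so /var/log itself goes read-only too.
BAD_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /var/log ext4 ro,relatime 0 0
/dev/sda1 /srv/logstash-data ext4 ro,relatime 0 0'

# mount_opts TABLE MOUNTPOINT: print the option field of the last entry for
# MOUNTPOINT (later entries shadow earlier ones); empty if not mounted.
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { printf "%s", o }'
}

# has_opt OPTS NAME: true when NAME is one of the comma-separated options.
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# check_export TABLE SOURCE TARGET: returns 0 only when TARGET is mounted
# read-only while SOURCE (the mount holding the logs) is still writable.
check_export() {
  src_opts=$(mount_opts "$1" "$2")
  dst_opts=$(mount_opts "$1" "$3")
  if [ -z "$dst_opts" ]; then
    echo "FAIL: $3 is not mounted"; return 1
  fi
  if ! has_opt "$dst_opts" ro; then
    echo "FAIL: $3 is writable; the Logstash export must be read-only"; return 1
  fi
  if [ -n "$src_opts" ] && has_opt "$src_opts" ro; then
    echo "FAIL: $2 went read-only too (remount without 'bind'?)"; return 1
  fi
  echo "OK: $3 is a read-only view of $2"
}

# On a real host: check_export "$(cat /proc/self/mounts)" /var/log /srv/logstash-data
```

If /var/log is not its own mount, pass the mount that contains it (often /) as SOURCE, since that is the superblock a bad remount would affect.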
I hope this helps those who want to ship “all of the things!” – this is a good separation of concerns for managing logstash access.
‘bindfs’ is available in the default Debian repos as well!