10

I've added user logstash into group adm using the command $ usermod -a -G adm logstash.

One of the files that the logstash agent is trying to read is /var/log/nginx/foo-access.log, which has the following permissions:

    -rw-r----- 1 www-data adm 0 Jul 25 07:52 /var/log/nginx/foo-access.log

When I sudo su logstash I can read the file, BUT, when I $ sudo service logstash_agent restart (which the init script runs as the logstash user) it fills up the logstash logs with:

    {:timestamp=>"2013-07-31T17:05:17.287000+0000", :message=>"failed to open /var/log/nginx/foo-access.log: Permission denied - /var/log/nginx/foo-access.log", :level=>:warn}

I can confirm the logstash user is in the adm group:

    $ groups logstash
    logstash : logstash adm

This file definitely has the right file access:

    $ getfacl /var/log/nginx/foo-access.log
    getfacl: Removing leading '/' from absolute path names
    # file: var/log/nginx/foo-access.log
    # owner: www-data
    # group: adm
    user::rw-
    group::r--
    other::---

I've tried turning it off and on again.

Rockstar04
Phil Sturgeon

2 Answers

5

It turned out to be related to this bug in upstart:

https://bugs.launchpad.net/upstart/+bug/812870

Because adm was a secondary group it was not being applied to the process, which is broken as f**k and is apparently fixed in a later version.

My solution was to add `setgid adm` to the init file.

Phil Sturgeon
5

Here is a working workaround:

    sudo vi /etc/init.d/logstash

change

    LS_GROUP=logstash

to

    LS_GROUP=adm

then

    sudo /etc/init.d/logstash start
David
Also works by adding "LS_GROUP=adm" to /etc/defaults/logstash - the nice part about that is that it's easier to manage using puppet. – thinice Apr 13 '15 at 19:47
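A way to check the diagnosis in the answers above, added here as an example that is not part of the original posts: `groups logstash` reads the group database, while the kernel decides file access from the groups the running process actually holds, which are listed in `/proc/<pid>/status`. The status excerpts below are constructed, UID/GID 999 for logstash is hypothetical, and GID 4 for `adm` is the Debian/Ubuntu default (confirm with `getent group adm`).

```shell
#!/bin/sh
# Added example, not from the original thread. Sample data is constructed.

# Print the GIDs the kernel uses for file permission checks on a process:
# the filesystem GID (4th value on "Gid:") plus the supplementary "Groups:".
proc_file_gids() {
    awk '$1 == "Gid:"    { print $5 }
         $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -un
}

# Exit 0 if the process described by status file $1 holds GID $2.
proc_has_gid() {
    proc_file_gids "$1" | grep -qx "$2"
}

# Write a constructed /proc/<pid>/status excerpt:
# $1=path, $2=primary gid, $3=supplementary groups (may be empty).
write_sample() {
    printf 'Name:\tjava\nUid:\t999\t999\t999\t999\nGid:\t%s\t%s\t%s\t%s\nGroups:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" > "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample "$tmp/init_started" 999 ""       # daemon started by the affected init
    write_sample "$tmp/login_shell"  999 "4 999"  # shell from `sudo su logstash`
    write_sample "$tmp/setgid_adm"   4   ""       # workaround: primary group is adm
    for f in init_started login_shell setgid_adm; do
        if proc_has_gid "$tmp/$f" 4; then
            echo "$f: holds gid 4 (adm)"
        else
            echo "$f: lacks gid 4 (adm)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a live host, pass the daemon's own status file, for example `proc_has_gid /proc/<pid>/status "$(getent group adm | cut -d: -f3)"`.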