I have logstash http://logstash.net/docs/1.4.2/ installed from Elasticsearch's repository http://logstash.net/docs/1.4.2/repositories. I want logstash to parse /var/log/messages and /var/log/syslog. I have configured logstash to read those files but I get some errors in logstash's log:
"failed to open /var/log/syslog: Permission denied - /var/log/syslog", :level=>:warn}
-rw-r----- 1 root adm <size> Jul 25 21:00 messages
-rw-r----- 1 root adm <size> Jul 25 21:09 syslog
I added user 'logstash' to group 'adm'.
root# groups logstash
logstash : logstash adm
logstash's entry in /etc/passwd looks like this:
logstash:x:999:999:LogStash Service User:/var/lib/logstash:/sbin/nologin
logstash:x:999:999:LogStash Service User:/var/lib/logstash:/bin/sh
When logstash is running from the init.d script, it doesn't count as a 'login' - it does not appear in the output of
root# last|grep logstash
Maybe there is something special about the adm group that I'm missing?
I do not wish to reboot the machine.
Thanks for any insight you may have into this!! I hope I'm overlooking something simple.
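The situation above, as an added diagnostic example that is not part of the original post: on Linux a process receives its supplementary groups when it is started (via initgroups), so a daemon launched before its user was added to a group will not hold that group until it is restarted. The script compares the "Groups:" line of a process's /proc/<pid>/status with the gid of the group in question; the status snippet is constructed sample data, and live_check assumes a Linux host with /proc and getent.

```shell
# Print the gids from the "Groups:" line of a /proc/<pid>/status text,
# as a sorted, space-separated list.
proc_groups() {
    printf '%s\n' "$1" | awk '/^Groups:/ { $1=""; print }' \
        | tr -s ' \t' '\n' | sed '/^$/d' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if gid $2 appears in the space-separated gid list $1, else 1.
has_gid() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Live check (Linux only): does the running process with pid $1 hold the
# gid of group $2? Returns 0 if yes, 1 if no, 2 if lookup failed.
# A "no" here while `id -G user` shows the group means the daemon was
# started before the group change and needs a restart, not a reboot.
live_check() {
    pid=$1; grp=$2
    gid=$(getent group "$grp" | cut -d: -f3)
    [ -n "$gid" ] || return 2
    status=$(cat "/proc/$pid/status") || return 2
    has_gid "$(proc_groups "$status")" "$gid"
}

# Constructed sample: status of a daemon started as uid/gid 999 before its
# user was added to adm (gid 4 on Debian-derived systems). Only the primary
# gid appears in Groups, which is exactly the symptom from the post.
SAMPLE_STATUS='Name:	java
Uid:	999	999	999	999
Gid:	999	999	999	999
Groups:	999 '
```

Run `live_check "$(pidof java)" adm` (or the real logstash pid) on the host; after restarting the service the Groups line should include the adm gid.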