logstash-plugins/logstash-output-elasticsearch

Plugin fails with permission denied error

mirceastoian opened this issue · 1 comment

Logstash information:

  1. Logstash version: 7.17.9
  2. Logstash installation source: deb
  3. How is Logstash being run: systemd
  4. How was the Logstash Plugin installed: sudo /usr/share/logstash/bin/logstash-plugin install logstash-output-elasticsearch
  5. logstash-output-elasticsearch version: 11.19.0

JVM:
Bundled JDK
openjdk version "17.0.9" 2023-10-17
OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)
OpenJDK 64-Bit Server VM Temurin-17.0.9+9 (build 17.0.9+9, mixed mode, sharing)

OS version:
Linux rpi4srv2 6.1.0-rpi6-rpi-v8 #1 SMP PREEMPT Debian 1:6.1.58-1+rpt2 (2023-10-27) aarch64 GNU/Linux

Description of the problem including expected versus actual behavior:
Plug-in fails with the error as shown in the log excerpt and keeps retrying.
Permissions look good.

/etc/logstash/conf.d/wazuh-elasticsearch.conf:

input {
  file {
    id => "wazuh_alerts"
    codec => "json"
    start_position => "beginning"
    stat_interval => "1 second"
    path => "/var/ossec/logs/alerts/alerts.json"
    mode => "tail"
    ecs_compatibility => "disabled"
  }
}

output {
    elasticsearch {
         hosts => "elasticsearch"
         index  => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
         user => '${ELASTICSEARCH_USERNAME}'
         password => '${ELASTICSEARCH_PASSWORD}'
         ssl => true
         cacert => "/etc/logstash/certs/ca.cer"
         template => "/etc/logstash/templates/wazuh.json"
         template_name => "wazuh"
         template_overwrite => true
    }
}

Alerts file permissions:
-rw-rw---- 2 wazuh wazuh 447351 Nov 22 18:06 /var/ossec/logs/alerts/alerts.json

The logstash user is in the wazuh group.

Provide logs (if relevant):

[2023-11-22T17:53:56,162][INFO ][filewatch.observingtail  ][main][wazuh_alerts] START, creating Discoverer, Watch with file and sincedb collections
[2023-11-22T17:53:56,165][ERROR][logstash.javapipeline    ][main][wazuh_alerts] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:main
  Plugin: <LogStash::Inputs::File start_position=>"beginning", mode=>"tail", codec=><LogStash::Codecs::JSON id=>"json_8f7b39d1-927e-4299-ab3c-9d83575efb86", enable_metric=>true, charset=>"UTF-8">, path=>["/var/ossec/logs/alerts/alerts.json"], id=>"wazuh_alerts", stat_interval=>1.0, ecs_compatibility=>:disabled, enable_metric=>true, discover_interval=>15, sincedb_write_interval=>15.0, delimiter=>"\n", close_older=>3600.0, file_completed_action=>"delete", sincedb_clean_after=>1209600.0, file_chunk_size=>32768, file_chunk_count=>140737488355327, file_sort_by=>"last_modified", file_sort_direction=>"asc", exit_after_read=>false, check_archive_validity=>false>
  Error: Permission denied - Permission denied
  Exception: Errno::EACCES
  Stack: org/jruby/RubyFile.java:1323:in `utime'
/usr/share/logstash/vendor/jruby/lib/ruby/stdlib/fileutils.rb:1132:in `block in touch'
org/jruby/RubyArray.java:1987:in `each'
/usr/share/logstash/vendor/jruby/lib/ruby/stdlib/fileutils.rb:1129:in `touch'
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.5/lib/filewatch/sincedb_collection.rb:22:in `initialize'
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.5/lib/filewatch/observing_base.rb:62:in `build_watch_and_dependencies'
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.5/lib/filewatch/observing_base.rb:56:in `initialize'
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.5/lib/logstash/inputs/file.rb:352:in `start_processing'
/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.5/lib/logstash/inputs/file.rb:368:in `run'
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:414:in `inputworker'
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:405:in `block in start_input'
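
The stack trace above fails in `utime`, reached through `FileUtils.touch` from `sincedb_collection.rb`, so write access matters here as well as read access to the watched file. The following Ruby diagnostic is an added example, not code from this issue or from logstash-input-file; `grants?` and `blocked_at` are hypothetical helper names. It reports which path component's owner/group/other mode bits block a given uid and group set.

```ruby
require "pathname"

# Added diagnostic example (not logstash-input-file code). It evaluates only the
# classic owner/group/other mode bits; ACLs, capabilities and MAC policy are ignored.

# True when the permission class that applies to uid/gids grants every bit in
# `need` (r=4, w=2, x=1). uid 0 bypasses mode-bit checks.
def grants?(stat, uid, gids, need)
  return true if uid.zero?
  shift = if stat.uid == uid then 6
          elsif gids.include?(stat.gid) then 3
          else 0
          end
  ((stat.mode >> shift) & need) == need
end

# Walk from / down to `path`. Each ancestor directory needs x (search) and the
# final entry needs `need`. If the final entry does not exist, a touch has to
# create it, which needs w+x on its parent directory.
# Returns [[path, missing], ...]; an empty array means the mode bits allow it.
# Raises Errno::ENOENT if an ancestor directory is missing.
def blocked_at(path, uid, gids, need)
  chain = Pathname.new(path).expand_path.ascend.to_a.reverse
  leaf = chain.pop
  problems = chain.reject { |dir| grants?(dir.stat, uid, gids, 1) }
                  .map { |dir| [dir.to_s, "x"] }
  if leaf.exist?
    problems << [leaf.to_s, format("%o", need)] unless grants?(leaf.stat, uid, gids, need)
  elsif !grants?(leaf.dirname.stat, uid, gids, 3)
    problems << [leaf.dirname.to_s, "wx (create)"]
  end
  problems
end
```

Pass the service account's numeric uid and group ids, once with `need` 4 for the watched file and once with `need` 2 for the file being touched.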