The default install of logstash doesn't work. However, when copying the included conf file from /usr/share/logstash/agent.conf to /etc/logstash/conf.d/, the naive user gets:

"fuji-02 logstash # tail /var/log/logstash/logstash-plain.log
[2017-05-17T17:56:08,670][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2017-05-17T17:56:08,772][INFO ][logstash.pipeline ] Pipeline main started
[2017-05-17T17:56:08,784][WARN ][logstash.inputs.file ] failed to open /var/log/dracut.log: Permission denied - /var/log/dracut.log
[2017-05-17T17:56:08,786][WARN ][logstash.inputs.file ] failed to open /var/log/emerge-fetch.log: Permission denied - /var/log/emerge-fetch.log
[2017-05-17T17:56:08,786][WARN ][logstash.inputs.file ] failed to open /var/log/emerge.log: Permission denied - /var/log/emerge.log
[2017-05-17T17:56:08,788][WARN ][logstash.inputs.file ] failed to open /var/log/lxdm.log: Permission denied - /var/log/lxdm.log
[2017-05-17T17:56:08,789][WARN ][logstash.inputs.file ] failed to open /var/log/lynis.log: Permission denied - /var/log/lynis.log
[2017-05-17T17:56:08,792][WARN ][logstash.inputs.file ] failed to open /var/log/vsftpd.log: Permission denied - /var/log/vsftpd.log
[2017-05-17T17:56:08,794][WARN ][logstash.inputs.file ] failed to open /var/log/messages: Permission denied - /var/log/messages
[2017-05-17T17:56:08,795][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
fuji-02 logstash # "

Perhaps some group membership adjustment for the logstash user is in order? Thanks.
Hi Jesse. It's really hard to define what is a "default" installation for logstash. Sometimes you read logs, sometimes you just listen on a socket. We have a warning in the ebuild that you need to change LS_USER and LS_GROUP to root if you wish to read logs, for example. I think I will extend the sample with more stuff and add a warning in the beginning of the file that you need to run this as root. Will that be ok or what do you suggest?
I've added a note to the 5.4.0 release about the sample config location and a warning that root access may be needed. Is that ok? https://github.com/gentoo/gentoo/pull/4744
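An added example (not part of this thread, the ebuild, or Logstash itself): it extracts the files named in the "Permission denied" warnings quoted in the report and checks, for each, whether group membership would be enough to read it, which bears on the choice between adding the logstash user to a group and setting LS_USER/LS_GROUP to root. The function names and the sample log text are constructed for illustration.

```python
import grp
import os
import re
import stat

# Matches the file-input warning format shown in the report above.
DENIED = re.compile(
    r"\[WARN\s*\]\[logstash\.inputs\.file\s*\] failed to open (\S+): Permission denied"
)

# Constructed sample: lines in the format of the log quoted in the report.
SAMPLE_LOG = """\
[2017-05-17T17:56:08,772][INFO ][logstash.pipeline ] Pipeline main started
[2017-05-17T17:56:08,784][WARN ][logstash.inputs.file ] failed to open /var/log/dracut.log: Permission denied - /var/log/dracut.log
[2017-05-17T17:56:08,794][WARN ][logstash.inputs.file ] failed to open /var/log/messages: Permission denied - /var/log/messages
"""

def denied_paths(log_text):
    """Return the unique paths Logstash could not open, in log order."""
    seen = []
    for m in DENIED.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def read_grant(path):
    """Classify what would let a non-root user read `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ("missing", None)
    except PermissionError:
        return ("parent-dir-denied", None)
    if st.st_mode & stat.S_IROTH:
        return ("world-readable", None)  # any denial comes from a parent directory
    if st.st_mode & stat.S_IRGRP:
        try:
            name = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            name = str(st.st_gid)  # gid without a named group
        return ("group", name)  # membership in this group grants read
    return ("owner-only", None)  # no group would help; mode or owner must change

def report(log_text):
    """Map each denied path to its read_grant() classification."""
    return {p: read_grant(p) for p in denied_paths(log_text)}

if __name__ == "__main__":
    for path, (kind, group) in report(SAMPLE_LOG).items():
        print(f"{path}: {kind}" + (f" (group {group})" if group else ""))
```

Run it as a user that can stat the files (for example root) against the real /var/log/logstash/logstash-plain.log; files reported as "owner-only" cannot be fixed by group membership alone.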