I managed it by putting the logstash user in the ossec group. Not nice but works.
On 12/30/2014 03:27 PM, Glenn Ford wrote:
> How did you securely configure to get around the fact OSSEC permissions
> don't allow access to that file?
>
> I believe the reason this isn't working for me is because the file is
> not accessible (logstash shows no errors running, aggravating).
>
> I temporarily modified logstash to allow login and tried this:
>
> ]# su - logstash
> -bash-4.1$ pwd
> /opt/logstash
> -bash-4.1$ stat /var/ossec/logs/alerts/alerts.log
> stat: cannot stat `/var/ossec/logs/alerts/alerts.log': Permission denied
>
>
> On Saturday, March 8, 2014 5:02:35 PM UTC-5, Joshua Garnett wrote:
>
> To address this issue I've put together a logstash config that will
> read the alerts from /var/ossec/logs/alerts/alerts.log. On top of
> solving the reliability issue, it also fixes issues with multi-lines
> being lost, and adds geoip lookups for the src_ip. I tested it
> against approximately 1GB of alerts (3M events).
>
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
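A check for the "Permission denied" Glenn hit, added here as an example and not taken from the thread: given an account and a file, it reports whether the owner, group or other read bit would grant access, which is how you confirm that adding the logstash user to the ossec group actually covers alerts.log. It assumes GNU stat on Linux; the user and path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Report which permission class (owner, group, other) would let USER read
# FILE, judged from the classic mode bits alone. Assumes GNU coreutils stat
# (Linux). POSIX ACLs and root's override are not considered, so "none"
# means "check further", not "definitely denied".
# Hypothetical invocation mirroring the thread:
#   check_read_access logstash /var/ossec/logs/alerts/alerts.log

# True when an octal permission digit has the read bit (4) set.
has_read_bit() {
  case $1 in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

check_read_access() {
  user=$1
  file=$2
  # Supplementary groups are what the "add logstash to ossec" fix changes:
  # the file's group must appear in this list.
  memberships=$(id -Gn "$user" 2>/dev/null) || { echo "nouser"; return 0; }
  meta=$(stat -c '%U %G %a' "$file" 2>/dev/null) || { echo "nofile"; return 0; }
  set -- $meta
  owner=$1
  group=$2
  # stat prints the mode without leading zeros (e.g. "4" for 004) and may
  # prepend a setuid/setgid/sticky digit; normalise to exactly three digits.
  perm=$3
  while [ ${#perm} -lt 3 ]; do perm="0$perm"; done
  perm=${perm#"${perm%???}"}
  u=${perm%??}
  g=${perm#?}; g=${g%?}
  o=${perm#??}
  in_group=no
  case " $memberships " in *" $group "*) in_group=yes ;; esac
  if [ "$owner" = "$user" ] && has_read_bit "$u"; then
    echo "owner"
  elif [ "$in_group" = yes ] && has_read_bit "$g"; then
    echo "group"
  elif has_read_bit "$o"; then
    echo "other"
  else
    echo "none"
  fi
}

# Stand-alone use: ./check.sh USER FILE
if [ $# -ge 2 ]; then
  check_read_access "$1" "$2"
fi
```

The check reads group membership from the account database via id, so it reports "group" as soon as usermod has run, but an already-running logstash keeps its old supplementary groups until the service is restarted. Membership in ossec also exposes everything else under /var/ossec that is group-readable, which is the trade-off behind "Not nice but works".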
