loghide filebeat service account for CentOS 7

Time: 2021-05-09 15:34:54

I am trying to get filebeat (for logstash forwarding) on a CentOS 7 environment to run under my created user account, filebeat, instead of root. I tried editing the /etc/rc.d/init.d/filebeat file to the following, but to no avail. I might be doing something wrong, but I am still a bit new to BASH scripting, so I might be putting it in the wrong place? I attempted to follow the suggested implementation instructions located here.


For brevity, I am only showing the first part of the mentioned file as the latter parts are unchanged:


#!/bin/bash
#
# filebeat          filebeat shipper
#
# chkconfig: 2345 98 02
#

### BEGIN INIT INFO
# Provides:          filebeat
# Required-Start:    $local_fs $network $syslog
# Required-Stop:     $local_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Sends log files to Logstash or directly to Elasticsearch.
# Description:       filebeat is a shipper part of the Elastic Beats
#                    family. Please see: https://www.elastic.co/products/beats
### END INIT INFO

PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

[ -f /etc/sysconfig/filebeat ] && . /etc/sysconfig/filebeat
pidfile=${PIDFILE-/var/run/filebeat.pid}
agent=${PB_AGENT-/usr/bin/filebeat}
args="-c /etc/filebeat/filebeat.yml"
test_args="-e -configtest"
wrapper="filebeat-god"
wrapperopts="-r / -n -p $pidfile"
RETVAL=0
# Account the service should run as. The group must be defined as well,
# otherwise $service_group expands to an empty string further down.
service_user="filebeat"
service_group="filebeat"
# Source function library.
. /etc/rc.d/init.d/functions

# Determine if we can use the -p option to daemon, killproc, and status.
# RHEL < 5 can't.
if status | grep -q -- '-p' 2>/dev/null; then
    # daemon() in /etc/rc.d/init.d/functions accepts --user and --pidfile;
    # it has no --group option, so the group is applied through chown instead.
    daemonopts="--user $service_user --pidfile $pidfile"
    # This is top-level script code, not a function body, so "return" is not
    # valid here; abort with exit instead.
    chown -R "$service_user:$service_group" /etc/filebeat || exit 1
    # Create the pid file before changing its owner, otherwise chown fails.
    touch "$pidfile" || exit 1
    chown "$service_user:$service_group" "$pidfile" || exit 1
    chmod g+w "$pidfile" || exit 1
    pidopts="-p $pidfile"
fi

Previously I created a user account filebeat using something similar to the following:


useradd filebeat -u 5044 -c "Filebeat Service Account" -d /dev/null -s /sbin/nologin

However, when I take a look at the process after starting it, it still shows as being owned by root:


[root@testvm ~]# ps -aef | grep filebeat
root     26030     1  0 13:16 ?        00:00:00 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml

1 solution

#1

2

On RHEL/CentOS 7, systemd manages the service so the init.d files are not used. You should modify the unit file for Filebeat in order to run the service as a different user. The unit file is installed at /lib/systemd/system/filebeat.service.


You need to add a User option to the Service section.


[Service]
User=<username>

The user must have read permission on the log files and must have search permission (the execute bit) on the directory containing the log files. Filebeat uses stat to collect the inode of the file, and stat requires execute permission on the directory according to its man page.

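As an added example (not from the post, and not Elastic's own files), a script that generates the User/Group setting as a systemd drop-in rather than editing the packaged unit, and checks that the service account can actually reach a log file the way the answer describes (read permission on the file, search permission on every ancestor directory). It assumes a `filebeat` user and group already exist and the RPM-install default paths.

```shell
#!/bin/bash
# Added example: run Filebeat as a service account on CentOS 7 (systemd).
# Assumptions: user/group "filebeat" exist; paths are RPM-install defaults.

# Return 0 if, for the current user, PATH is readable and every ancestor
# directory grants search (x) permission; print the first failing component.
check_path_access() {
    local path=$1 dir
    [ -f "$path" ] || { echo "missing file: $path"; return 1; }
    dir=$(dirname "$(readlink -f "$path")")   # resolve symlinks first
    while :; do
        [ -x "$dir" ] || { echo "no search permission on: $dir"; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    [ -r "$path" ] || { echo "not readable: $path"; return 1; }
    return 0
}

# Same check, executed as the service account (needs root to call runuser).
check_path_access_as() {
    local user=$1 path=$2
    runuser -u "$user" -- bash -c \
        "$(declare -f check_path_access); check_path_access \"\$1\"" _ "$path"
}

# Emit the drop-in body. Installed as
# /etc/systemd/system/filebeat.service.d/override.conf it survives package
# upgrades, unlike an edit to /lib/systemd/system/filebeat.service.
unit_override() {
    printf '[Service]\nUser=%s\nGroup=%s\n' "$1" "$2"
}

# Root-only procedure; not exercised by the checks above.
apply_override() {
    install -d -m 0755 /etc/systemd/system/filebeat.service.d
    unit_override filebeat filebeat \
        > /etc/systemd/system/filebeat.service.d/override.conf
    # Filebeat also needs its own registry and log directories (RPM defaults).
    chown -R filebeat:filebeat /var/lib/filebeat /var/log/filebeat
    # Beats refuse a config that is writable by group/others or owned by a
    # different non-root user; root-owned, group-readable satisfies the check.
    chown root:filebeat /etc/filebeat/filebeat.yml
    chmod 0640 /etc/filebeat/filebeat.yml
    systemctl daemon-reload && systemctl restart filebeat
    systemctl show -p User filebeat          # expect User=filebeat
}
```

After `apply_override`, `check_path_access_as filebeat /var/log/messages` reports the exact directory or file that still blocks the account, which is the information `ps` alone does not give.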
