diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 79548f92739..3fc21ca5f1f 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -136,6 +136,7 @@ https://github.com/elastic/beats/compare/v5.5.3...v5.6.0[View commits]
 *Affecting all Beats*
 - Add option to the import_dashboards script to load the dashboards via Kibana API. {pull}4682[4682]
+- Add `logging.files` `permissions` option. {pull}4295[4295]
 *Filebeat*
diff --git a/filebeat/filebeat.full.yml b/filebeat/filebeat.full.yml
index 6cf003d8eba..bf1a2fb2968 100644
--- a/filebeat/filebeat.full.yml
+++ b/filebeat/filebeat.full.yml
@@ -1017,3 +1017,6 @@ logging.files:
 # Number of rotated log files to keep. Oldest files will be deleted first.
 #keepfiles: 7
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
diff --git a/heartbeat/heartbeat.full.yml b/heartbeat/heartbeat.full.yml
index 93f45856080..70e12dbc565 100644
--- a/heartbeat/heartbeat.full.yml
+++ b/heartbeat/heartbeat.full.yml
@@ -852,3 +852,6 @@ logging.files:
 # Number of rotated log files to keep. Oldest files will be deleted first.
 #keepfiles: 7
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
diff --git a/libbeat/_meta/config.full.yml b/libbeat/_meta/config.full.yml
index 38cafc8d725..72bc1997536 100644
--- a/libbeat/_meta/config.full.yml
+++ b/libbeat/_meta/config.full.yml
@@ -654,3 +654,6 @@ logging.files:
 # Number of rotated log files to keep. Oldest files will be deleted first.
 #keepfiles: 7
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc
index 2a27cf7d5c0..62c8691d313 100644
--- a/libbeat/docs/loggingconfig.asciidoc
+++ b/libbeat/docs/loggingconfig.asciidoc
@@ -27,6 +27,7 @@ logging.files:
 path: /var/log/mybeat
 name: mybeat.log
 keepfiles: 7
+ permissions: 0600
 ------------------------------------------------------------------------------
 TIP: In addition to setting logging options in the config file, you can modify
@@ -124,6 +125,21 @@ The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The `keepfiles` options has to be in the range of 2 to 1024 files.
+===== files.permissions
+
+The permissions mask to apply when rotating log files. The default value is 0600. The
+`permissions` value must be a valid Unix-style file permissions mask expressed
+in octal notation. In YAML, numbers in octal notation must start with '0'.
+
+Examples:
+
+* 0600: give read and write access to the file owner, and no access to all
+others (default).
+* 0644: give read and write access to the file owner, and read access to all
+others.
+* 0664: give read and write access to the file owner and members of the group
+associated with the file, as well as read access to all other users.
+
 ==== Logging Format
 The logging format is different for each logging type:
diff --git a/libbeat/logp/file_rotator.go b/libbeat/logp/file_rotator.go
index af191d3b275..0cb05077d59 100644
--- a/libbeat/logp/file_rotator.go
+++ b/libbeat/logp/file_rotator.go
@@ -17,6 +17,7 @@ type FileRotator struct {
 Name string
 RotateEveryBytes *uint64
 KeepFiles *int
+ Permissions *uint32
 current *os.File
 currentSize uint64
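Review bot: The new `Permissions *uint32` field in `FileRotator` has no comment, so neither its unit nor the meaning of a nil pointer is visible at the declaration. Elsewhere in this commit a nil pointer falls back to 0600 and values above `os.ModePerm` are rejected, so a comment such as `// Permissions holds the Unix permission bits for new log files; nil selects 0600.` would record that where callers look first. The struct starts and ends outside this hunk.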
@@ -42,7 +43,7 @@ func (rotator *FileRotator) CreateDirectory() error {
 func (rotator *FileRotator) CheckIfConfigSane() error {
 if len(rotator.Name) == 0 {
- return fmt.Errorf("File logging requires a name for the file names")
+ return fmt.Errorf("file logging requires a name for the file names")
 }
 if rotator.KeepFiles == nil {
 rotator.KeepFiles = new(int)
@@ -54,7 +55,11 @@ func (rotator *FileRotator) CheckIfConfigSane() error {
 }
 if *rotator.KeepFiles < 2 || *rotator.KeepFiles >= RotatorMaxFiles {
- return fmt.Errorf("The number of files to keep should be between 2 and %d", RotatorMaxFiles-1)
+ return fmt.Errorf("the number of files to keep should be between 2 and %d", RotatorMaxFiles-1)
+ }
+
+ if rotator.Permissions != nil && (*rotator.Permissions > uint32(os.ModePerm)) {
+ return fmt.Errorf("the permissions mask %d is invalid", *rotator.Permissions)
 }
 return nil
 }
@@ -134,7 +139,7 @@ func (rotator *FileRotator) Rotate() error {
 if rotator.FileExists(fileNo + 1) {
 // next file exists, something is strange
- return fmt.Errorf("File %s exists, when rotating would overwrite it", rotator.FilePath(fileNo+1))
+ return fmt.Errorf("file %s exists, when rotating would overwrite it", rotator.FilePath(fileNo+1))
 }
 err := os.Rename(path, rotator.FilePath(fileNo+1))
@@ -145,7 +150,7 @@ func (rotator *FileRotator) Rotate() error {
 // create the new file
 path := rotator.FilePath(0)
- current, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+ current, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, os.FileMode(rotator.getPermissions()))
 if err != nil {
 return err
 }
@@ -158,3 +163,10 @@ func (rotator *FileRotator) Rotate() error {
 return nil
 }
+
+func (rotator *FileRotator) getPermissions() uint32 {
+ if rotator.Permissions == nil {
+ return 0600
+ }
+ return *rotator.Permissions
+}
diff --git a/libbeat/logp/file_rotator_test.go b/libbeat/logp/file_rotator_test.go
index 6df204bbbfe..d4d82805802 100644
--- a/libbeat/logp/file_rotator_test.go
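Review bot: The range check added to `CheckIfConfigSane` (hunk at -54,7 +55,11) only rejects values above `os.ModePerm`, so a mask mistakenly written in decimal still passes when the number is small enough: `444` is 0674 in octal and would leave the log group-writable instead of read-only. That cannot be detected once the value is a uint32, and how the option is decoded is not visible here, so at minimum the option's documentation could call the case out. The error also prints the rejected mask in decimal; `return fmt.Errorf("the permissions mask %#o is invalid", *rotator.Permissions)` reports it in the notation the option uses. The check further accepts world-writable modes such as 0666, which would let any local user alter the Beat's own log; whether to warn on those is a policy call for the maintainers.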
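Review bot: The mode now passed to `os.OpenFile` in `Rotate` (hunk at -145,7 +150,7) is still filtered by the process umask and is only applied when the file is created, so a configured 0664 can end up as 0644 on disk. If the option is meant to set the exact mode, follow the open with `current.Chmod(os.FileMode(rotator.getPermissions()))` and check its error; otherwise the documentation should say that the umask applies. The change also covers only the file opened during rotation: whether the first log file is created through this path is not visible in the hunk, and files that were already rotated keep their old mode. `Rotate` starts and ends outside this hunk.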
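Review bot: `getPermissions` (hunk at -158,3 +163,10) returns a bare `uint32` that its only caller in this diff immediately wraps in `os.FileMode(...)`, and the default 0600 is an unnamed literal. Returning `os.FileMode` directly and naming the default, for example `const defaultPermissions os.FileMode = 0600`, would remove the conversion at the call site and give the documented default a single home in the code. The function also has no doc comment; `// getPermissions returns the configured permission bits, or 0600 when Permissions is nil.` would cover it.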
+++ b/libbeat/logp/file_rotator_test.go
@@ -160,4 +160,17 @@ func TestConfigSane(t *testing.T) {
 }
 assert.NotNil(t, rotator.CheckIfConfigSane())
+ perms := uint32(0544)
+ rotator = FileRotator{
+ Name: "test2",
+ Permissions: &perms,
+ }
+ assert.Nil(t, rotator.CheckIfConfigSane())
+
+ perms = uint32(077777)
+ rotator = FileRotator{
+ Name: "test2",
+ Permissions: &perms,
+ }
+ assert.NotNil(t, rotator.CheckIfConfigSane())
 }
diff --git a/metricbeat/metricbeat.full.yml b/metricbeat/metricbeat.full.yml
index ca5ad67cb8e..2a925939073 100644
--- a/metricbeat/metricbeat.full.yml
+++ b/metricbeat/metricbeat.full.yml
@@ -965,3 +965,6 @@ logging.files:
 # Number of rotated log files to keep. Oldest files will be deleted first.
 #keepfiles: 7
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
diff --git a/packetbeat/packetbeat.full.yml b/packetbeat/packetbeat.full.yml
index e5831b9759b..b4300e53cb6 100644
--- a/packetbeat/packetbeat.full.yml
+++ b/packetbeat/packetbeat.full.yml
@@ -1108,3 +1108,6 @@ logging.files:
 # Number of rotated log files to keep. Oldest files will be deleted first.
 #keepfiles: 7
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
diff --git a/winlogbeat/winlogbeat.full.yml b/winlogbeat/winlogbeat.full.yml
index 640cbfb487e..bae2a0dea30 100644
--- a/winlogbeat/winlogbeat.full.yml
+++ b/winlogbeat/winlogbeat.full.yml
@@ -683,3 +683,6 @@ logging.files:
 # Number of rotated log files to keep. Oldest files will be deleted first.
 #keepfiles: 7
+ # The permissions mask to apply when rotating log files. The default value is 0600.
+ # Must be a valid Unix-style file permissions mask expressed in octal notation.
+ #permissions: 0600
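Review bot: The cases added to `TestConfigSane` cover one mid-range value (0544) and one far outside the range (077777), but not the boundary that the new check in `CheckIfConfigSane` actually draws. Adding `perms = uint32(0777)` with `assert.Nil` and `perms = uint32(01000)` with `assert.NotNil` would pin the `> uint32(os.ModePerm)` comparison against an off-by-one. Nothing in this diff tests that `Rotate` creates the file with the configured mode, which is the behaviour the option exists for. `TestConfigSane` starts outside this hunk.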