the *beats daemons should probably not run as root Running as nobody is not correct since the daemons own files in /var/db/beats/*beat. Hence the correct way is probably to create a `beats' user and ditto group. That way, admins can allow the beats group read access to log files that are not world readable, for example. Thoughs on this? Palle
*** Bug 217081 has been marked as a duplicate of this bug. ***
I had a similar thought, but that means you need to put beats user into groups that own various log files, etc. I think on Linux everyone runs it as root, but I need to do some more research. That's not a great excuse for running it as root, but if I am correct it would mean we diverge from other platforms. At least beats doesn't open a listening socket on the network...
(In reply to Mark Felder from comment #2) I can second that. beats needs various open files that might not be accessible from non-root user. Like logs, /proc entries, and such.
I does not *always* need special privileges. There are a number of cases when it sends world-readable logs. Add an ability to change user (probably with root as default) would be handy.