the *beats daemons should probably not run as root
Running as nobody is not correct since the daemons own files in /var/db/beats/*beat. Hence the correct way is probably to create a `beats' user and ditto group. That way, admins can allow the beats group read access to log files that are not world readable, for example.
Thoughs on this?
*** Bug 217081 has been marked as a duplicate of this bug. ***
I had a similar thought, but that means you need to put beats user into groups that own various log files, etc. I think on Linux everyone runs it as root, but I need to do some more research. That's not a great excuse for running it as root, but if I am correct it would mean we diverge from other platforms.
At least beats doesn't open a listening socket on the network...