Run Logstash as a Non-Root User on Ubuntu


In previous posts, we explored in great detail what Logstash is and how to use it, mainly to transform and forward our logs.

Logstash is a powerful data pipeline tool. It ingests data, transforms it, and ships it to your desired destination. In previous versions, by default, Logstash ran as the root user. That’s risky. For that reason, with the latest versions (v9+), Logstash cannot be run as superuser. 

Whether you need it for newer versions or not, running Logstash as a non-root user is a good idea. Running Logstash without root reduces the attack surface. It limits accidental damage. It aligns with security best practices.

In this blog post, we will see how we can run Logstash under a different user, avoiding superuser access.


1. Create a Dedicated System User

We start by creating a new user for Logstash. This user has no password, no login shell, and no home directory. It exists only to run Logstash.

sudo adduser --system --no-create-home --group --disabled-login logstashuser


2. Give the Right Permissions

Now we assign the correct ownership to the Logstash folders. We ensure logstashuser can read and write what it needs. Run these commands:

sudo chown -R logstashuser:logstashuser /usr/share/logstash
sudo chown -R logstashuser:logstashuser /etc/logstash
sudo chown -R logstashuser:logstashuser /var/log/logstash
sudo chown -R logstashuser:logstashuser /var/lib/logstash
sudo chmod -R 755 /usr/share/logstash

This step grants access but keeps the rest of the system locked down.


3. Run Logstash Without Root

Now we start Logstash as our new user. Replace the config path with your own.

sudo -u logstashuser /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/pipeline.conf

If Logstash cannot find Java, we can set JAVA_HOME for it:

sudo -u logstashuser bash -c "export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 && /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/pipeline.conf"

This command launches Logstash in user space. No root access. No elevated risks.


4. Run Logstash as a Service (Optional)

To run Logstash as a service under our new user, we edit the systemd unit file:

sudo nano /etc/systemd/system/logstash.service

Find the [Service] section. Add or change these lines:

User=logstashuser
Group=logstashuser

Then reload systemd and restart Logstash:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart logstash

Logstash now runs in the background, managed by systemd, under our custom user.


5. Verify the Process

Run this to confirm:

ps -ef | grep logstash

You should see logstashuser as the owner.
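
The checks from steps 4 and 5 as a script (an added example, not part of the original post): it reads the effective User= from a unit file's [Service] section and lists root-owned Logstash JVMs from ps output, skipping the root-owned sudo wrapper and the grep itself. The function names are hypothetical and the sample process list is constructed; the --live branch uses ps -eo user:32 because ps -ef shortens user names longer than eight characters, so logstashuser shows up as logstas+.

```shell
#!/usr/bin/env bash
# Added example: checks for steps 4 and 5. All sample data is constructed.

# Print the effective User= from the [Service] section of a unit file.
# Settings in other sections are ignored; the last assignment wins.
service_user() {
  awk '
    /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
    in_service && /^[ \t]*User[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); user = $0
    }
    END { print user }
  ' "$1"
}

# Succeed only if the unit sets a non-root User=. A system unit with no
# User= line runs as root.
unit_runs_unprivileged() {
  local u
  u=$(service_user "$1")
  [ -n "$u" ] && [ "$u" != "root" ] && [ "$u" != "0" ]
}

# Read "USER PID ARGS..." lines on stdin (ps -eo user:32,pid,args) and print
# the PID of every root-owned JVM whose arguments mention logstash. Matching
# on the java executable skips the root-owned sudo wrapper and the grep itself.
root_logstash_pids() {
  awk '{ n = split($3, p, "/") }
       $1 == "root" && p[n] == "java" && /logstash/ { print $2 }'
}

# Constructed ps output: the sudo wrapper from step 3, the correctly owned
# JVM, a leftover root-owned instance, and the grep from step 5.
sample_ps() {
  cat <<'EOF'
root          2101 sudo -u logstashuser /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/pipeline.conf
logstashuser  2102 /usr/lib/jvm/java-11-openjdk-amd64/bin/java -Xms1g org.logstash.Logstash -f /etc/logstash/conf.d/pipeline.conf
root           987 /usr/lib/jvm/java-11-openjdk-amd64/bin/java -Xms1g org.logstash.Logstash --path.settings /etc/logstash
root          2150 grep logstash
EOF
}

if [ "${1:-}" = "--live" ]; then
  unit_runs_unprivileged /etc/systemd/system/logstash.service || echo "unit has no non-root User="
  ps -eo user:32,pid,args | root_logstash_pids
else
  sample_ps | root_logstash_pids     # prints 987
fi
```

An empty result from the process check means no Logstash JVM is running as root; any PID printed is an instance that was started before the change or outside the service.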
