Closed tn20000 closed 11 months ago
Not in the binaries, could you add the loki promtail user to the ossec group so you can read alerts.log/json? That's how I've seen it done with other tools.
I ended up using acl to make the OSSEC logs folder belong to the adm group in addition to the ossec group, also made the default acl belong to adm group so that any newly created files/folders belong to the adm group as well. Closing this issue.
Is there any way to change OSSEC_GROUP (user group OSSEC is run under) if I install through apt?
I have this use case where I'm trying to scrape OSSEC logs along with some other logs using Loki promtail. Usually in Ubuntu, logs belong to the user group adm, so I can scrape most logs if I run promtail as a user under the adm user group. However, OSSEC logs belong to the user group ossec, and I haven't found any way to change this group ownership without installing it from source. If I just change the folder group ownership to adm, OSSEC will fail to start since it's not able to validate the config file (no read permission). Is there a good way to resolve this issue?
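The ACL approach from the closing comment, sketched as an added example that is not code from the thread or from OSSEC: it adds a read-only entry for a second group, sets the matching default ACL, and checks the effective permission after the mask. The path `/path/to/ossec/logs` is a placeholder, and the `rX` permission set and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes setfacl/getfacl from the
# "acl" package; directory and group are passed in by the caller.

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# grant_log_read DIR GROUP: add read-only ACL entries for GROUP.
# Owner and owning group (ossec) are left untouched, so the ownership
# OSSEC expects on its files does not change.
grant_log_read() {
    dir=$1 group=$2
    # Access ACL for what exists now: r on files, X = search on directories only.
    run setfacl -R -m "g:${group}:rX" "$dir" || return 1
    # Default ACL on directories: inherited by files and folders created later.
    run setfacl -R -d -m "g:${group}:rX" "$dir" || return 1
}

# acl_grants_read GROUP: read `getfacl` output on stdin; succeed only if the
# named-group entry for GROUP is still readable after the mask is applied.
acl_grants_read() {
    awk -v g="$1" '
        $1 ~ ("^group:" g ":") {
            perms = $1
            sub(/^group:[^:]*:/, "", perms)
            # getfacl appends "#effective:..." when the mask removes bits.
            if (match($0, /#effective:/)) perms = substr($0, RSTART + 11, 3)
            found = (perms ~ /^r/)
        }
        END { exit (found ? 0 : 1) }'
}

# Usage (as root; the path is a placeholder):
#   DRY_RUN=1 grant_log_read /path/to/ossec/logs adm   # preview the commands
#   grant_log_read /path/to/ossec/logs adm
#   getfacl /path/to/ossec/logs | acl_grants_read adm && echo readable
```

The reading group also needs search (`x`) permission on every parent directory of the log folder, which the recursive ACL above does not grant.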