Permissions denied error in log parser for httpd

Hello All,

I am trying to use the influx plugin logparser to track httpd logs in /var/log/httpd/access_log

After modification of the same I get a permission denied error, as telegraf is not able to access this file

Can anyone assist?

@Sunil_Jacob Have you checked your permissions on the file as well as the telegraf process?

Hi @jackzampolin the file is having the permission of root

-rw-r--r-- 1 root root 2611 Jun 7 18:37 access_log

@Sunil_Jacob is telegraf running as root? Can you paste the exact error from telegraf?

2017-06-07T23:34:40Z E! Error: procstat getting process, exe: pidfile: pattern: [httpd] user: Failed to execute /usr/bin/pgrep. Error: 'exit status 1'
2017-06-07T23:34:50Z E! Error: procstat getting process, exe: pidfile: pattern: [httpd] user: Failed to execute /usr/bin/pgrep. Error: 'exit status 1'
2017/06/07 23:42:20 E! Error parsing /etc/telegraf/telegraf.conf, line 1869: field corresponding to `measurement' is not defined in `*logparser.LogParserPlugin'

1847 # ## Log files to parse.
1848 # ## These accept standard unix glob matching rules, but with the addition of
1849 # ## ** as a "super asterisk". ie:
1850 # ## /var/log/**.log -> recursively find all .log files in /var/log
1851 # ## /var/log/*/*.log -> find all .log files with a parent dir in /var/log
1852 # ## /var/log/apache.log -> only tail the apache log file
1853 files = ["/var/log/httpd/access_log"]
1854 # ## Read file from beginning.
1855 from_beginning = true
1856 # name_override = "httpd_access_log"
1857 #
1858 # ## Parse logstash-style "grok" patterns:
1859 # ## Telegraf built-in parsing patterns:
1860 # [inputs.logparser.grok]
1861 # ## This is a list of patterns to check the given log file(s) for.
1862 # ## Note that adding patterns here increases processing time. The most
1863 # ## efficient configuration is to have one pattern per logparser.
1864 # ## Other common built-in patterns are:
1865 # ## %{COMMON_LOG_FORMAT} (plain apache & nginx access logs)
1866 # ## %{COMBINED_LOG_FORMAT} (access logs + referrer & agent)
1867 patterns = ["%{COMBINED_LOG_FORMAT}"]
1868 # ## Name of the outputted measurement name.
1869 measurement = "apache_access_log"
1870 # ## Full path(s) to custom pattern files.
1871 # custom_pattern_files =
1872 # ## Custom patterns can also be defined here. Put one pattern per line.
1873 # custom_patterns = '''
1874 # '''

@Sunil_Jacob It looks like you have a misconfigured logparser plugin not a permissions issue. It looks like the permissions issue is coming from the procstat plugin…

@jackzampolin it would be great if you could help me on the same

@Sunil_Jacob Your logparser config should look as follows:

[[inputs.logparser]]
  files = ["/var/log/httpd/access_log"]
  from_beginning = false
  [inputs.logparser.grok]
    patterns = ["%{COMBINED_LOG_FORMAT}"]
    measurement = "apache_access_log"
    custom_pattern_files = []
    custom_patterns = '''
    '''

I did the same but it is not working

EDIT: This is a different error probably. I would say that you should make sure that all logs have correct permissions. I would not recommend giving an agent that runs on multiple hosts root priv.

Because I spent far too much time working on this. Even though this post is old, still going to add solution. In the log we were having similar issues and as a result, host was not showing in chronograf or influx as it causes the agent to fail.

sudo groupadd Telegraf
sudo setfacl -m g:Telegraf:r /var/log/secure
sudo setfacl -m g:Telegraf:r /var/log/yum.log
sudo usermod -a -G Telegraf telegraf
sudo service telegraf restart

Service/agent now starts clean on host and begins reporting data

Followed Steven’s suggested steps…but still my logparser is unable to read nginx’s access.log. I get permission denied.

How to fix?

Thanks in Advance.

I’m having same issue as @Krishna_Chaitanya Followed the steps on one Ubuntu server and one Debian 9 that @Steven_Lattin offered.
tail /etc/passwd => telegraf:x:999:999::/etc/telegraf:/bin/false
groups telegraf => telegraf : telegraf sudo Telegraf

ls -al /var/log/apache2/main.access.log returns

Using sudo setfacl -m g:Telegraf:r /var/log/apache2/main.access.log
And then
getfacl var/log/apache2/main.access.log
file: var/log/apache2/main.access.log
owner: root
group: root

And I have also copied/pasted the absolute path to ensure that goof wasn’t the reason. So is my use of setfacl incorrect?

Does anyone have the solution?
I have the same problem.
I already started telegraf with root, I gave the necessary permissions, but I still have access denied.

Hi @Rafael_Braganca ,

what was the command you used to start telegraf with the root user ?
Do you see a telegraf process running started with root ?

@sam452 , can you access the file when you connect as user telegraf ? Have you restarted telegraf ?

Focusing on ubuntu xenial, I’m using service telegraf restart after each change in my /etc/telegraf/telegraf.conf file.
So, since we’re talking systemd here, this is the [Service] contents of /etc/

EnvironmentFile=-/etc/default/telegraf
User=telegraf
ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartForceExitStatus=SIGPIPE
KillMode=control-group

Here’s the rub on the telegraf user. Following other tutorials, I find that while the telegraf user is a user, it does not have the home directory and does not have listing in the /etc/sudoers file.
Attempting to su - telegraf returns me to the command prompt of the current user, not the telegraf user so I’m unable to assume the telegraf user to test as you suggest. I perceived it was because those type of users only exist to do certain tasks and not to act as a normal user. Please correct me, if needed. Thx.

hi , you can maybe test the telegraf user’s permissions as follows :

sudo -u telegraf head /tmp/
head: cannot open ‘/tmp/’ for reading: Permission denied

sudo -u telegraf head /tmp/
[17-Jul-2019 21:10:25 UTC] my greedy error message

Thank you for the pointers. In my case, none of those files exist in my /tmp directory. Following on this, running
sudo -u telegraph head var/log/apache2/main.access.log returns the head: cannot open '/var/log/apache2/access.log' for reading: Permission denied

What other data could I provide to help isolate my issue? sam

Is telegraph a typo ? ( in the service it is telegraf )

if not then you have just isolated the issue …

can you do :

ls -al /var/log/apache2/access.log

Yes, certainly that was a typo.

ls -al /var/log/apache2/access.log

-rw-r----- 1 root adm 3264 Jul 17 11:43 /var/log/apache2/access.log
The debian log shows root:root instead of Ubuntu’s root:adm above.

Oh, I neglected to answer one of your earlier Q’s. In top, I can see that telegraf is running under the telegraf user.
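
An added example, not part of any post in this thread: a Python check that walks every component of a log path and reports the first one whose owner/group/other mode bits deny a given uid and group set, which is the situation behind the `-rw-r----- 1 root adm` listing above. The temporary tree and the uid/gid values are constructed stand-ins, and ACL entries set with setfacl are not evaluated.

```python
import os
import tempfile

def _allowed(st, uid, gids, want):
    """Classic Unix rule: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True                      # root is not limited by mode bits
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def first_denied(path, uid, gids, start="/"):
    """Walk start..path; return (component, needed) for the first block, else None.
    Only mode bits are read; ACL entries added with setfacl are not evaluated."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    parts = [] if rel == "." else rel.split(os.sep)
    chain = [start] + [os.path.join(start, *parts[:i + 1]) for i in range(len(parts))]
    for comp in chain:
        # Directories on the way need search (x); the file itself needs read (r).
        want, label = (4, "read") if comp == path else (1, "search (x)")
        if not _allowed(os.stat(comp), uid, gids, want):
            return comp, label
    return None

def demo():
    """Constructed tree: the creating uid/gid stand in for root/adm."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    logdir = os.path.join(base, "apache2")
    os.mkdir(logdir)
    logfile = os.path.join(logdir, "access.log")
    open(logfile, "w").close()
    os.chmod(logfile, 0o640)             # -rw-r----- as in the listing above
    st = os.stat(logfile)
    svc_uid, svc_gid = st.st_uid + 1000, st.st_gid + 1000   # hypothetical service account
    results = {}
    os.chmod(logdir, 0o755)
    results["not_in_group"] = first_denied(logfile, svc_uid, {svc_gid}, start=base)
    results["in_group"] = first_denied(logfile, svc_uid, {svc_gid, st.st_gid}, start=base)
    os.chmod(logdir, 0o750)              # directory closed to "other"
    results["closed_dir"] = first_denied(logfile, svc_uid, {svc_gid}, start=base)
    return base, results

if __name__ == "__main__":
    for case, verdict in demo()[1].items():
        print(case, "->", verdict or "readable")
```

On a real host, pass the service account's numeric uid and its full set of group ids with the default `start="/"`; a running service only has the groups it had when it was started.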