If you set up logstash to monitor /var/log, you may get errors like this:
{:timestamp=>"2015-12-21T17:21:42.809000+0000", :message=>"failed to open /var/log/auth.log: Permission denied - /var/log/auth.log", :level=>:warn}
{:timestamp=>"2015-12-21T17:21:42.828000+0000", :message=>"failed to open /var/log/kern.log: Permission denied - /var/log/kern.log", :level=>:warn}
Fortunately this is easy to fix – by default logstash creates its own user and group, and you can add its user to the group that owns these log files:
sudo usermod -a -G adm logstash
sudo service logstash restart
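
One way to check which files under /var/log a given set of groups can read, before and after the `usermod` above. This is an added example, not part of the original post: the function names `can_group_read` and `unreadable_logs` are hypothetical, and it assumes GNU `stat` and looks only at the group and other mode bits (not ACLs, owner bits, or directory permissions).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (Linux).
# Checks group/other mode bits only: no ACLs, no owner bits, no directory perms.

# can_group_read FILE GROUP...
# Succeeds if FILE is world-readable, or is group-readable and its owning
# group is one of GROUP...
can_group_read() {
    _file=$1; shift
    _grp=$(stat -c '%G' "$_file") || return 2     # owning group name
    _mode=$(stat -c '%a' "$_file") || return 2    # octal mode, e.g. 640
    _other=$(( $_mode % 10 ))                     # last octal digit
    _group=$(( $_mode / 10 % 10 ))                # middle octal digit
    if [ $(( _other & 4 )) -ne 0 ]; then return 0; fi
    if [ $(( _group & 4 )) -eq 0 ]; then return 1; fi
    for _g in "$@"; do
        if [ "$_g" = "$_grp" ]; then return 0; fi
    done
    return 1
}

# unreadable_logs DIR GROUP...
# Prints "owning-group:mode path" for every regular file under DIR that the
# listed groups cannot read, so you can see which group would actually help.
unreadable_logs() {
    _dir=$1; shift
    find "$_dir" -type f | sort | while IFS= read -r _path; do
        if ! can_group_read "$_path" "$@"; then
            printf '%s %s\n' "$(stat -c '%G:%a' "$_path")" "$_path"
        fi
    done
}

# Usage (run as root so find can see everything under /var/log):
#   unreadable_logs /var/log logstash          # before: what logstash's own group cannot read
#   unreadable_logs /var/log logstash adm      # preview: what is still unreadable with adm added
#   unreadable_logs /var/log $(id -Gn logstash)   # after usermod: current memberships
```

Any file still listed with `adm` included is owned by a different group or has no group-read bit, so adding the user to `adm` will not make it readable.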