Filebeat Error Guide: 'Harvester could not be started ... permission denied' — Fix Log File Access
Fix Filebeat 'Harvester could not be started ... permission denied': grant read access to log files and directories, fix ownership, ACLs, and SELinux.
- #filebeat
- #logging
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
Filebeat logs this when a harvester tries to open a file it has matched with a glob but the OS refuses the open() call. The event is logged per file and the file is skipped, so no lines from it are ever shipped:
Harvester could not be started on new file: /var/log/app/app.log, Err: error setting up harvester: Harvester setup failed. Unexpected file opening error: open /var/log/app/app.log: permission denied
The harvester is the component that reads a single file. When open() returns EACCES, Filebeat cannot read the file’s contents even though the path exists and matched an input path pattern. Filebeat itself keeps running and continues harvesting every other file it can read, which is why this often goes unnoticed until logs from one application silently stop arriving.
Symptoms
- Logs from a specific file or directory never appear in Elasticsearch/Logstash, while other inputs work fine.
journalctl -u filebeatshows repeatedpermission deniedharvester errors, one line per unreadable file.- The path clearly exists and matches the input
paths:glob when you check by hand. - Running Filebeat manually as
rootworks, but the systemd service (running as userfilebeatorrootwith a restrictedUser=) fails. - Newly rotated files are readable but the active log is not, or vice versa.
Common Root Causes
- The Filebeat process user lacks read on the file. The service runs as user
filebeat, but the log is mode0600owned byappuser. - No execute (traverse) bit on a parent directory. Reading
/var/log/app/app.logrequiresxon/var,/var/log, and/var/log/app. - SELinux or AppArmor denies access. On RHEL-family hosts, Filebeat runs confined and cannot read files outside
var_log_tcontexts. - Restrictive umask on the log writer. The application creates logs
0600, excluding group/other reads. - Container volume ownership mismatch. The UID inside the Filebeat container differs from the UID that owns the mounted host logs.
Diagnostic Workflow
First confirm the exact identity Filebeat runs as, then test readability as that identity.
systemctl show filebeat -p User -p Group
sudo -u filebeat cat /var/log/app/app.log | head # reproduce the denial as the real user
namei -l /var/log/app/app.log # show perms on every path component
Validate the config and inputs without touching the pipeline:
# /etc/filebeat/filebeat.yml (excerpt under test)
filebeat.inputs:
- type: filestream
id: app-logs
paths:
- /var/log/app/*.log
filebeat test config -c /etc/filebeat/filebeat.yml # YAML + schema validity
filebeat -e -c /etc/filebeat/filebeat.yml # run in foreground, watch harvester errors live
Check SELinux denials if the file perms look correct:
sudo ausearch -m avc -ts recent | grep filebeat
getenforce
ls -Z /var/log/app/app.log
Example Root Cause Analysis
A team shipped an app that wrote /var/log/payments/txn.log with mode 0600, owner payments:payments. Filebeat ran as User=filebeat. namei -l showed the file line as -rw------- payments payments txn.log — no read bit for group or other, and filebeat was not in the payments group. Everything upstream was fine; the harvester simply never opened the file.
The fix was to add a supplementary group read grant rather than loosen the file to world-readable (payment logs are sensitive):
sudo usermod -aG payments filebeat
sudo chmod 0640 /var/log/payments/txn.log # group can read
sudo systemctl restart filebeat
After restart, sudo -u filebeat cat succeeded, the harvester started, and the backlog flushed within seconds.
Prevention Best Practices
- Add the
filebeatuser to the log owner’s group and set logs to0640instead of making them world-readable. - Ensure every parent directory in the log path has the
x(traverse) bit for the Filebeat user or group. - On SELinux hosts, keep logs in
var_log_t-labeled directories, or add a targeted policy — never blanket-disable SELinux. - In containers, match the container UID/GID to the host log owner, or run Filebeat with a
user:that has read access to the mounted volume. - Set the log writer’s umask so files land as
0640, avoiding the0600trap on new files.
Quick Command Reference
systemctl show filebeat -p User -p Group # confirm run-as identity
namei -l /var/log/app/app.log # perms on each path component
sudo -u filebeat cat /var/log/app/app.log # reproduce denial as Filebeat's user
sudo usermod -aG appgroup filebeat # grant group access
sudo chmod 0640 /var/log/app/app.log # allow group read
sudo ausearch -m avc -ts recent | grep filebeat # check SELinux denials
filebeat test config # validate config
filebeat -e # foreground run to watch harvester errors
Conclusion
Harvester could not be started ... permission denied is almost always a plain filesystem-access problem, not a Filebeat bug. Reproduce the denial as the exact user Filebeat runs as, walk the full path with namei -l, and grant the minimum access needed — a group read bit is safer than world-readable logs. On RHEL hosts, always rule out SELinux before touching Unix permissions. Once the process user can open() the file, the harvester starts on the next scan and ships the backlog automatically.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.