Description
During E2E UX testing for Amazon Security Lake integration (Release 4.14.0 - Alpha 1), we identified a critical issue with the Logstash installation documentation at:
https://documentation-dev.wazuh.com/v4.14.0-alpha1/integrations-guide/amazon-security-lake/index.html
Problem:
The current documentation instructs users to run Logstash with root privileges using sudo -E:
sudo systemctl stop logstash
sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit
However, Logstash 9.0 and later versions no longer support running as the root user, as documented in the official Elastic breaking changes:
https://www.elastic.co/docs/release-notes/logstash/breaking-changes
This breaking change causes the documentation to provide instructions that will fail on current Logstash versions.
Impact:
- Users following the documentation cannot successfully test or run Logstash configuration
- The workflow for sending Wazuh alerts to Amazon Security Lake via Logstash is broken
- No alternative or workaround is provided in the documentation
Required Actions:
- Update the documentation to clearly indicate version-specific instructions
- Provide proper instructions for running Logstash as the logstash user for version 9.0 and later
- Maintain backward compatibility instructions for users still running Logstash versions prior to 9.0
- Document any necessary permission adjustments for certificates and configuration files
- Include proper systemd service configuration as the recommended approach
- Add troubleshooting section for permission-related issues