Promtail: "open /var/log/boot.log: permission denied"

I’m having an issue with some sort of permissions. In Grafana and looking at the logs, I’m always getting an error on the log under “systemd-journal” and it states: “open /var/log/boot.log: permission denied” for several logs that are owned by root. Now I’ve read places that these logs are owned by root and give many people headaches, but specifically to Promtail, I’m not sure what I should do? Do I add Promtail to a specific group or something? Or maybe I’m missing something else?

Did you try running promtail as root? For me it fixed it.

Hmm, excuse my ignorance, but how would I do that, or tell if I’m doing it already? Not sure if it matters, but whenever I install new programs and such, I don’t use the root account (because of bad practices), so my main account has the “sudo” privileges. And I do it that way.

EDIT: Actually I got it to work. Had to manually go into the folder as root, and fire to start the program, and just like @dror1212 stated the errors went away. However, my question now is: how can I start promtail as root as a service so it starts with root when the computer boots up?

EDIT 2: Well, a little more research and I found my solution: I edited the .service under /etc/systemd/system for promtail, and changed the user from the promtail user to root, and it worked like a charm. Solved my own issue. I’m sure this info will come in handy for others if they run into the same problem.

I don’t think it is good practice to run promtail as root. It is better to have a promtail user and add that user to the systemd-journal group:

$ sudo adduser --system promtail
$ cd /var
$ sudo setfacl -R -m u:promtail:rX log
$ sudo chown promtail:promtail /tmp/positions.yaml
$ sudo usermod -a -G systemd-journal promtail

I have to agree with @hubba here, running any application that doesn’t need true root access should not be done. There are better ways to do it via permissions, group associations, and ACLs.

For those on SUSE, this was my fix (assuming you installed Loki and Promtail via Zypper) with the help of hubba:

sudo zypper in acl
sudo useradd -c "Promtail System User" -d "/etc/loki" -M -r promtail -s "/sbin/nologin"
cd /var
sudo setfacl -R -m u:promtail:rX log
sudo usermod -a -G systemd-journal promtail

Then I just needed to make sure the SystemD service file was updated to run as promtail instead of loki.


There are some additional details on hardening of the promtail service here: Getting Logs Into Loki With Promtail
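
An added example, not part of any post in this thread: a shell check for the step discussed above of making sure the systemd service file runs as promtail rather than root. The unit texts, the ExecStart paths and the `promtail` unit name are constructed assumptions.

```shell
#!/bin/sh
# Added example: report which account a systemd unit would run as.
# On a host, feed it the merged unit (unit name "promtail" is an assumption):
#   systemctl cat promtail | effective_user

# effective_user: read unit text on stdin, print the User= that applies.
# A system service with no User= in [Service] runs as root, an empty
# "User=" resets to that default, and a later assignment overrides an
# earlier one (this is how drop-in overrides take effect).
effective_user() {
    awk '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*User[ \t]*=/ {
            sub(/^[ \t]*User[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            user = $0
        }
        END { print (user == "" ? "root" : user) }
    '
}

# runs_as_root: succeeds (exit 0) when the unit on stdin would run as root.
runs_as_root() {
    u=$(effective_user)
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# Constructed sample units, not the packaged promtail.service.
UNIT_ROOT='[Service]
User=root
ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail/config.yml
'
UNIT_NOUSER='[Unit]
Description=Promtail (constructed sample)
[Service]
ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail/config.yml
'
UNIT_FIXED='[Service]
# User=root
User=promtail
ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail/config.yml
'

for name in UNIT_ROOT UNIT_NOUSER UNIT_FIXED; do
    eval "text=\$$name"
    printf '%s: runs as %s\n' "$name" "$(printf '%s' "$text" | effective_user)"
done
```

A unit with no `User=` line is reported as root, which is the case that is easy to miss when reviewing a service file by eye.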