Td-Agent allow root permissions (not working)

[catalinad90]

Td-Agent version: td-agent 1.7.4 (installed from deb http://packages.treasuredata.com/3/ubuntu/bionic/ bionic contrib)
OS: Ubuntu 18.04

I want to configure the td-agent from /etc/default/td-agent to have root priviliges when reading from app logs (for instance Mongodb log file comes with default permissions -rw-------), but doesn't seem to work if I add the following in the default td-agent file:
TD_AGENT_OPTIONS="user root" or TD_AGENT_OPTIONS="group adm"

The service won't start because of permission errors:
/opt/td-agent/embedded/lib/ruby/gems/2.4.0/gems/fluentd-1.7.4/lib/fluent/supervisor.rb:372:in `initialize': Permission denied @ rb_sysopen - /var/log/td-agent/td-agent.log (Errno::EACCES)

If I run the td-agent binary with the below flag it runs fine.

What am I missing because I don't want to be sure if each log file has read permissions, some of them get lost once the log rotation is being done the next day.

Thanks!
Catalina

[vwbusguy]

@catalinad90 - If it's helpful, I use facls instead. setfacl -m 'u:td-agent:r' /some/log/file.log. That way you can grant access to the file to the td-agent user without fluent needing to run as root and without needing to mess with normal file mode permissions/ownership.

[vwbusguy]

If you are seeing the log permissions go away after log rotate, you can use setfacl -d ... on the directory of the log so that the new file will inherit the facl after logrotation.

[catalinad90]

Thank you @vwbusguy , I will try your advice. :)

[repeatedly]

Ubuntu 18.04 is systemd based system, so you can't use some init.d based features.
Overwriting td-agent's systemd setting is also one approach: https://github.com/treasure-data/omnibus-td-agent/blob/master/templates/etc/systemd/td-agent.service.erb#L8