Run Optionsedit

Packetbeat can drop privileges after creating the sniffing socket. Root access is required for opening the socket, but everything else requires no privileges. Therefore, it is recommended that you have Packetbeat switch users after the initialization phase. The uid and gid settings set the User Id and Group Id under which Packetbeat runs.

On Linux, Setuid doesn’t change the uid of all threads, so the Go garbage collector will continue to run as root. Also note that process monitoring only works when running as root.

Example configuration for the runoptions section of the packetbeat.yml config file:


The runoptions configuration is supported on Linux only.