Unable to open file /var/log/nginx/access.log: open /var/log/nginx/access.log: permission denied

[ghost]

whuy i recieve fail state in start service?
$ systemctl start prometheus-nginxlog-exporter

The log contains the following errors ($ journalctl -f)
...
Oct 11 01:36:18 xxxx.fvds.ru prometheus-nginxlog-exporter[2058796]: 2023-10-11T01:36:18.887+0300 fatal prometheus-nginxlog-exporter/main.go:213 Unable to open file /var/log/nginx/access.log: open /var/log/nginx/access.log: permission denied

....
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: prometheus-nginxlog-exporter.service: Main process exited, code=exited, status=1/FAILURE
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: prometheus-nginxlog-exporter.service: Failed with result 'exit-code'.
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: prometheus-nginxlog-exporter.service: Scheduled restart job, restart counter is at 5.
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: Stopped NGINX metrics exporter for Prometheus.
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: prometheus-nginxlog-exporter.service: Start request repeated too quickly.
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: prometheus-nginxlog-exporter.service: Failed with result 'exit-code'.
Oct 11 01:36:19 xxxx.fvds.ru systemd[1]: Failed to start NGINX metrics exporter for Prometheus.

Help me please!

[martin-helmich]

open /var/log/nginx/access.log: permission denied

This looks like a straightforward permissions error; which user owns the access log file (and what are the file's permissions), and under which user does the exporter run? Does it work when you're removing the CapabilityBoundingSet directive from the systemd unit?

[dirkvranckaert]

@martin-helmich I just ran into the same issue. The prometheus-nginxlog-exporter service was running fine for it's first 24 hours, all of the sudden Nginx rolled the files and created a new main log file and the prometheus-nginxlog-exporter stopped because the file could not be accessed, permissions denied...

I've tried your solution of removing CapabilityBoundingSet and that works perfect! Thanks!
Note: When doing so you may not forget to:

• Reload the deamon: systemctl daemon-reload
• Restart the service: sudo systemctl restart prometheus-nginxlog-exporter

[yatesliang]

If you use k8s to deploy this exporter, one possible solution is to run the exporter container as the nginx log files owner by applying security context:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

[HectorB-2020]

solution of removing CapabilityBoundingSet and that works perfect!

@dirkvranckaert, I also end up with removing this directive.

removing the CapabilityBoundingSet directive from the systemd unit

@martin-helmich, can you share original reason why this directive was added to the systemd unit? Has anybody confirmed this exporter working with this directory left in the systemd unit?

[jsabater]

I had the same issue on Debian 12 Bookworm. The file /lib/systemd/system/prometheus-nginxlog-exporter.service runs the exporter as root user but has the CapabilityBoundingSet= directive, which removes all capabilities.

Personally, I added the existing user prometheus (node-exporter was already running on that LXC) to the adm group (since all my logs inside /var/log/nginx/ are owned by the nginx user and the adm group) and modified the file /lib/systemd/system/prometheus-nginxlog-exporter.service as follows:

[Service]
User=prometheus
# CapabilityBoundingSet=

I think this should be the default behaviour of the Debian package provided, hence I am posting this here (which I previously posted on the discussions section)