open umask settings or make them configurable
Log forwarders that run as less than root can't read log files, as they have a umask of 0127 that is hardcoded in util-daemon. That means modifying an upstart script to add a umask, for instance, is ignored.
I think it's "just" a matter of reading in a umask from the suricata.yaml config. Yes, there are security concerns with allowing world-readable; there are also security concerns with log forwarders running as root.
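The effect described in the report, as an added example (not Suricata's code and not part of the original report): a umask that a process sets on itself replaces the one inherited from the init script, so 0127 leaves a log file at 0640 with no read bit for "other". The function names, the scratch path under /tmp, and the assumption that log files are requested with mode 0666 are all hypothetical; `parse_umask` sketches the validation a configurable value would need.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse an octal umask string such as "0127" (hypothetical config value).
 * Returns 0 on success, -1 if empty, non-octal, too long or above 0777. */
int parse_umask(const char *s, mode_t *out)
{
    unsigned v = 0;
    size_t n = 0;
    if (s == NULL) return -1;
    for (; s[n] != '\0'; n++) {
        if (n >= 4 || s[n] < '0' || s[n] > '7') return -1;
        v = v * 8 + (unsigned)(s[n] - '0');
    }
    if (n == 0 || v > 0777) return -1;
    *out = (mode_t)v;
    return 0;
}

/* Set the umask inside the process (as a daemon that calls umask() itself
 * does), create a scratch file with an assumed 0666 request, and return the
 * permission bits it ends up with. (mode_t)-1 on a bad mask or I/O error. */
mode_t log_mode_for(const char *mask_str)
{
    char path[64];
    struct stat st;
    mode_t mask, old;
    int fd, rc;
    if (parse_umask(mask_str, &mask) != 0) return (mode_t)-1;
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld.log", (long)getpid());
    old = umask(mask);   /* replaces whatever umask was inherited */
    /* O_EXCL: fail rather than reuse or follow an existing path */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);          /* restore the caller's umask */
    if (fd < 0) return (mode_t)-1;
    rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (mode_t)(st.st_mode & 0777) : (mode_t)-1;
}

int main(void)
{
    umask(0022); /* stands in for a umask set by the init script */
    printf("in-process 0127 -> %04o\n", (unsigned)log_mode_for("0127"));
    printf("in-process 0022 -> %04o\n", (unsigned)log_mode_for("0022"));
    return 0;
}
```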