18

I've noticed that the mail logs which are being created in /var/log are being created and owned by root (user and group). I've written a Nagios check which monitors the log and in order to allow the Nagios user to access it, I gave the other group read permissions, that is:

chmod o+r /var/log/maillog

Now when I think about it, this is only one log file. When the log file gets filled, the log rotate mechanism will rename this file and open a new one, but the new maillog file will not have the read write which I allowed.

So my question is, how can I make sure that the log rotate mechanism will create all the new maillog files with the right permissions for the Nagios user?

Thanks in advance

Itai Ganot

1 Answer

26

logrotate has the create option:

create mode owner group

Immediately after rotation (before the postrotate script is run) the log file is created (with the same name as the log file just rotated). mode specifies the mode for the log file in octal (the same as chmod(2)), owner specifies the user name who will own the log file, and group specifies the group the log file will belong to. Any of the log file attributes may be omitted, in which case those attributes for the new file will use the same values as the original log file for the omitted attributes. This option can be disabled using the nocreate option.

More info with man logrotate.

Use it like so:

/var/log/maillog {
....
        create 664 user group
....
}

either in /etc/logrotate.conf or a separate file in /etc/logrotate.d and check if no other file already overrides this. How this is configured depends on your OS (e.g. on Ubuntu, this is handled in the rsyslog configuration).

Sven
  • How can I configure that only `/var/log/maillog` future log files will be created with the desired user permissions without changing any of the default settings which are already applied to the maillog? – Itai Ganot Dec 29 '14 at 13:27
  • See my edit and read `man logrotate` (and look into `/etc/logrotate.conf` and `/etc/logrotate.d` for lots of examples). – Sven Dec 29 '14 at 13:35
  • 2
    @ItaiGanot You should also fix your syslog config so that it creates the file with the proper permission, instead of your doing an initial chmod. – Jenny D Dec 29 '14 at 13:53
  • @JennyD, Thanks, that means I should remove the `/var/log/maillog` line from `/etc/logrotate.d/syslog` so the settings in `/etc/logrotate.conf` will take place? – Itai Ganot Dec 29 '14 at 13:56
  • 2
    @ItaiGanot No! It means that you should find out what syslog program you're using (probably either `syslog-ng` or `rsyslog`) and change its configuration. This is necessary because when your system is rebooted, or your syslog program is restarted for some other reason, it may re-create the file with the wrong permission. – Jenny D Dec 29 '14 at 14:36
  • But what are the changes that need to be done? – Itai Ganot Dec 29 '14 at 15:06
  • @Sven, so as it seems your answer is partial, according to JennyD, doing what you proposed will not be enough, would you like to edit your answer and make it complete? thanks – Itai Ganot Dec 29 '14 at 15:09
  • Itai, you didn't specify what OS you are on or what syslog daemon you are using. Also, your question was related to `logrotate` and is sufficiently answered - how to configure your local syslog daemon is actually a new question. Quite frankly, this is something you can look up yourself though - a short google yielded http://www.rsyslog.com/doc/rsconf1_filecreatemode.html as an example. – Sven Dec 29 '14 at 15:18
  • It's not even clear that on *your* system the mailer logs through syslog, as you also didn't specify what mailer you are using. – Sven Dec 29 '14 at 15:21
  • I understand, I'll ask a new question, thanks for your help again. – Itai Ganot Dec 29 '14 at 16:37