rsyslog not logging into /var/log/mail.log? Check permissions!



For a week or so I wondered why on one SMTP server (Ubuntu 16.04 Xenial with Rsyslogd and Postfix) rsyslog never logged into /var/log/mail.log, although this is clearly defined in the rsyslog config file:

# cat /etc/rsyslog.d/50-default.conf | grep mail
mail.*                -/var/log/mail.log
# Logging for the mail system.  Split it up so that
#mail.info            -/var/log/mail.info
#mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err
#    news.none;mail.none    -/var/log/debug
#    mail,news.none        -/var/log/messages
#daemon,mail.*;\
daemon.*;mail.*;\

Instead all log entries from the mail facility were logged into /var/log/syslog.

Yet on another SMTP server the mail facility log entries were correctly logged into /var/log/mail.log. Strangely enough, both systems were set up the same way.

Today I got some time for investigation and found out that the permissions of the folder /var/log were different:

On SMTP01 (where mail logging happened into /var/log/syslog):

root@smtp01:/var# stat log
  File: 'log'
  Size: 4096          Blocks: 8          IO Block: 4096   directory
Device: fc00h/64512d    Inode: 1005        Links: 11
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (  108/  syslog)
Access: 2016-08-22 08:29:56.243493060 +0200
Modify: 2016-08-22 08:29:55.747484499 +0200
Change: 2016-08-22 08:29:55.747484499 +0200
 Birth: -

On SMTP02 (where mail logging happened correctly into /var/log/mail.log):

root@smtp02:/var# stat log
  File: 'log'
  Size: 4096          Blocks: 8          IO Block: 4096   directory
Device: fc01h/64513d    Inode: 1005        Links: 11
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (  108/  syslog)
Access: 2016-08-22 08:25:37.991669507 +0200
Modify: 2016-08-22 06:25:04.620044011 +0200
Change: 2016-08-22 06:25:04.620044011 +0200
 Birth: -

On SMTP01 the permissions were 0755, on SMTP02 0775. Big difference!

After I set the same permissions on smtp01 and restarted rsyslogd, logging of the mail facility started into /var/log/mail.log.

However, I still don't know where this permission difference came from. In no logfile (and I have command auditing active) was I able to find a command that would have edited the permissions.
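
The check that would have caught this, as an added example that is not part of the original post: it reads the file targets out of an rsyslog config and reports which ones the daemon's account cannot write or create. It assumes GNU stat and that rsyslogd runs as an unprivileged account (on the servers above, presumably one in the syslog group that owns /var/log); the function names and the user and group arguments are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat and that
# rsyslogd runs as an unprivileged user; user/group names are passed in.

# Print file targets of selector lines such as "mail.*  -/var/log/mail.log",
# skipping comments and $Directives, dropping the leading "-" (no-sync marker).
rsyslog_targets() {
    awk '!/^[[:space:]]*#/ && $1 !~ /^\$/ && NF >= 2 && $NF ~ /^-?\// {
             sub(/^-/, "", $NF); print $NF }' "$1"
}

# Succeed if user $2 / group $3 holds all bits $4 (octal digit) on path $1.
# Classic owner -> group -> other evaluation; ACLs and supplementary
# groups are not considered.
has_bits() {
    set -- "$@" $(stat -c '%a %U %G' "$1")   # $5=mode $6=owner $7=group
    if   [ "$6" = "$2" ]; then shift_by=6
    elif [ "$7" = "$3" ]; then shift_by=3
    else shift_by=0
    fi
    [ $(( (0$5 >> $shift_by) & $4 )) -eq "$4" ]
}

# An existing file needs write (2); a missing file needs write+search (3)
# on its parent directory so the daemon can create it.
check_target() {   # $1=target $2=user $3=group
    if [ -e "$1" ]; then
        has_bits "$1" "$2" "$3" 2 || { echo "BLOCKED $1: file not writable"; return 1; }
    else
        has_bits "$(dirname "$1")" "$2" "$3" 3 ||
            { echo "BLOCKED $1: cannot create in $(dirname "$1")"; return 1; }
    fi
    echo "OK      $1"
}

# Check every target in config $1 for user $2 / group $3; status 1 if any is blocked.
audit_targets() {
    rc=0
    for t in $(rsyslog_targets "$1"); do
        check_target "$t" "$2" "$3" || rc=1
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/rsyslog.d/50-default.conf syslog syslog
if [ "$#" -eq 3 ]; then audit_targets "$@"; fi
```

With /var/log at 0755 root:syslog, as on smtp01, a missing mail.log is reported as BLOCKED; at 0775 it is reported as OK.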



Comments (newest first)

Jorge Gustavo Rocha wrote on Nov 21st, 2016:

Hi Claudio,
The same happened to me, on an Ubuntu 16.04 deployed on the cloud (Scaleway). On servers deployed from the Ubuntu distribution that never happened before. Thanks for your tip.
Regards,
Gustavo

