For a special application I built a simple monitoring check which reads /var/log/mail.log (and the rotated /var/log/mail.log.1) and counts the number of e-mails sent by that application.
The check itself is executed through NRPE, which runs as the "nagios" user. Therefore the nagios user needs to be able to read /var/log/mail.log. Easy:
# chmod 644 /var/log/mail.log
# chmod 644 /var/log/mail.log.1
I even adapted the logrotate config file to ensure the rotated log file is also readable after a log rotation (using the "create" option):
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
{
    weekly
    missingok
    notifempty
    compress
    delaycompress
    create 644 root adm
    sharedscripts
    postrotate
        invoke-rc.d syslog-ng reload > /dev/null
    endscript
}
I enabled the monitoring check and it worked. But just a couple of minutes later the check returned critical because the nagios user wasn't able to read the log file anymore. I verified and indeed, the permissions of /var/log/mail.log were reset:
$ ll /var/log/mail.log
-rw-r----- 1 root adm 108437 Jun 27 10:00 /var/log/mail.log
It turns out that syslog-ng (which runs on this application server) resets the permissions automatically to the ones defined in the syslog-ng config. By default (here on a Debian Wheezy installation) this means:
# grep 640 /etc/syslog-ng/syslog-ng.conf
owner("root"); group("adm"); perm(0640); stats_freq(0);
This ownership and permission setting is part of syslog-ng's global configuration. Of course I could just set the permissions to 0644 here. But this means that all log files would be readable by all the users on this application server. Some logs contain sensitive information so I wouldn't like to just grant read access to everyone.
Instead, the permissions can also be set in syslog-ng's "destination" option. For /var/log/mail.log this is the default setting:
# grep "mail.log" /etc/syslog-ng/syslog-ng.conf
destination d_mail { file("/var/log/mail.log"); };
For this destination d_mail I want to create special file permissions:
# grep "mail.log" /etc/syslog-ng/syslog-ng.conf
destination d_mail { file("/var/log/mail.log" perm(0644)); };
Followed by a syslog-ng restart:
# /etc/init.d/syslog-ng restart
[ ok ] Stopping system logging: syslog-ng.
[ ok ] Starting system logging: syslog-ng.
Checking the log's file permissions again:
# ll /var/log/mail.log
-rw-r----- 1 root adm 108437 Jun 27 10:00 /var/log/mail.log
Hmm... the permissions are still the same?! Oh, wait... maybe syslog-ng needs to actually receive something from the mail log facility in order to reset the permissions? Let's try that:
# echo "testmail" | mailx -s test root
Checking again:
# ll /var/log/mail.log
-rw-r--r-- 1 root adm 113261 Jun 27 10:55 /var/log/mail.log
Yep, that's it!
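To confirm that only the intended destination was opened up, the effective mode of every file() destination can be listed from the config: the per-destination perm() if present, otherwise the global one. The script below is an added example, not part of the original setup; the function names are hypothetical, the sample config is constructed from the lines shown above, and it assumes each destination and its perm() sit on a single line and that 0600 (syslog-ng's documented default) applies when no global perm() is set.

```shell
#!/bin/sh
# Added example: list the effective perm() of each syslog-ng file() destination.

# Constructed sample config, modelled on the lines quoted in the post.
sample_conf() {
cat <<'EOF'
options { owner("root"); group("adm"); perm(0640); stats_freq(0); };
# per-destination overrides win over the global options
destination d_auth { file("/var/log/auth.log"); };
destination d_mail { file("/var/log/mail.log" perm(0644)); };
EOF
}

# Usage: effective_perms /etc/syslog-ng/syslog-ng.conf   (or config on stdin)
# Prints one line per destination: <path> <perm> <global|destination> <flag>
effective_perms() {
  awk '
    # Return the octal digits inside perm(...), or "" if the line has none.
    function perm_of(s) {
      if (match(s, /perm\([0-7]+\)/)) return substr(s, RSTART + 5, RLENGTH - 6)
      return ""
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    /file\("/ {                              # a file() destination
      match($0, /file\("[^"]+"/)
      path[++n] = substr($0, RSTART + 6, RLENGTH - 7)
      own[n] = perm_of($0)                   # "" when no override is set
      next
    }
    /perm\(/ { global = perm_of($0) }        # perm() outside file(): global
    END {
      if (global == "") global = "0600"      # assumed syslog-ng default
      for (i = 1; i <= n; i++) {
        p = (own[i] != "") ? own[i] : global
        src = (own[i] != "") ? "destination" : "global"
        # The "other" digit has the read bit set when it is 4, 5, 6 or 7.
        flag = index("4567", substr(p, length(p), 1)) ? "WORLD-READABLE" : "restricted"
        print path[i], p, src, flag
      }
    }' "$@"
}

sample_conf | effective_perms
```

On the sample this reports /var/log/auth.log as 0640 from the global options and flags only /var/log/mail.log as world-readable.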
pingu from wrote on Mar 6th, 2023:
Thank you so much! It helped me out!
cm-shg from DE-NRW wrote on Nov 13th, 2020:
very helpful