Those options are also available as local, per-file sources. 

But you are right, this might be a misfeature (or we could also call it a bug) that should be worth changing. But we need to do that carefully, as this has been the syslog-ng behaviour for over a decade :)

btw, we just had a similar github issue (https://github.com/balabit/syslog-ng/issues/1771) just yesterday.

--
Bazsi

On Tue, Nov 21, 2017 at 12:13 PM, Jim Segrave <jes@j-e-s.net> wrote:
We are running syslog-ng on a Centos-7 server:

root@usenetmonitor-fe01.am4:[~]# /usr/sbin/syslog-ng -V
syslog-ng 3 (3.12.1)
Installer-Version: 3.12.1
Revision:
Compile-Date: Nov  3 2017 15:15:50
Module-Directory: //usr/lib64/syslog-ng
Module-Path: //usr/lib64/syslog-ng
Available-Modules: afuser,cef,linux-kmsg-format,sdjournal,confgen,map-value-pairs,json-plugin,affile,kvformat,tfgetent,date,afstomp,csvparser,add-contextual-data,cryptofuncs,system-source,syslogformat,afsocket,afprog,pseudofile,afamqp,snmptrapd-parser,dbparser,xml,stardate,tags-parser,graphite,basicfuncs,disk-buffer
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

When we tried to use syslog-ng to treat a file as a source, it changes the owner and group to root and the permissions to 0664, which is undesirable, as the file must remain writeable by the apache server.

This is the source definition in syslog.conf when we were testing:

source s_dev {
file("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log" flags(no-parse) program-override("custom-test"));
};

with syslog-ng stopped, here's the status of the file:
root@usenetmonitor-fe01:[~]# ls -lt /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
-rw-r----- 1 apache apache 0 Nov 21 11:00 /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log

As soon as syslog-ng is started it becomes

root@usenetmonitor-fe01:[~]# ls -lt /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log
-rw-r--r-- 1 root   root 0 Nov 21 11:00 /var/log/usenetmonitor/soc/cron-logs/Usenetmonitor-Warnings.log

Checking with strace, I find

16258 open("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 24

Followed shortly thereafter by:

16258 fchown(24, 0, -1)                 = 0
16258 fchown(24, -1, 0)                 = 0
16258 fchmod(24, 0664)                  = 0

(and no, fd 24 hasn't been closed and re-opened)

It's unclear to me why syslog-ng would have any reason to change ownership or permissions of file sources. As there are no options for file sources to set what it would change it to, it seems highly undesirable that this happens.

The only workaround is to set global options to disable changing ownership or permissions:

    perm(-1);
    owner(-1);
    group(-1);

and then specify those options for every destination file, which is a maintenance burden.

Is there some other way to stop syslog-ng from altering files used as sources?

--
Jim Segrave
jes@j-e-s.net
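
Added example, not part of the original thread or of syslog-ng itself: a small Python check for the pattern found with strace above, a successful fchown/fchmod on a descriptor that was opened O_RDONLY. It assumes a trace of a single process in the strace format quoted above; the function name and the trace lines after the first four are constructed for illustration.

```python
import re

# First four lines are the strace lines from the post; the rest are constructed.
SAMPLE = """\
16258 open("/var/log/usenetmonitor/dev/cron-logs/Usenetmonitor-Warnings.log", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 24
16258 fchown(24, 0, -1)                 = 0
16258 fchown(24, -1, 0)                 = 0
16258 fchmod(24, 0664)                  = 0
16258 open("/var/log/messages", O_WRONLY|O_CREAT|O_APPEND, 0600) = 25
16258 fchmod(25, 0600)                  = 0
16258 close(24)                         = 0
16258 open("/etc/hosts", O_RDONLY) = 24
16258 fchmod(24, 0644)                  = -1 EPERM (Operation not permitted)
"""

# Optional leading pid column, as printed by strace -f.
OPEN_RE = re.compile(r'^(?:\d+\s+)?open(?:at)?\((?:[^",]+,\s*)?"([^"]*)",\s*([A-Z_|]+)[^)]*\)\s*=\s*(\d+)')
CLOSE_RE = re.compile(r'^(?:\d+\s+)?close\((\d+)\)\s*=\s*0')
META_RE = re.compile(r'^(?:\d+\s+)?(fchown|fchmod)\((\d+),\s*([^)]*)\)\s*=\s*(-?\d+)')


def readonly_metadata_changes(trace):
    """Return (path, syscall, args) for every successful fchown/fchmod
    on a descriptor that is currently open with O_RDONLY."""
    open_fds = {}  # fd -> (path, set of open flags); assumes one fd table
    findings = []
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            path, flags, fd = m.groups()
            open_fds[int(fd)] = (path, set(flags.split("|")))
        elif m := CLOSE_RE.match(line):
            # Forget closed descriptors so a reused fd number is not misattributed.
            open_fds.pop(int(m.group(1)), None)
        elif m := META_RE.match(line):
            call, fd, args, ret = m.groups()
            entry = open_fds.get(int(fd))
            if entry and ret == "0" and "O_RDONLY" in entry[1]:
                findings.append((entry[0], call, args.strip()))
    return findings


if __name__ == "__main__":
    for path, call, args in readonly_metadata_changes(SAMPLE):
        print(f"{call}({args}) applied to read-only source {path}")
```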
