19 May
2021
19 May
'21
7:16 a.m.
Hi Mark, On Tue, May 18, 2021 at 04:57:39PM +0000, Faine, Mark R. (MSFC-IS40)[NICS] wrote:
We have always set permissions on directories that we want the Splunk universal forwarder to be able to read as root:splunk 640, but now security doesn't like this and wants everything under /var/log to always be root:root except for some specific exceptions. We had tried to solve this with an ACL in the past, however, syslog-ng always seems to clobber the ACL, even when it's the default ACL on the folder. Is this a known issue, is there a way to get syslog-ng to play nice with ACLs.
Did you consider using `hook-commands()` to set the ACL on startup ?