RHEL 7 and 8

syslog-ng 3.19 and 3.31


We have always set permissions on directories that we want the Splunk universal forwarder to be able to read as root:splunk 640, but now security doesn't like this and wants everything under /var/log to always be root:root except for some specific exceptions. We had tried to solve this with an ACL in the past; however, syslog-ng always seems to clobber the ACL, even when it's the default ACL on the folder. Is this a known issue, and is there a way to get syslog-ng to play nice with ACLs?


Thanks,

-Mark


Mark Faine

System Administrator

SAIC/NICS

215 Wynn Dr. 5065

Huntsville, AL 35805

256-961-1295 (Desk)

256-617-4861 (Work Cell)
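An added example, not part of Mark's mail and not syslog-ng code: a small POSIX shell script that reproduces the "clobbered ACL" effect outside of syslog-ng. POSIX ACLs carry a mask entry, and chmod(2) on a file that has an extended ACL rewrites that mask from the mode's group bits, which caps the effective rights of every named user and group entry (see acl(5)). Any daemon that forces an explicit mode on the files it creates therefore changes what the inherited default ACL grants, without ever calling setfacl. syslog-ng's file destination `perm()` option is such an explicit mode (its documented default is 0600; verify against your version), while `owner()`/`group()` can keep the files root:root. The directory under `$TMPDIR`, the file name `messages` and the use of the caller's primary group as the reader group are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail, not syslog-ng code).
# Shows how chmod on a file with an extended POSIX ACL rewrites the ACL mask,
# so a default ACL on a log directory appears to be "clobbered" by a daemon
# that applies an explicit file mode (syslog-ng's perm() does this).
# Constructed values: a scratch directory under $TMPDIR, a file "messages",
# and the caller's primary group standing in for the Splunk reader group.

set -u
WORK="${TMPDIR:-/tmp}/acl-demo.$$"
READER_GROUP="${READER_GROUP:-$(id -gn)}"   # must be an existing group name

# Create a root:root-style log directory (0750) whose default ACL grants
# $READER_GROUP read on every file created inside it.
setup_dir() {
    mkdir -p "$WORK/log" || return 1
    chmod 0750 "$WORK/log" || return 1
    setfacl -d -m "g:$READER_GROUP:r" "$WORK/log" || return 1
}

# Print the EFFECTIVE rights of the named-group entry on a file ("r--" or "---").
# getfacl prints "group:NAME:r--" or, when the mask caps it,
# "group:NAME:r--   #effective:---"; we always report the effective value.
effective_rights() {
    getfacl --omit-header "$1" 2>/dev/null | \
        awk -v g="group:$READER_GROUP:" '
            index($0, g) == 1 {
                if (match($0, /#effective:[-rwx]+/)) print substr($0, RSTART + 11, 3)
                else print substr($0, length(g) + 1, 3)
                exit
            }'
}

# Play the role of the log daemon and print three fields:
#   rights right after creation (inherited from the default ACL),
#   rights after chmod 0600 (what a perm(0600) setting does),
#   rights after chmod 0640 (mode group bits r-- keep the mask at r--).
# Expected output: "r-- --- r--"
run_demo() {
    setup_dir || return 1
    f="$WORK/log/messages"
    : > "$f"                          # new file inherits the directory's default ACL
    a=$(effective_rights "$f")        # "r--": the ACL works as intended
    chmod 0600 "$f"                   # explicit mode: mask entry becomes ---, ACL "clobbered"
    b=$(effective_rights "$f")        # "---": named group has no effective access
    chmod 0640 "$f"                   # group bits r-- -> mask r--, ACL usable again
    c=$(effective_rights "$f")        # "r--"
    rm -rf "$WORK"
    printf '%s %s %s\n' "$a" "$b" "$c"
}

main() {
    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        echo "setfacl/getfacl not installed; nothing to demonstrate"
        return 0
    fi
    if result=$(run_demo); then
        echo "inherited / after chmod 0600 / after chmod 0640: $result"
    else
        echo "filesystem does not support POSIX ACLs here"
        rm -rf "$WORK"
    fi
}

main "$@"
```

On a real host the same check is `getfacl /var/log/messages` after syslog-ng has created the file: a `#effective:` column on the reader group's line means the mask, not the ACL entry, is what removed access, and the file mode syslog-ng applies (its `perm()` value) is the knob to look at. The directory itself is untouched by this: a default ACL on the folder is never changed by chmod on the files within it, which is why the folder still looks correct while every new file is masked.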