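At first I changed the ownership and permissions with chown / chmod, but a day later they had reverted to their original state.
I found that logrotate resets them when it rotates the logs each day. Looking at its configuration file: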
/var/log/messages {
    compress
    dateext
    maxage 365
    rotate 99
    missingok
    notifempty
    size +4096k
    create 640 root root
    sharedscripts
    postrotate
        /etc/init.d/syslog reload > /dev/null
    endscript
}
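I noticed the statement create 640 root root, which looked relevant, so I changed it to create 770 root logging.
Then I tested with the command logrotate -vf /etc/logrotate.d/syslog and found the file was still the same as before.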
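Later, commenting out these lines
    sharedscripts
    postrotate
        /etc/init.d/syslog reload > /dev/null
    endscript
made it work, so I concluded that the change was being made when the syslog program reloaded its configuration file. Checking the related processes: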
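The program /sbin/syslog-ng shows up, which means that SUSE uses this program for log management.
I located its configuration file, /etc/syslog-ng/syslog-ng.conf, and went through it. It contains this statement: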
#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); group(1001); stats(3600); };
So the relevant options can be set here. The detailed description is as follows:
OPTIONS
You can specify several global options to syslog-ng in the options statement:

    options { opt1; opt2; ... };

Where an option can be any of the following:

chain_hostnames(yes|no)
    Enable or disable the chained hostname format.
long_hostnames(yes|no)
    This is a deprecated alias for chain_hostnames().
keep_hostname(yes|no)
    Specifies whether to trust hostname as it is included in the log message. If keep_hostname is yes and there is a hostname in the message it is not touched, otherwise it is always rewritten based on the information where the message was received from.
use_dns(yes|no)
    Enable or disable DNS usage. syslog-ng blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your syslog-ng network endpoint with firewall rules, and make sure that all hosts, which may get to syslog-ng is resolvable.
use_fqdn(yes|no)
    Add Fully Qualified Domain Name instead of short hostname.
check_hostname(yes|no)
    Enable or disable whether the hostname contains valid characters.
bad_hostname(regex)
    A regexp which matches hostnames which should not be taken as such.
dns_cache(yes|no)
    Enable or disable DNS cache usage.
dns_cache_expire(n)
    Number of seconds while a successful lookup is cached.
dns_cache_expire_failed(n)
    Number of seconds while a failed lookup is cached.
dns_cache_size(n)
    Number of hostnames in the DNS cache.
create_dirs(yes|no)
    Enable or disable directory creation for destination files.
dir_owner(uid)
    User id.
dir_group(gid)
    Group id.
dir_perm(perm)
    Permission value (octal mask).
owner(uid)
    User id for created files.
group(gid)
    Group id for created files.
perm(perm)
    Permission value for created files.
gc_busy_threshold(n)
    Sets the threshold value for the garbage collector, when syslog-ng is busy. GC phase starts when the number of allocated objects reach this number. Default: 3000.
gc_idle_threshold(n)
    Sets the threshold value for the garbage collector, when syslog-ng is idle. GC phase starts when the number of allocated objects reach this number. Default: 100.
log_fifo_size(n)
    The number of lines fitting to the output queue. An output queue is present for all destinations.
log_msg_size(n)
    Maximum length of message in bytes (NOTE: some syslogd implementations have a fixed limit of 1024 characters).
mark(n)
    The number of seconds between two MARK lines. NOTE: not implemented yet.
stats(n)
    The number of seconds between two STATS messages.
sync(n)
    The number of lines buffered before written to file (can be overridden locally).
time_reap(n)
    The time to wait before an idle destination file is closed.
time_reopen(n)
    The time to wait before a died connection is reestablished.
use_time_recvd(yes|no)
    This variable is used only for macro expansion where the meaning of the time specific macros depend on this setting, however as there are separate macros for referring to the received timestamp (R_ macros) and the log message timestamp (S_), so using this value is not recommended.
The uid / gid / perm options listed there are exactly the three we need.
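As an added example (not part of the original post), this Python check compares the create line of the logrotate stanza with the global perm() and group() options in syslog-ng.conf, since the post shows syslog-ng reapplying its own values when it is reloaded. The configuration strings and the group map are constructed samples modelled on the post, and the function names are hypothetical.

```python
import re

# Constructed sample inputs modelled on the configuration shown on this page.
LOGROTATE_CONF = """\
/var/log/messages {
    create 640 root logging
    postrotate
        /etc/init.d/syslog reload > /dev/null
    endscript
}
"""
SYSLOG_NG_BEFORE = "# Global options.\noptions { long_hostnames(off); sync(0); perm(0640); stats(3600); };\n"
SYSLOG_NG_AFTER = "options { long_hostnames(off); sync(0); perm(0640); group(1001); stats(3600); };\n"
GROUPS = {"root": 0, "logging": 1001}  # constructed from the group entry logging:!:1001:


def logrotate_create(conf, logfile):
    """Return (mode, owner, group) from the 'create' line of logfile's stanza."""
    stanza = re.search(r"^%s\s*\{(.*?)\}" % re.escape(logfile), conf, re.M | re.S)
    if not stanza:
        return None
    m = re.search(r"^\s*create\s+(\d+)\s+(\S+)\s+(\S+)", stanza.group(1), re.M)
    return (int(m.group(1), 8), m.group(2), m.group(3)) if m else None


def syslog_ng_options(conf):
    """Return perm/owner/group from the uncommented global options statement."""
    active = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    block = re.search(r"\boptions\s*\{(.*?)\}", active, re.S)
    opts = dict(re.findall(r"(\w+)\(([^)]*)\)", block.group(1))) if block else {}
    return {k: opts.get(k) for k in ("perm", "owner", "group")}


def mismatches(create, opts, groups):
    """List where syslog-ng would undo what logrotate's 'create' sets."""
    mode, _owner, group = create  # owner is not compared; the post leaves it as root
    found = []
    if opts["perm"] is None or int(opts["perm"], 8) != mode:
        found.append("perm: logrotate %o, syslog-ng %s" % (mode, opts["perm"]))
    have = opts["group"]  # may be a numeric gid or a group name
    have_gid = int(have) if have and have.isdigit() else groups.get(have)
    if have is None or groups.get(group) != have_gid:
        found.append("group: logrotate %s, syslog-ng %s" % (group, have))
    return found


if __name__ == "__main__":
    create = logrotate_create(LOGROTATE_CONF, "/var/log/messages")
    print(mismatches(create, syslog_ng_options(SYSLOG_NG_BEFORE), GROUPS))
```

An option that is missing from the options statement is reported as a mismatch on the assumption that syslog-ng then applies its own default rather than the value logrotate set.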
Summary:
1. Edit the configuration file /etc/syslog-ng/syslog-ng.conf
Change
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
to
options { long_hostnames(off); sync(0); perm(0640); group(1001); stats(3600); };
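Note: the group id is the ID number of the group logging, taken from its group entry logging:!:1001:
2. Edit the configuration file /etc/logrotate.d/syslog
In the /var/log/messages section, change the line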
create 640 root root
to
create 640 root sa_logging
3. After restarting, the result is as shown in the figure below: