16

For some tests I'm doing, I'm required to remotely tail the apache access log via ssh. I can successfully do that only when the permissions are accurately set for the log. I've noticed that once a week, a new apache access.log is created and the permissions are reset.

My current work around is editing the permissions on the log once a week:

chmod 644 /var/log/apache2/access.log

I was wondering if there was a more permanent solution such as extending the time that the old log remains or automatically setting permissions when the new log is created.

If it matters, I'm running the server on Ubuntu 11.10

Isaac Freeman
  • 308
  • 2
  • 16
Parth
  • 1,226
  • 7
  • 28
  • 49

2 Answers2

29

Edit your logrotate.conf file to set the correct owner/permissions for the apache.log file. Something like this:

/var/log/apache2/access.log {
    weekly
    create 0644 root utmp
    rotate 1
}

(Edit: Changed mode from 0744 to 0644. No need to set the execute bit.)

Isaac Freeman
  • 308
  • 2
  • 16
Kirby Todd
  • 11,254
  • 3
  • 32
  • 60
  • 9
    In some cases the configuration may be in `/etc/logrotate.d/apache2` instead. – jevon Feb 13 '13 at 04:29
  • 4
    However if you edit `/etc/logrotate.d/apache2`, then your changes will be lost the next time you upgrade Apache. You should be modifying `logrotate.conf` directly instead, after the `include` (so your configuration overrides). – jevon Apr 02 '13 at 00:17
  • @jevon your proposition generates an error: `duplicate log entry for /var/log/apache2/access.log` – GergelyPolonkai Aug 10 '15 at 07:27
0

Maybe another application, like logrotate, is altering the logs? (Sounds like it, as it only happens weekly) I don't think Apache itself is responsible for the permissions chance.

A good place to start is check /etc/cron./* to see if any cron jobs are touching the access.log

Good luck!

Wesley
  • 693
  • 4
  • 9
  • 1
    I think he **wants** to set the `access.log` to `777` so that anyone can view the log. Well probably `744` is better so that others can't modify the log. – hobbes3 Mar 05 '12 at 14:30
  • 1
    No, it's better to find what program modifies the log's permissions, instead of blindly setting permissions. If it is logrotate, then it might break because it doesn't have enough permissions. – Wesley Mar 05 '12 at 14:43