一开始是用chown / chmod进行修改的,但是一天后就恢复原来 的样子
发现是logrotate这个程序每天对日志进行转储的时候会修改掉,查看配置文件
/var/log/messages {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload > /dev/null
endscript
}发现有个 create 640 root root 语句很像。就修改为create 770 root logging。
然后用命令logrotate -vf /etc/logrotate.d/syslog 进行测试的时候发现还是原来的样子。
后来把
sharedscripts postrotate /etc/init.d/syslog reload > /dev/null endscript
这几名注释掉就可以了,断定是syslog 程序重新加载配置文件做的修改,查看相关进程
可以看到/sbin/syslog-ng这个程序,说明SUSE下是使用这个程序来进行日志管理的。
找到它的配置文件/etc/syslog-ng/syslog-ng.conf 进行分析。里面有这么一句:
#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); group(1001); stats(3600); };查看到可以设置相关的选项。详细说明如下:
OPTIONS
You can specify several global options to syslog-ng in the options statement:
options { opt1; opt2; ... };
Where an option can be any of the following:
chain_hostnames(yes|no)
Enable or disable the chained hostname format.
long_hostnames(yes|no)
This is a deprecated alias for chain_hostnames().
keep_hostname(yes|no)
Specifies whether to trust hostname as it is included in the log message. If keep_hostname is yes and there is a hostname
in the message it is not touched, otherwise it is always rewritten based on the information where the message was received
from.
use_dns(yes|no)
Enable or disable DNS usage. syslog-ng blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To
prevent DoS, protect your syslog-ng network endpoint with firewall rules, and make sure that all hosts, which may get to
syslog-ng is resolvable.
use_fqdn(yes|no)
Add Fully Qualified Domain Name instead of short hostname.
check_hostname(yes|no)
Enable or disable whether the hostname contains valid characters.
bad_hostname(regex)
A regexp which matches hostnames which should not be taken as such.
dns_cache(yes|no)
Enable or disable DNS cache usage.
dns_cache_expire(n)
Number of seconds while a successful lookup is cached.
dns_cache_expire_failed(n)
Number of seconds while a failed lookup is cached.
dns_cache_size(n)
Number of hostnames in the DNS cache.
create_dirs(yes|no)
Enable or disable directory creation for destination files.
dir_owner(uid)
User id.
dir_group(gid)
Group id.
dir_perm(perm)
Permission value (octal mask).
owner(uid)
User id for created files.
group(gid)
Group id for created files.
perm(perm)
Permission value for created files.
gc_busy_threshold(n)
Sets the threshold value for the garbage collector, when syslog-ng is busy. GC phase starts when the number of allocated
objects reach this number. Default: 3000.
gc_idle_threshold(n)
Sets the threshold value for the garbage collector, when syslog-ng is idle. GC phase starts when the number of allocated
objects reach this number. Default: 100.
log_fifo_size(n)
The number of lines fitting to the output queue. An output queue is present for all destinations.
log_msg_size(n)
Maximum length of message in bytes (NOTE: some syslogd implementations have a fixed limit of 1024 characters).
mark(n)
The number of seconds between two MARK lines. NOTE: not implemented yet.
stats(n)
The number of seconds between two STATS messages.
sync(n)
The number of lines buffered before written to file (can be overridden locally).
time_reap(n)
The time to wait before an idle destination file is closed.
time_reopen(n)
The time to wait before a died connection is reestablished.
use_time_recvd(yes|no)
This variable is used only for macro expansion where the meaning of the time specific macros depend on this setting, how-
ever as there are separate macros for referring to the received timestamp (R_ macros) and the log message timestamp (S_),
so using this value is not recommended.可以看到里面的uid/gid/perm这三个选项正是我们要的。
总结:
1、修改配置文件/etc/syslog-ng/syslog-ng.conf
把
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
修改为
options { long_hostnames(off); sync(0); perm(0640); group(1001); stats(3600); };
说明:在groupid为组logging:!:1001: 对应的ID号
2、修改配置文件 /etc/logrotate.d/syslog
把/var/log/messages 中的行
create 640 root root
修改为
create 640 root sa_logging
3、重启后结果如下图所示:
