• Status: Solved

RHEL how to access /var/log files

We have RHEL servers and root has access to /var/log.
I want to give access to USER_A.
The point is that these are in "circular" mode, so when they get recreated, USER_A doesn't have access to these files any more.

How can I correct this issue? Any input would be appreciated.
The behavior of the logfiles permissions is controlled by logrotate, it is NOT governed by the syslog service as you might otherwise be inclined to think. Syslog uses whatever permissions already happen to be set on the logfile, it's up to you (or, in this case, up to logrotate) to actually create the file with the appropriate permissions.

Logrotate is configured by the files in /etc/logrotate.d/, or if that doesn't exist, by the config file /etc/logrotate.conf.

This configuration is where you tell logrotate how to behave for different log files - what the permissions for the new logfile should be, how often it is rotated, what happens when the file is empty, whether to compress the logfile when rotating etc...

Read the man page for logrotate:


And look at some of the existing conf files on your system to get an idea for how your logs are being rotated.

In my case, I have a custom application running on my server which saves to the logfile "/var/log/myapp.log". I want that log to rotate, and that log file to be readable by users other than root - very similar situation as yours.

So, I have a file /etc/logrotate.d/myapp, which contains the following:

/var/log/myapp.log {
    weekly
    notifempty
    missingok
    create 0644 root root
}

This means rotate the log weekly, don't rotate if the logfile is empty, it's not an error condition if the logfile is missing, and after rotating, create the file with 0644 permissions (u=rw,g=r,o=r) and with ownership set to "root:root".

Note that this doesn't affect already existing files in the /var/log directory, you'll have to chmod those files yourself manually.
This is a classic task for "sudo" and "sudoedit".

sudo should be installed by default on your system, so change the sudo configuration like this:



An editor (probably vim) will open and load the file /etc/sudoers.


USER_A   ALL = NOPASSWD: sudoedit /var/log/myfile.log

Save the file as usual.

USER_A can now issue

sudoedit /var/log/myfile.log

to edit (vim) the log file with root privileges.

To allow editing all files under /var/log you could add this line instead of the above one:

USER_A   ALL = NOPASSWD: sudoedit /var/log/*

c_hockland (Author) commented:
OK, just one variation... they only need read access,
and instead of USER_A it has to be Group_A.

So what changes?

Many thanks.
Specify an existing Unix group like this:

%Group_A   ALL = NOPASSWD: sudoedit /var/log/*

Please note the percent sign!

Granting read access only is not possible with sudoedit, unfortunately.

Do your users need an editor to access the file?
Couldn't "more" (or "less") do the trick?

%Group_A   ALL = NOPASSWD: /usr/bin/less /var/log/*

This solution implies that the respective user must issue

sudo less /var/log/myfile.log

to display the file's contents.
c_hockland (Author) commented:
My boss doesn't approve of having the users issuing sudo.

Is there another way to do it, maybe with logrotate, or another approach to avoid sudo?
Do you use "logrotate" to rotate the files in question?

If so please reread Frosty555's comment above.

The clue is the "create" statement, which defines user/group and permissions of the new original logfile after rotation. You don't have to specify user and group, if it's just for read access specify "create 0644" similar to what's been suggested by Frosty555.

If you don't use logrotate, what do you mean with "circular" mode?
Is there an application which would cycle the logs?

If so, and if you can't change that application's behaviour you could, as a last resort, run a cron job regularly to add "read" permission for "others" to the files in /var/log.

Example crontab entry to allow read access for "others" to all files in /var/log every full hour:

0 * * * * /usr/bin/chmod o+r /var/log/*

Add the above line to root's crontab by means of "crontab -e"
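
Added example, not written by any poster in this thread: a shell check that reads a logrotate configuration and reports, per log path, the mode, owner and group that "create" will apply to the new file after rotation, separating world-readable results (such as 0644) from group-only ones (such as 0640 with Group_A). The sample configuration, its paths other than /var/log/myapp.log, and the function names are constructed for illustration; global directives outside stanzas and "include" lines are not evaluated.

```shell
# Added example: report what each logrotate stanza's "create" directive
# gives the fresh log file. Usage: audit_create GROUP < logrotate-config
audit_create() {
    awk -v want="$1" '
    { sub(/#.*/, "") }                      # drop comments
    NF == 0 { next }                        # skip blank lines
    /[{][ \t]*$/ {                          # stanza header: paths then "{"
        sub(/[ \t]*[{][ \t]*$/, "")
        n = split($0, paths, /[ \t]+/)
        in_stanza = 1; mode = owner = group = ""
        next
    }
    in_stanza && $1 == "create" {           # create [mode] [owner group]
        if ($2 ~ /^[0-7]+$/) { mode = $2; owner = $3; group = $4 }
        else                 { owner = $2; group = $3 }
    }
    in_stanza && $1 == "}" {
        for (i = 1; i <= n; i++)
            if (paths[i] != "")
                print paths[i], dash(mode), dash(owner), dash(group), verdict(mode, group)
        in_stanza = 0
    }
    function dash(s) { return s == "" ? "-" : s }
    function verdict(m, g,    other, grp) {
        # No explicit mode: it comes from a global default, the old file or the writer.
        if (m == "") return "no-explicit-mode"
        other = substr(m, length(m), 1) + 0      # last octal digit: others
        grp   = substr(m, length(m) - 1, 1) + 0  # second to last: group
        if (other >= 4) return "world-readable"
        if (grp >= 4 && g == want) return "group-readable"
        return "not-readable-by-group"
    }'
}
# Constructed sample configuration (illustrative stanzas, not from the thread).
sample_conf() {
cat <<'EOF'
/var/log/myapp.log {
    create 0644 root root
}
/var/log/secure-app.log /var/log/secure-app.err {
    create 0640 root Group_A
}
/var/log/legacy.log {
    monthly
}
EOF
}
sample_conf | audit_create Group_A
```

Run it against a real file with `audit_create Group_A < /etc/logrotate.d/myapp`; a "group-readable" verdict only helps if the users are members of that group and can traverse the directory holding the log.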
Question has a verified solution.