Setting file permissions for rotating logs (Linux)

The Datadog Agent runs under the dd-agent user and dd-agent group. This prevents the Datadog Agent from accessing the logs in /var/log as they are only accessible by root (or a sudo admin).

Setting permissions using ACLs

In order to allow read-only access for datadog-agent only, create ACLs and modify logrotate to persist the permissions changes.

Verifying ACLs are enabled on your system

ACLs needs to be enabled on your file system to set permissions using the methods outlined in this article. Verify ACLs are enabled by using thegetfacl and setfacl commands to set permissions for the datadog-agent user on a test directory, for example:

mkdir /var/log/test-dir
getfacl /var/log/test-dir/
setfacl -m u:dd-agent:rx /var/log/test-dir
getfacl /var/log/test-dir/

The permissions set for datadog-agent appears in the output of getfacl if ACLs are enabled.

Setting file permission

Granting dd-agent read and execute permissions on log directories

Once you have verified ACLs are enabled, grant read and execute permissions for the datadog-agent user on the appropriate directories for log collection. For example, to grant access to /var/log/apache , run:

setfacl -m u:dd-agent:rx /var/log/apache

Learn more about how to configure ACLs on linux

Setting permissions for log file rotation

Setting the permissions once will not persist for rotating logs, as logrotate does not re-apply the ACL setting. For a more permanent solution add a rule to logrotate to reset the ACL in a new file:

sudo touch /etc/logrotate.d/dd-agent_ACLs

Example file:

/var/log/apache/*.log {
 postrotate
 /usr/bin/setfacl -m g:dd-agent:rx /var/log/apache/access.log
 /usr/bin/setfacl -m g:dd-agent:rx /var/log/apache/error.log
 endscript
}

Check the ACL status of a file with:

getfacl /var/log/apache/access.log

Note: For PostgreSQL v10 and older, set the permission to 0700. For PostgreSQL v11, set either 0700 or 0750. Trying to start a server with a base data folder that has permissions different from 0700 or 0750 will result in a failure of the postmater process.

Note: The PostgreSQL logging directory cannot be located in the same directory as the base PostgreSQL installation.

Setting permissions when ACLs are not present

When ACLs are not present in a system, set your permissions based on group access.

For instance, if your MySQL service is logging to the following locations:

/var/log/mysql/mysql_error.log
/var/log/mysql/mysql-slow.log

Their permissions are associated with user ‘mysql’ and the group ‘mysql’ by default. This logging scheme denies access to the log file to any user not in the ‘mysql’ group. Typically you may see something like this:

$ ls -l /var/log | grep -i mysql
drwxr-x--- 2 mysql mysql 4096 Feb 20 06:25 mysql

The easiest path here is to give everyone read access to the file in the logrotate configuration:

/var/log/mysql/mysql_error.log /var/log/mysql/mysql-slow.log {

        daily
        rotate 7
        missingok
        create 644 mysql adm
        compress
}

Each common off-the-shelf application will follow a similar nomenclature. The advantage is that you avoid providing privileged access to an individual account and use a standardized practice. This keeps your audit rules in check.

Further Reading