I have installed nxlog to send my logs to a graylog server. It works fine, but I get a permission denied error on the logs of my HIDS Ossec.
My nxlog process (launched by collector-sidecar) runs as root:
# ps -ef | grep collector
root 1869 1 0 13:23 ? 00:00:03 /usr/bin/graylog-collector-sidecar
root 1905 1869 0 13:23 ? 00:00:29 /usr/bin/nxlog -f -c /etc/graylog/collector-sidecar/generated/nxlog.conf
In the nxlog.conf, I have:
User root
Group adm
The rights on the OSSEC logs are as follows (ossec:ossec for /var/ossec/logs):
# namei -l /var/ossec/logs/active-responses.log
f: /var/ossec/logs/active-responses.log
drwxr-xr-x root root /
drwxr-xr-x root root var
dr-xr-x--- root ossec ossec
drwxr-x--- ossec ossec logs
-rw-r--r-- root ossec active-responses.log
So, the user ossec and the members of the group OSSEC can read this file (I think).
I added root to the group ossec:
# id
uid=0(root) gid=0(root) groupes=0(root),1005(ossec)
I tested with a reboot of my server, but I read in the nxlog logs:
ERROR apr_stat failed on file /var/ossec/logs/active-responses.log;Permission denied
When I chown the directory /var/ossec/logs to root, to have:
# namei -l /var/ossec/logs/active-responses.log
f: /var/ossec/logs/active-responses.log
drwxr-xr-x root root /
drwxr-xr-x root root var
dr-xr-x--- root ossec ossec
drwxr-x--- root ossec logs
-rw-r--r-- root ossec active-responses.log
So why, when I put root in the ossec group, can't my nxlog process read this file?
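As an added example (not part of the original post), the script below applies the classic Unix owner/group/other check to the two namei -l chains shown above, using credentials parsed from /proc/<pid>/status text; `id` typed in a shell reports that shell's groups, not those of the running nxlog process. The status excerpts are constructed, and adm=4 and the uid of ossec are assumed values.

```python
# Ids: 0 and 1005 come from the post's `id` output; adm=4 and uid(ossec)=1005 are assumed.
IDS = {"root": 0, "ossec": 1005, "adm": 4}
DAC_CAPS = (1 << 1) | (1 << 2)  # CAP_DAC_OVERRIDE | CAP_DAC_READ_SEARCH

# Path chains copied from the post's two `namei -l` listings: (name, owner, group, mode).
TOP = [("/", "root", "root", "drwxr-xr-x"), ("var", "root", "root", "drwxr-xr-x"),
       ("ossec", "root", "ossec", "dr-xr-x---")]
LOG = ("active-responses.log", "root", "ossec", "-rw-r--r--")
CHAIN_BEFORE = TOP + [("logs", "ossec", "ossec", "drwxr-x---"), LOG]
CHAIN_AFTER = TOP + [("logs", "root", "ossec", "drwxr-x---"), LOG]

def parse_status(text):
    """Pull effective uid/gid, supplementary groups and CapEff out of /proc/<pid>/status."""
    f = {k: v.split() for k, _, v in (l.partition(":") for l in text.splitlines())}
    return {"euid": int(f["Uid"][1]), "egid": int(f["Gid"][1]),
            "groups": {int(g) for g in f.get("Groups", [])},
            "capeff": int(f["CapEff"][0], 16)}

def first_denied(chain, cred):
    """Return the first path component the credentials cannot search/read, else None."""
    if cred["capeff"] & DAC_CAPS:
        return None  # DAC read/search checks are bypassed by these capabilities
    for name, owner, group, mode in chain:
        if cred["euid"] == IDS[owner]:
            triad = mode[1:4]      # owner bits
        elif IDS[group] in cred["groups"] | {cred["egid"]}:
            triad = mode[4:7]      # group bits
        else:
            triad = mode[7:10]     # other bits
        # Directories need search (x); the final file needs read (r).
        needed, pos = ("x", 2) if mode[0] == "d" else ("r", 0)
        if triad[pos] != needed:
            return name
    return None

def make_status(groups, capeff):
    """Constructed /proc/<pid>/status excerpt for a uid 0 / gid adm process."""
    return f"Name:\tdemo\nUid:\t0\t0\t0\t0\nGid:\t4\t4\t4\t4\nGroups:\t{groups}\nCapEff:\t{capeff}\n"

NO_OSSEC = parse_status(make_status("4", "0000000000000000"))
WITH_OSSEC = parse_status(make_status("4 1005", "0000000000000000"))
WITH_CAPS = parse_status(make_status("4", "000001ffffffffff"))

if __name__ == "__main__":
    for label, cred in [("no ossec group", NO_OSSEC), ("ossec group", WITH_OSSEC),
                        ("DAC caps", WITH_CAPS)]:
        print(label, first_denied(CHAIN_BEFORE, cred), first_denied(CHAIN_AFTER, cred))
```

To check a live process, pass the contents of /proc/<pid>/status for that pid to parse_status instead of the constructed excerpts.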