rsyslog not logging into /var/log/mail.log? Check permissions!

Written by - 1 comments

Published on - Listed in Linux Mail


For a week or so I wondered why on one SMTP server (Ubuntu 16.04 Xenial with Rsyslogd and Postfix) rsyslog never logged into /var/log/mail.log, although this is clearly defined in the rsyslog config file:

 # cat /etc/rsyslog.d/50-default.conf | grep mail
mail.*                -/var/log/mail.log
# Logging for the mail system.  Split it up so that
#mail.info            -/var/log/mail.info
#mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err
#    news.none;mail.none    -/var/log/debug
#    mail,news.none        -/var/log/messages
#daemon,mail.*;\
daemon.*;mail.*;\

Instead all log entries from the mail facility were logged into /var/log/syslog.

Yet on another SMTP server the mail facility log entries were correctly logged into /var/log/mail.log. Strangely enough, both systems were set up the same way.

Today I got some time for investigation and found out, that the permissions of the folder /var/log was different:

On SMTP01 (where mail logging happened into /var/log/syslog):

root@smtp01:/var# stat log
  File: 'log'
  Size: 4096          Blocks: 8          IO Block: 4096   directory
Device: fc00h/64512d    Inode: 1005        Links: 11
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (  108/  syslog)
Access: 2016-08-22 08:29:56.243493060 +0200
Modify: 2016-08-22 08:29:55.747484499 +0200
Change: 2016-08-22 08:29:55.747484499 +0200
 Birth: -

On SMTP01 (where mail logging happened correctly into /var/log/mail.log):

 root@smtp02:/var# stat log
  File: 'log'
  Size: 4096          Blocks: 8          IO Block: 4096   directory
Device: fc01h/64513d    Inode: 1005        Links: 11
Access: (0775/drwxrwxr-x)  Uid: (    0/    root)   Gid: (  108/  syslog)
Access: 2016-08-22 08:25:37.991669507 +0200
Modify: 2016-08-22 06:25:04.620044011 +0200
Change: 2016-08-22 06:25:04.620044011 +0200
 Birth: -

On SMTP01 the permissions were 0755, on SMTP02 0775. Big difference!

After I set the same permissions on smtp01 and restarting rsyslogd, logging of the mail facility started into /var/log/mail.log.

However I still don't know where this permission diff came from. In no logfile (and I have command auditing active) I was able to find a command who'd have edited the permissions.


Add a comment

Show form to leave a comment

Comments (newest first)

Jorge Gustavo Rocha from wrote on Nov 21st, 2016:

Hi Claudio,
The same happened to me, on a Ubuntu 16.04 deployed on the cloud (scalaway). On servers deployed from the Ubuntu distribution that never happened before. Thanks for your tip.
Regards,
Gustavo