For a week or so I wondered why on one SMTP server (Ubuntu 16.04 Xenial with Rsyslogd and Postfix) rsyslog never logged into /var/log/mail.log, although this is clearly defined in the rsyslog config file:
# cat /etc/rsyslog.d/50-default.conf | grep mail
mail.* -/var/log/mail.log
# Logging for the mail system. Split it up so that
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# news.none;mail.none -/var/log/debug
# mail,news.none -/var/log/messages
#daemon,mail.*;\
daemon.*;mail.*;\
Instead all log entries from the mail facility were logged into /var/log/syslog.
Yet on another SMTP server the mail facility log entries were correctly logged into /var/log/mail.log. Strangely enough, both systems were set up the same way.
Today I got some time for investigation and found out, that the permissions of the folder /var/log was different:
On SMTP01 (where mail logging happened into /var/log/syslog):
root@smtp01:/var# stat log
File: 'log'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fc00h/64512d Inode: 1005 Links: 11
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 108/ syslog)
Access: 2016-08-22 08:29:56.243493060 +0200
Modify: 2016-08-22 08:29:55.747484499 +0200
Change: 2016-08-22 08:29:55.747484499 +0200
Birth: -
On SMTP01 (where mail logging happened correctly into /var/log/mail.log):
root@smtp02:/var# stat log
File: 'log'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fc01h/64513d Inode: 1005 Links: 11
Access: (0775/drwxrwxr-x) Uid: ( 0/ root) Gid: ( 108/ syslog)
Access: 2016-08-22 08:25:37.991669507 +0200
Modify: 2016-08-22 06:25:04.620044011 +0200
Change: 2016-08-22 06:25:04.620044011 +0200
Birth: -
On SMTP01 the permissions were 0755, on SMTP02 0775. Big difference!
After I set the same permissions on smtp01 and restarting rsyslogd, logging of the mail facility started into /var/log/mail.log.
However I still don't know where this permission diff came from. In no logfile (and I have command auditing active) I was able to find a command who'd have edited the permissions.
Jorge Gustavo Rocha from wrote on Nov 21st, 2016:
Hi Claudio,
The same happened to me, on a Ubuntu 16.04 deployed on the cloud (scalaway). On servers deployed from the Ubuntu distribution that never happened before. Thanks for your tip.
Regards,
Gustavo
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder