Allow configuring permissions for log files #5441

Open
achenand opened this issue Mar 7, 2019 · 8 comments
Labels
- theme/operator-usability: Replaces UX. Anything related to making things easier for the practitioner
- type/enhancement: Proposed improvement or new feature

Comments

achenand commented Mar 7, 2019

On Linux I used the -log-file flag to redirect all the Consul agent log messages to a local file. For some reason the log file was created with a permission that is write-only by owner, for example:

--w------- 1 fispguat fispguat 91300 Mar 6 12:54 consul_20190306-114637-1551890797918163665.log

Is this write only permission by design of consul? I have not found anything in documentation and existing issues so would appreciate any insights from consul team.

mkeeler (Member) commented Mar 7, 2019

@achenand This was definitely not intended. #5346 was for the same thing and was fixed in version 1.4.3. If you upgrade, log files will now be created with rw permissions for the owner and read-only permissions for the group.

@mkeeler mkeeler closed this as completed Mar 7, 2019
@achenand (Author)

Hi Matt,
This "rw permissions for the owner and read only permissions for the group." is still too restrictive for our use case. We would like to have read access for users in different groups.

Could you make it possible to allow an umask to be supplied along with the -log-file flag?
Thanks again.

@mkeeler mkeeler reopened this Mar 11, 2019
@mkeeler mkeeler changed the title from "-log-file flag created log file in write only permission" to "Allow configuring permissions for log files" Mar 11, 2019
@mkeeler mkeeler added the type/enhancement and theme/operator-usability labels Mar 11, 2019
mkeeler (Member) commented Mar 11, 2019

@achenand I reopened the issue and edited the title to more closely align with what I think the request is.

Could you elaborate on your usage a bit? Particularly, what sorts of permissions you are desiring or how you would desire those log files to be created.

@achenand (Author)

Thanks for updating the title.
I am looking to have "644" as the log file permission on Linux servers: "rw" for owner, "r" for group and others. In our use case, developers are only allowed to access production Linux boxes as low-privileged users, while the consul process is run as a higher-privileged service id.

On another note, when I specified the complete path along with the name of the log file in the -log-file flag, the {timestamp} was still appended. For example, I have specified the name of the log file as consul_20190311-141420.log
But the actual log file name still has {timestamp} added. Is it possible to remove this additional {timestamp} to match the behavior described by the documentation?
consul_20190311-141420-1552328060963016440.log

-log-file - to redirect all the Consul agent log messages to a file. This can be specified with the complete path along with the name of the log. In case the path doesn't have the filename, the filename defaults to consul-{timestamp}.log. Can be combined with -log-rotate-bytes and -log-rotate-duration for a fine-grained log rotation experience.
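
The permission cases raised in this thread (the write-only 0200 file, the 0640 default after 1.4.3, and the requested 0644), as an added Go example that is not from the thread or from Consul's code base. `createLog`, `classify`, `auditLogs` and the sample file names are hypothetical; note that 0644 lets every local account on the host read the log.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// createLog is hypothetical, not Consul's code. OpenFile's mode is masked by
// the umask and ignored for existing files, so Chmod pins the requested bits.
func createLog(path string, perm os.FileMode) error {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, perm)
	if err != nil {
		return err
	}
	defer f.Close()
	return f.Chmod(perm)
}

// classify maps permission bits to the cases raised in the thread.
func classify(p os.FileMode) string {
	switch {
	case p&0400 == 0:
		return "owner cannot read"
	case p&0004 != 0:
		return "readable by every local account"
	case p&0040 != 0:
		return "readable by owner and group"
	}
	return "readable by owner only"
}

// auditLogs globs the timestamped names and reports each file's mode.
func auditLogs(dir, pattern string) map[string]string {
	out := map[string]string{}
	paths, _ := filepath.Glob(filepath.Join(dir, pattern)) // fails only on a bad pattern
	for _, p := range paths {
		if info, err := os.Stat(p); err == nil {
			out[filepath.Base(p)] = fmt.Sprintf("%04o %s", uint32(info.Mode().Perm()), classify(info.Mode()))
		}
	}
	return out
}

func main() {
	dir, _ := os.MkdirTemp("", "consul-logs") // constructed sample directory
	defer os.RemoveAll(dir)
	for i, perm := range []os.FileMode{0200, 0640, 0644} {
		createLog(filepath.Join(dir, fmt.Sprintf("consul_%d.log", i)), perm)
	}
	fmt.Println(auditLogs(dir, "consul_*.log"))
}
```

Matching by glob rather than by exact name is what lets a check like this cope with the timestamp suffix in the file names.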

neillyt (Contributor) commented Aug 10, 2019

Hi, 644 would be very good for me as well as I'd like to ingest these logs into Splunk. However, Splunk runs under a pretty non-privileged user in our case. With the logs having an unpredictable name (as it uses a timestamp) it is tough to get around this. Any help on this would be appreciated.

dheide951 commented Oct 25, 2021

Has there been any update on this topic? I am also looking to have these logs go into Splunk and need 644 permissions.

Or is there a way to change the group of the logs?

3eka commented Dec 3, 2021

+1

@cunningriver777

+1
