Ubuntu – safely change group ownership of /var/log/auth.log


I am the Splunk administrator working with an Ubuntu 12.04 LTS system and I want to collect events from /var/log/auth.log.

-rw-r----- 1 root adm 16534643 Jan  8 09:49 /var/log/auth.log

Splunk runs as a normal user, splunk.

$ id splunk
uid=1984(splunk) gid=1984(splunk) groups=1984(splunk)

Normally, I'd use this command to make the file group readable by the splunk group.

$ chgrp splunk /var/log/auth.log
-rw-r----- 1 root splunk 16534643 Jan  8 09:49 /var/log/auth.log

This works fine on other Linux distros and I assume this is okay with Ubuntu as well. But I do want to ask, will bumping out the adm cause me (actually, the other group that owns the box) headaches in the future? I am not a privileged user on the system, so I cannot check things like /var/log/cron/adm or mail for the adm account. I'm also assuming that logrotate will honor my new group owner for new files.

(Before you ask, access to the splunk index for auth.log is restricted to a limited number of people.)

Best Answer

Followup: Since no one ever gave a reason why "adm" group ownership was important, I changed the group ownership to "splunk".

After 6 months, no issues were noticed. I decided against giving the splunk user additional group privileges by adding it to the "adm" group. I reasoned I could give the adm account the extra privilege of "splunk" group membership, if necessary.
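Two checks behind the trade-off discussed above (what adm membership would expose, versus whether logrotate re-creates the file with an explicit group that undoes a chgrp), as an added example that is not part of the original question or answer. It assumes POSIX find and grep; the directory, group and logrotate config paths are arguments supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Helpers for deciding between
# "chgrp splunk /var/log/auth.log" and adding the splunk user to the adm group.
# Assumes POSIX find/grep; paths and group names are passed in by the caller.

# Check 1: what does membership in a group already expose? Lists every regular file
# under directory $1 owned by group $2 whose mode grants group read (-perm -g=r).
# e.g. group_readable_files /var/log adm -> everything splunk would gain by joining adm,
# versus the single file a chgrp exposes.
group_readable_files() {
    find "$1" -type f -group "$2" -perm -g=r 2>/dev/null | sort
}

# Check 2: will logrotate undo the chgrp? A bare "create" (or "create <mode>") keeps the
# rotated file's owner and group, but "create <mode> <owner> <group>" or
# "create <owner> <group>" re-creates the log with those values after every rotation.
# Prints the matching lines from config file $1; returns 0 if an explicit owner/group
# is set, 1 otherwise.
logrotate_sets_group() {
    grep -E '^[[:space:]]*create[[:space:]]+([0-7]{3,4}[[:space:]]+)?[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]*$' "$1"
}

# Usage: sh check.sh <logdir> <group> <logrotate-config>
if [ $# -eq 3 ]; then
    echo "Files readable by group $2 under $1:"
    group_readable_files "$1" "$2"
    echo "logrotate create directives in $3 that set owner/group:"
    logrotate_sets_group "$3" || echo "(none: rotation keeps the file's current group)"
fi
```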