File permissions for audit.log for monitoring

Hi guys / gals. I have a problem with change group and permissions on file /var/log/audit/audit.log. Maybe it’s a bug, but definively it’s not an issue. LOL

The problem is: I need monitoring logs from a zabbix server. So, I’ve changed the group monitoring to “adm”, added “zabbix” user to “adm” group change dir and file group to “adm” (chgrp -R adm /var/log/audit/), changed file and permissions to dir (0640), and log file (0750). and restarted the “auditd” service with no success at all. Same process was sucessfully done in cloudlinux, centos and rocky linux, but no way to do it in AL.

Please help

hi @wpulido can you please file a bug at so that we can look into this.

Also can you provide the audit.log file (both here and there so that we can get some insight into what is going on)? It should work the same exact way as on centos, there is no difference.

Hi Jack. I’m not pretty sure if it’s a bug or not, because I’m not too experimented with CentOS-based distros. I was reading a bit about SElinux and its features and did my tests. So, I will reproduce the situation as precise as possible:

I edited my “/etc/audit/auditd.conf” file
Changed the “log_group” parameter to “adm”. Saved changes and closed file edition
usermod -aG adm zabbix
chown -R root:adm /var/log/audit/audit.log
service auditd restart

It worked on CloudLinux and CentOS, but in AL didn’t. I was checking SELinux Configuration. CL and CentOS have SELinux active (enforcing)

BTW, I deactivated SElinux on a test (with “setenforce 0” command), and reboot, but it didn’t worked neither.

It always give me “error 13: permission denied”.

Maybe, for sure, I’m doing something wrong or missing something, but I don’t know.

Thanks in advance and sorry for my english.

i assume that’s a typo as its backwards - files should be 640 and dirs 750.

also if you’re messing with auditd config you should reboot not restart, as it may be (should be!) immutable.