Asked Monday, April 18, 2022

I am the Splunk administrator working with an Ubuntu 12.04 LTS system and I want to collect events from /var/log/auth.log.

-rw-r----- 1 root adm 16534643 Jan  8 09:49 /var/log/auth.log

Splunk runs as a normal user, splunk.

$ id splunk
uid=1984(splunk) gid=1984(splunk) groups=1984(splunk)

Normally, I'd use this command to make the file group readable by the splunk group.

$ chgrp splunk /var/log/auth.log
-rw-r----- 1 root splunk 16534643 Jan 8 09:49 /var/log/auth.log

This works fine on other Linux distros and I assume this is okay with Ubuntu as well. But I do want to ask, will bumping out the adm group cause me (actually, the other group that owns the box) headaches in the future? I am not a privileged user on the system, so I cannot check things like /var/log/cron/adm or mail for the adm account. I'm also assuming that logrotate will honor my new group owner for new files.

(Before you ask, access to the Splunk index for auth.log is restricted to a limited number of people.)
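The two things the question leaves to assumption are whether the splunk group can actually read the file after the chgrp, and whether logrotate will keep that group on the next rotation. As an added example (not part of the original question or answer), the POSIX shell script below checks both. On the second point: logrotate's `create mode owner group` directive sets owner and group of the freshly created log explicitly, while a bare `create` (or none at all) copies them from the rotated file, so it is only an explicit group in `create`, or the logging daemon's own file-creation settings such as rsyslog's `$FileGroup`, that would quietly hand the file back to adm. The logrotate config used here is constructed and only modelled on the layout of an Ubuntu rsyslog stanza; the file names and the `splunk` group are placeholders, and the script assumes GNU `stat(1)` and matches logrotate patterns literally (no glob expansion).

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for a log collector
# running as an unprivileged user:
#   1. is FILE group-owned by GROUP and does it carry the group read bit?
#   2. does the logrotate stanza for FILE have a "create" directive that
#      would reset the group at the next rotation?
# Assumes GNU coreutils stat(1); paths and group names are placeholders.

# check_group_readable FILE GROUP
# Exit 0 when FILE is group-owned by GROUP with the group read bit set,
# otherwise print the reason and exit 1.
check_group_readable() {
    file=$1
    group=$2
    owner_group=$(stat -c '%G' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    if [ "$owner_group" != "$group" ]; then
        echo "$file: group owner is '$owner_group', not '$group'"
        return 1
    fi
    # The group triad is the second-to-last octal digit; 4..7 include r.
    group_digit=$(printf '%s' "$mode" | sed 's/^.*\(.\).$/\1/')
    case $group_digit in
        4|5|6|7) echo "$file: readable by group $group (mode $mode)"; return 0 ;;
        *)       echo "$file: mode $mode has no group read bit"; return 1 ;;
    esac
}

# logrotate_create_for CONF LOGPATH
# Print the "create" line of the stanza that lists LOGPATH, "none" if that
# stanza has no create directive (ownership is then copied from the rotated
# file), or "no-stanza" if LOGPATH is not listed in CONF at all.
logrotate_create_for() {
    awk -v target="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !inblock && !/[{]/ { pats = pats " " $0; next }
        !inblock {
            # the pattern list may continue on the "{" line itself
            head = $0; sub(/[{].*/, "", head); pats = pats " " head
            n = split(pats, arr, " "); hit = 0
            for (i = 1; i <= n; i++) if (arr[i] == target) hit = 1
            pats = ""; create = ""; inblock = 1; next
        }
        /^[ \t]*create[ \t]/ || /^[ \t]*create$/ { create = $0 }
        /[}]/ {
            if (hit) {
                sub(/^[ \t]+/, "", create)
                print (create == "" ? "none" : create)
                found = 1; exit
            }
            inblock = 0
        }
        END { if (!found) print "no-stanza" }
    ' "$1"
}

# write_sample_config DEST
# Constructed sample (not a real system file), laid out like an Ubuntu
# /etc/logrotate.d/rsyslog stanza; the "create 0640 root adm" line is the
# kind of directive that would undo "chgrp splunk" at the next rotation.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample logrotate config
/var/log/syslog
{
    rotate 7
    daily
    missingok
}

/var/log/mail.info
/var/log/auth.log
{
    rotate 4
    weekly
    missingok
    create 0640 root adm
    sharedscripts
}
EOF
}

# Stand-alone demo on a throwaway file standing in for /var/log/auth.log.
demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_config "$tmp/rsyslog"
    : > "$tmp/auth.log"
    chmod 640 "$tmp/auth.log"
    check_group_readable "$tmp/auth.log" "$(stat -c '%G' "$tmp/auth.log")" || true
    check_group_readable "$tmp/auth.log" splunk || true
    echo "auth.log stanza: $(logrotate_create_for "$tmp/rsyslog" /var/log/auth.log)"
    echo "syslog stanza:   $(logrotate_create_for "$tmp/rsyslog" /var/log/syslog)"
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the demo, or source it and call `check_group_readable /var/log/auth.log splunk` and `logrotate_create_for /etc/logrotate.d/rsyslog /var/log/auth.log` on a real host. A `create` line naming `adm` (or a global `create` in /etc/logrotate.conf, which this parser does not read) means the chgrp needs to be repeated after each rotation, or the directive changed, for the collector to keep reading.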



Answers

Followup: Since no one ever gave a reason why "adm" group ownership was important, I changed the group ownership to "splunk".

After 6 months, no issues were noticed. I decided against giving the splunk user additional group privileges by adding it to the "adm" group. I reasoned I could give the adm account the extra privilege of "splunk" group membership, if necessary.


Answer #27589, Tuesday, April 19, 2022