What should be the right logs permissions for NGINX on CentOS?
On the files located in /var/log/nginx/ the rules have changed over time (at least in my experience). Yet without more data I'm not comfortable giving a definitive suggestion. But I'll try.
NGINX itself runs as "root". NGINX processes run as the user specified in /etc/nginx/nginx.conf, which is usually "www-data" (hang on, keep reading).
You can use this command to determine how your NGINX is running:
ps -eo "%U %G %a" | grep nginx
Your output should look something like this:
root root nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data www-data nginx: worker process
What you did not say is WHY you are asking this question. Hypothetically, let's just say you are running OSSEC with an ELK stack. And if you are on Ubuntu 16.04, then your second issue is what processes can READ the files as well as write. If you are using logrotate then you would need to edit the logrotate files as well as change permissions on the log folder.
Step 1 - in logrotate update the nginx file:
nano /etc/logrotate.d/nginx
In that file, on recent versions of nginx and Ubuntu, I have found that changing the ownership line as follows will allow it to work. This is in the file in /etc/logrotate/nginx which sets the file permissions when the file is rotated.
create 0640 nginx nginx
or alternatively:
create 0640 www-data www-data
Although in practice nginx:nginx has worked more consistently and is a balance between giving the nginx web process permissions to the log files vs setting them to root.
To continue, for your legacy log files (e.g. to be read by logstash) you may want to reset ownership (assuming default file locations, which I realize most of us don't actually use).
chown nginx:nginx /var/log/nginx/*
or (again) alternatively
chown www-data:www-data /var/log/nginx/*
Hopefully this helps. I have found data on the proper permissions for nginx to be confusing at best when it comes to logging, which I attribute to the evolution of their AMAZING software. And I welcome others who know more to provide feedback on my reply.
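An added example, not part of the original answer: a small audit script that reads the `create` directive from a logrotate file and reports any log file whose mode, owner or group has drifted from it. The function names are hypothetical, and GNU `stat` (as shipped on CentOS and Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: check existing log files against the logrotate "create" line,
# so legacy files and freshly rotated files end up with the same permissions.
# Assumes GNU stat; function names are hypothetical.

# Print "mode owner group" from the first "create" directive in file $1.
logrotate_create_spec() {
    awk '$1 == "create" && NF >= 4 { print $2, $3, $4; exit }' "$1"
}

# Report every regular file in directory $1 whose mode/owner/group differs
# from mode $2, owner $3, group $4. Returns 1 if any file differs.
audit_log_perms() {
    alp_dir=$1
    # Normalise "0640" and "640" to the form stat prints ("640").
    alp_want="$(printf '%o' "0$2") $3 $4"
    alp_rc=0
    for alp_f in "$alp_dir"/*; do
        [ -f "$alp_f" ] || continue
        alp_have=$(stat -c '%a %U %G' "$alp_f")
        if [ "$alp_have" != "$alp_want" ]; then
            echo "MISMATCH $alp_f: have [$alp_have] want [$alp_want]"
            alp_rc=1
        fi
    done
    return "$alp_rc"
}

# Usage: sh audit.sh /etc/logrotate.d/nginx /var/log/nginx
if [ "$#" -eq 2 ]; then
    spec=$(logrotate_create_spec "$1")
    [ -n "$spec" ] || { echo "no create directive in $1" >&2; exit 2; }
    # Intentionally unquoted: split "mode owner group" into three arguments.
    audit_log_perms "$2" $spec
fi
```

Run it after editing the logrotate file and again after the next rotation; a non-zero exit status means at least one file still needs `chown` or `chmod`.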