You can use the $PrivDropToUser, $PrivDropToUserID, $PrivDropToGroup, and $PrivDropToGroupID configuration directives to run rsyslog as a non-root user. When these directives are set, rsyslog starts as root and drops to the specified user and/or group after initialization. The daemon then runs with the permissions of that user or group.
1. rsyslog runs as root by default in CentOS/RHEL 7, and permission issues will occur when it runs as a non-root user.
2. To ensure that you can get logging from systemd's journal in /run/log/journal, add the specified user to the 'systemd-journal' group (-a appends the group instead of replacing the user's existing supplementary groups):
# usermod -aG systemd-journal [specified_user]
3. Additionally, you will need to make sure that the non-root user has write access to the following logs, as well as the directories that contain them (/var/lib, /var/log):
/var/lib/rsyslog
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/cron
/var/log/spooler
/var/log/boot.log
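As an added example (not part of the original page), these shell functions audit the group membership from step 2 and the write access from step 3 for the account rsyslog drops to. The function names and the optional path prefix are hypothetical, and `stat -c` assumes GNU coreutils as shipped on CentOS/RHEL.

```shell
#!/bin/sh
# Added example; function names and the PREFIX argument are hypothetical.
# Paths are the ones listed in step 3, plus the two directories it names.
RSYSLOG_PATHS="/var/lib /var/log /var/lib/rsyslog /var/log/messages
/var/log/secure /var/log/maillog /var/log/cron /var/log/spooler /var/log/boot.log"

# can_write UID "GID ..." PATH
# Returns 0 if PATH's mode bits grant write access, 1 if not, 2 if PATH is
# missing. Only PATH's own owner/group/other bits are evaluated: ACLs, SELinux
# policy and search permission on parent directories are not checked.
can_write() {
    cw_st=$(stat -L -c '%u %g %a' "$3" 2>/dev/null) || return 2
    cw_uid=$1; cw_gids=$2
    set -- $cw_st                  # $1=owner uid, $2=owner gid, $3=octal mode
    cw_bit=2                       # default: the "other" write bit
    for cw_g in $cw_gids; do
        if [ "$cw_g" = "$2" ]; then cw_bit=16; fi    # group class applies
    done
    if [ "$cw_uid" = "$1" ]; then cw_bit=128; fi     # owner class wins
    [ $(( 0$3 & $cw_bit )) -ne 0 ]
}

# audit_paths UID "GID ..." [PREFIX]
# Prints every path that is not writable; returns how many were found.
audit_paths() {
    ap_bad=0
    for ap_p in $RSYSLOG_PATHS; do
        if ! can_write "$1" "$2" "${3:-}$ap_p"; then
            echo "no write access for uid $1: ${3:-}$ap_p"
            ap_bad=$(( $ap_bad + 1 ))
        fi
    done
    return "$ap_bad"
}

# audit_privdrop USER
# Resolves USER, reports missing systemd-journal membership, audits the paths.
audit_privdrop() {
    ad_uid=$(id -u "$1") || return 255
    case " $(id -Gn "$1") " in
        *" systemd-journal "*) ;;
        *) echo "user $1 is not in group systemd-journal" ;;
    esac
    audit_paths "$ad_uid" "$(id -G "$1")"
}
```

Call `audit_privdrop` with the account named in $PrivDropToUser; a return status of 0 means every listed path is writable according to its mode bits.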