The Datadog Agent runs as the dd-agent user and dd-agent group. This prevents dd-agent from reading the logs in /var/log, as they are only accessible by root (or a sudo admin).
To allow read-only access for dd-agent only, create ACLs and modify logrotate to persist the permission changes.
You can manually set the ACL with:
sudo setfacl -m g:dd-agent:rx /var/log/<application-name>
This will not persist, because logrotate does not re-apply the ACL setting. For a more permanent solution, add a rule to logrotate that resets the ACL. You will need to create a new file:
sudo touch /etc/logrotate.d/dd-agent_ACLs
Example:
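# A stanza must start with the log files it applies to.
# logrotate rejects a file listed in more than one stanza: if another file in
# /etc/logrotate.d already rotates these logs, add the setfacl lines to that
# stanza's postrotate script instead.
/var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler {
    postrotate
        /usr/bin/setfacl -m g:dd-agent:rx /var/log/cron
        /usr/bin/setfacl -m g:dd-agent:rx /var/log/maillog
        /usr/bin/setfacl -m g:dd-agent:rx /var/log/messages
        /usr/bin/setfacl -m g:dd-agent:rx /var/log/secure
        /usr/bin/setfacl -m g:dd-agent:rx /var/log/spooler
    endscript
}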
Check the ACL status of a file with:
getfacl /var/log/<application-name>
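The getfacl check can be scripted. This is an added example, not part of the original page: a shell function that reads getfacl output and reports whether the dd-agent group can actually read the file, including the case where the ACL mask cancels the entry. The function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Reads `getfacl` output on stdin and prints whether group $1 can read the file:
#   ok      - named group entry grants r and the mask allows it
#   masked  - entry grants r but the ACL mask removes it
#   missing - no entry for the group, or the entry lacks r
acl_group_can_read() {
    awk -v grp="$1" -F: '
        $1 == "group" && $2 == grp { entry = $3 }
        $1 == "mask"               { mask = $3 }
        END {
            if (substr(entry, 1, 1) != "r") { print "missing"; exit }
            if (mask != "" && substr(mask, 1, 1) != "r") { print "masked"; exit }
            print "ok"
        }'
}

# Constructed sample: ACL as left by the setfacl command.
sample_with_acl() {
    cat <<'EOF'
# file: var/log/messages
user::rw-
group::---
group:dd-agent:r-x
mask::r-x
other::---
EOF
}

# Constructed sample: new file created by logrotate, ACL not re-applied.
sample_after_rotate() {
    cat <<'EOF'
# file: var/log/messages
user::rw-
group::---
other::---
EOF
}

# Constructed sample: entry present, but chmod 600 has cleared the mask.
sample_masked() {
    cat <<'EOF'
# file: var/log/messages
user::rw-
group::---
group:dd-agent:r-x    #effective:---
mask::---
other::---
EOF
}
```

On a live host, run `getfacl /var/log/messages 2>/dev/null | acl_group_can_read dd-agent` after a rotation to confirm that the postrotate script restored access.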
For more information on ACLs, see https://help.ubuntu.com/community/FilePermissionsACLs