What are good access control permissions for log files?

When setting log file permissions, the aim is to let the logging process add new entries while preventing modification of existing data. Granting the application read and append rights lets it add entries at the end without allowing it to alter or delete past logs. Giving the backup process read-only access lets it archive or copy logs as needed, but it cannot modify them. This arrangement preserves the integrity and completeness of the log trail and follows the principle of least privilege. Granting broader rights—such as write, execute, or full control—opens the door to tampering, accidental changes, or deletion of logs, which undermines reliability and forensic usefulness. If you only gave read-only, the application wouldn’t be able to log new events; if you gave write or full control, the risks to integrity would be too high.