Let us face it, it is in the best interest of both developers and IT people to make applications less buggy and more reliable. For that ecosystem to work, both areas must be able to do their jobs without stepping on each other's toes, AKA Separation of Concerns.
So a systems architect who understands this well should look for a way to let developers read what they need in order to troubleshoot real production problems, while at the same time keeping the production system stable and secured.
This is not a post about security so I assume you already took care of not logging user passwords and privacy related information.
The whole problem can be addressed easily by separating where the logs are created (the production server) from where the logs are inspected (a development server or, if you can afford it, a dedicated logs server). Our old, always handy friend rsync lets us push any logs we want from any server to a development/logs server.
- Set up the log/development server
$ sudo useradd -d /home/logsviewer -m logsviewer -s /bin/bash
$ sudo passwd logsviewer #set password for example to logs4all ;-)
$ su - logsviewer
$ mkdir ~/remotelogs
- Set up the production server to send logs to the logs/development server
$ ssh-keygen -t rsa -f /home/admin/.logs_rsa #No passphrase
$ scp /home/admin/.logs_rsa.pub logsviewer@logsMachine:~/
- In the logs/development server authorize the key
$ test -d .ssh || mkdir .ssh
$ cat ~/.logs_rsa.pub >> .ssh/authorized_keys
#WARNING: If this is not just a dev box you will need to do extra work to increase security. This is authorizing the remote box to do anything the current user can do
- In the production server set a cron to update logs let us say every minute
$ crontab -e
#Update app logs in log server
*/1 * * * * rsync -avz -e "ssh -i /home/admin/.logs_rsa" /opt/tomcat/logs/app.log logsviewer@logsMachine:/home/logsviewer/remotelogs/app.log
- Now as a developer you can check any log file from your log/development server
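As an added example (not part of the original post, and not the author's own setup), here is the "extra work" the WARNING above refers to. The script below is installed on the logs server as a forced command for the production key, so that key can only run rsync in server mode writing under the logsviewer drop directory, and never a shell, a port forward or an rsync into ~/.ssh. The wrapper path /home/logsviewer/bin/rsync-only.sh and the drop directory /home/logsviewer/remotelogs are assumptions taken from the post's setup; the sample key string in the usage note is constructed.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the logsviewer account.
# Assumes the drop directory from the post's setup; sshd sets
# SSH_ORIGINAL_COMMAND to whatever the client asked to run when a
# command="..." option is present in authorized_keys.

LOG_DROP="/home/logsviewer/remotelogs"   # assumed path from the post

# Returns 0 if the client command is an rsync *server* invocation whose
# destination stays inside LOG_DROP, 1 otherwise.
allowed_rsync_command() {
    cmd="$1"
    # Must be rsync in server (receiving) mode, which is what the
    # production side's "rsync -avz ... host:path" turns into.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Reject shell metacharacters and parent-directory traversal outright.
    case "$cmd" in
        *..*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*|*'>'*|*'<'*) return 1 ;;
    esac
    # rsync puts the destination path last; it must be the drop directory
    # itself or something beneath it.
    dest="${cmd##* }"
    case "$dest" in
        "$LOG_DROP"|"$LOG_DROP"/*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Builds the authorized_keys line that forces the wrapper and turns off
# pty allocation, port/agent/X11 forwarding for this key.
# $1 = absolute path of the wrapper, $2 = public key line (.logs_rsa.pub).
restricted_key_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Entry point when sshd runs this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # shellcheck disable=SC2086  # rsync args carry no spaces here
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "rsync-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
fi
```

To use it on the logs server, save the block as /home/logsviewer/bin/rsync-only.sh, make it executable, and replace the plain `cat ~/.logs_rsa.pub >> .ssh/authorized_keys` step with `. ~/bin/rsync-only.sh; restricted_key_line /home/logsviewer/bin/rsync-only.sh "$(cat ~/.logs_rsa.pub)" >> ~/.ssh/authorized_keys`, then `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys` so sshd accepts the file. The cron job on the production side needs no change. Rejected attempts land on stderr of the session, so they show up in the sshd/auth log on the logs box, which is the place to watch for a compromised production host trying to use the key for anything other than the log push. rsync itself ships a contrib script, rrsync, that implements a more thorough version of this same idea if you prefer a maintained wrapper.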