While we recommend using log aggregator tools like Splunk, LogStash etc., the cost of setting and fine-tuning the setup might be prohibitive. It is also time-consuming to get the setup right. Due to the aforementioned costs, developers require access to the Dev-integration servers to view and tail the logs. Unfortunately, in Tomcat 8.5, the default UMASK setting prevents users that don’t belong to the group the Apache Tomcat Server runs as from reading and tailing the logs. While this is a good feature in Production and Production-like environments, it makes debugging issues with code a little difficult in Dev-integration environments.

The Fix

To make the Liferay logs and Apache Tomcat logs readable by developers, add the following line to the and restart Tomcat. Please note that this won’t change the permissions of existing log files. Only the current and future log files that are generated by the AppServer will be readable by developers.

export UMASK="0022"

Also note that while there are other ways of setting UMASK, the method mentioned above will preserve the UMASK settings when Tomcat versions are upgraded on a per-release basis.


Tomcat 8.5 provides additional security and huge performance benefits. While the benefits are huge, you have to make a few changes to preserve the behavior to mimic the older generation of Tomcat (8.0) environment.

If you have questions on how you can best leverage audience targeting and/or need help with your Liferay DXP implementation, please engage with comments on this blog post, or reach out to us.

Additional Reading
You can also continue to explore Liferay DXP by checking out the Standard deployment structure recommended by XTIVIA that makes your AppServer upgrades easier, or Steps to Follow for Overcoming HTTPS Socket Errors in JMeter, or Top 5 DevOps Features in Liferay DXP from a devops perspective.

Share This