Discussion:
Permission changing for /var/log/httpd
Tom Ekberg
2016-06-02 18:15:44 UTC
I have a non-root cron job that needs to look at files in /var/log/httpd and transfer them (scp) to another host. That user is a member of group adm and I changed the ownership of /var/log/httpd to root:adm and set permissions to 750. This works fine as the cron job can read the files. The problem is that once a month some process changes the ownership of this directory to root:root and permissions to 700. I looked at the audit logs and can see this happen but I have no idea what process is doing this. I looked at /etc/cron.monthly and there is only one entry that doesn't appear to cause that. Do you happen to know what process changes the ownership and permission of /var/log/httpd?

Tom Ekberg
Senior Computer Specialist, Lab Medicine
University of Washington Medical Center
1959 NE Pacific St, MS 357110
Seattle WA 98195
work: (206) 598-8544
email: ***@uw.edu
--
redhat-list mailing list
unsubscribe mailto:redhat-list-***@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
m***@5-cent.us
2016-06-02 18:20:47 UTC
Post by Tom Ekberg
I have a non-root cron job that needs to look at files in /var/log/httpd
and transfer them (scp) to another host. That user is a member of group
adm and I changed the ownership of /var/log/httpd to root:adm and set
permissions to 750. This works fine as the cron job can read the files.
The problem is that once a month some process changes the ownership of
this directory to root:root and permissions to 700. I looked at the audit
logs and can see this happen but I have no idea what process is doing
this. I looked at /etc/cron.monthly and there is only one entry that
doesn't appear to cause that. Do you happen to know what process changes
the ownership and permission of /var/log/httpd?
Possibly the log rotation.

mark
Tom Ekberg
2016-06-03 18:00:44 UTC
That was a good guess, but the logrotate setting for httpd says:

create 640 root adm

The other 3 create lines in /etc/logrotate.d/ are for other log files.

Tom Ekberg

From: ***@5-cent.us
To: "General Red Hat Linux discussion list" <redhat-***@redhat.com>
Subject: Re: Permission changing for /var/log/httpd

Tom Ekberg wrote:
I have a non-root cron job that needs to look at files in /var/log/httpd
and transfer them (scp) to another host. That user is a member of group
adm and I changed the ownership of /var/log/httpd to root:adm and set
permissions to 750. This works fine as the cron job can read the files.
The problem is that once a month some process changes the ownership of
this directory to root:root and permissions to 700. I looked at the audit
logs and can see this happen but I have no idea what process is doing
this. I looked at /etc/cron.monthly and there is only one entry that
doesn't appear to cause that. Do you happen to know what process changes
the ownership and permission of /var/log/httpd?

Mark added:
Possibly the log rotation.

mark
Yong Huang
2016-06-03 20:02:21 UTC
If logrotate (as Mark suggested) did not do it, you can use SystemTap to do this sort of thing. There are sample scripts on the Internet that monitor file permission changes.
Maybe these help:
https://www.sourceware.org/systemtap/SystemTap_Beginners_Guide/inodewatch2sect.html
https://lwn.net/Articles/271796/

Yong
Jonathan Billings
2016-06-03 21:03:45 UTC
Post by Yong Huang
If logrotate (as Mark suggested) did not do it, you can use
SystemTap to do this sort of thing. There are sample scripts on the
Internet that monitor file permission changes.
Maybe these help:
https://www.sourceware.org/systemtap/SystemTap_Beginners_Guide/inodewatch2sect.html
https://lwn.net/Articles/271796/
You can also do this with auditd and auditctl, which is a bit simpler
to set up.

https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html

This is an example.
--
Jonathan Billings <***@umich.edu>
College of Engineering - CAEN - Unix and Linux Support
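
The auditd approach suggested above, as an added example that is not part of any poster's message: watch the directory for attribute changes under a key, then reduce the matching SYSCALL records to the process that made each change. The key name `httpd-perm`, the helper names `who_changed` and `sample_records`, and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Load the watch as root ("httpd-perm" is an arbitrary key label):
#   auditctl -w /var/log/httpd -p a -k httpd-perm
# After the next change, feed the raw records to who_changed:
#   ausearch -k httpd-perm --raw | who_changed httpd-perm

# who_changed KEY: read raw audit records on stdin; for every SYSCALL record
# tagged with KEY print "<epoch> syscall=<n> pid=.. ppid=.. comm=.. exe=..".
# On x86_64, syscall 90 is chmod and 92 is chown.
who_changed() {
    awk -v want="$1" '
    # Value of the "name=" field in the current record, quotes stripped.
    function field(name,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) {   # prefix match, so pid= skips ppid=
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "?"
    }
    $1 == "type=SYSCALL" && field("key") == want {
        ts = $2
        sub(/^msg=audit\(/, "", ts)   # drop the "msg=audit(" prefix
        sub(/\..*$/, "", ts)          # keep whole seconds since the epoch
        printf "%s syscall=%s pid=%s ppid=%s comm=%s exe=%s\n", ts,
            field("syscall"), field("pid"), field("ppid"),
            field("comm"), field("exe")
    }'
}

# Constructed sample records (not taken from the thread): a chown and a chmod
# on the watched directory, plus one record carrying an unrelated key.
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1464800461.512:9132): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd1 a1=0 a2=0 items=1 ppid=2210 pid=2214 auid=4294967295 uid=0 gid=0 comm="example-job" exe="/usr/local/sbin/example-job" key="httpd-perm"
type=PATH msg=audit(1464800461.512:9132): item=0 name="/var/log/httpd" inode=1311 mode=040750 ouid=0 ogid=4
type=SYSCALL msg=audit(1464800461.530:9133): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd1 a1=1c0 items=1 ppid=2210 pid=2215 auid=4294967295 uid=0 gid=0 comm="example-job" exe="/usr/local/sbin/example-job" key="httpd-perm"
type=SYSCALL msg=audit(1464800470.001:9140): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=990 uid=0 comm="other" exe="/usr/bin/other" key="unrelated"
EOF
}

sample_records | who_changed httpd-perm
```

The `ppid` column is the next thing to chase: looking up the parent process (for example in the same audit log or in cron's log for that timestamp) shows what launched the program that changed the directory.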