diff --git a/recipes/minimize_access.rb b/recipes/minimize_access.rb
index bae4b889..45f4a67e 100644
--- a/recipes/minimize_access.rb
+++ b/recipes/minimize_access.rb
@@ -53,3 +53,9 @@
 mode '0750'
 not_if { node['os-hardening']['security']['users']['allow'].include?('change_user') }
 end
+
+# /var/log should restricted to root or syslog on ubuntu systems
+directory '/var/log' do
+ owner 'root'
+ group node['platform'] == 'ubuntu' ? 'syslog' : 'root'
+end
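Review bot: The new `directory '/var/log'` resource sets `owner` and `group` but no `mode`, so Chef keeps whatever permission bits the directory already has, and a world-writable or otherwise loose /var/log passes this recipe unchanged. Add an explicit mode that fits each platform's group, for example `mode node['platform'] == 'ubuntu' ? '0775' : '0755'`; the syslog group on Ubuntu presumably needs write access, so confirm the values against the baseline you test with. The resource only touches the directory itself, not the log files beneath it, and the comment should say so. The comment would also read better as `# /var/log should be restricted to root, or to root:syslog on Ubuntu`.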