catalina.out not written to, permission issue

Bug #1861881 reported by Moses Lecce
This bug affects 7 people
Affects: tomcat9 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The file in /var/log/tomcat9/catalina.out is not being written to. Output is redirected to the standard syslog in /var/log/syslog.

If we change the permissions to allow syslog to write to the /var/log/tomcat9/ dir and the catalina.out file in there, it seems to get reverted back to tomcat:tomcat ownership (likely due to log rotation).

Moses Lecce (mosescan) wrote :

In previous versions of Tomcat (and Ubuntu) we see the permissions to this directory as follows:

/var/log/tomcat7# ls -lah
drwxr-x--- 2 tomcat7 adm 156K Feb 4 00:00 .
drwxrwxr-x 22 root syslog 4.0K Feb 4 06:51 ..
-rw-r--r-- 1 tomcat7 adm 0 Feb 2 06:54 catalina.out

/var/log/tomcat8# ls -lah
drwxr-x--- 2 tomcat8 adm 4.0K Feb 4 06:25 .
drwxrwxr-x 16 root syslog 4.0K Feb 4 06:25 ..
-rw-r--r-- 1 tomcat8 adm 0 Feb 2 06:25 catalina.out

Whereas currently with tomcat9 it has changed (the adm group is missing from the directory and from the catalina.out file):
ls -lah /var/log/tomcat9/
total 792K
drwxr-x--- 2 tomcat tomcat 4.0K Feb 4 14:28 .
drwxrwxr-x 15 root syslog 4.0K Feb 4 06:25 ..
-rw-rwxr-- 1 tomcat tomcat 0 Feb 2 06:25 catalina.out

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tomcat9 (Ubuntu):
status: New → Confirmed

Emmanuel Bourg (ebourg) wrote :

The /var/log/tomcat9/catalina.out file is written by rsyslogd. In Debian, rsyslogd runs as root so the permissions do not matter, but in Ubuntu rsyslogd runs as syslog:adm and it only has read permissions in /var/log/tomcat9/.

The tomcat9 package should be patched to change the permissions set by systemd-tmpfiles in /usr/lib/tmpfiles.d/tomcat9.conf (chmod 2750 -> 2760).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat9 - 9.0.36-1

---------------
tomcat9 (9.0.36-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Grant write access on /var/log/tomcat9 to the adm group (LP: #1861881)

 -- Emmanuel Bourg <email address hidden> Tue, 23 Jun 2020 11:47:47 +0200

Changed in tomcat9 (Ubuntu):
status: Confirmed → Fix Released

Clemens Fuchslocher (clemens-fuchslocher) wrote :

This bug is not fixed in Ubuntu 20.04 LTS?

* Ubuntu 20.04 LTS
* tomcat9 9.0.31-1ubuntu0.1
* https://packages.ubuntu.com/focal/tomcat9
* https://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat9/tomcat9_9.0.31-1ubuntu0.1/changelog

* Ubuntu 21.04
* tomcat9 9.0.43-1
* https://packages.ubuntu.com/hirsute/tomcat9
* https://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat9/tomcat9_9.0.43-1/changelog

Without this fix, rsyslog floods the logs with messages about "resumed (module 'builtin:omfile')" and "suspended (module 'builtin:omfile')".

One day before the directory permission was fixed:

| $ journalctl --unit rsyslog --since "1 day ago" | wc -l
| 56291
|
| $ journalctl --unit rsyslog --since "1 day ago"
| ...
| Jul 22 22:43:13 erecruiting rsyslogd: action 'action-11-builtin:omfile' resumed (module 'builtin:omfile') [v8.2001.0 try https://www.rsyslog.com/e/2359 ]
| Jul 22 22:43:13 erecruiting rsyslogd: action 'action-11-builtin:omfile' suspended (module 'builtin:omfile'), retry 0. There should be messages before this one giving the reason for
| ...

One day after the directory permission was fixed:

| $ journalctl --unit rsyslog --since "1 day ago" | wc -l
| 2
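
A way to spot the symptom described in the comment above before it fills the journal, as an added example that is not part of the original thread: it tallies rsyslogd's omfile suspended/resumed messages per action and reports the actions that keep cycling. The sample lines, the host name `host1`, and the `min_cycles` threshold are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample journal lines, modeled on the two messages quoted above.
SAMPLE = """\
Jul 22 22:43:13 host1 rsyslogd: action 'action-11-builtin:omfile' resumed (module 'builtin:omfile') [v8.2001.0 try https://www.rsyslog.com/e/2359 ]
Jul 22 22:43:13 host1 rsyslogd: action 'action-11-builtin:omfile' suspended (module 'builtin:omfile'), retry 0.
Jul 22 22:43:14 host1 rsyslogd: action 'action-11-builtin:omfile' resumed (module 'builtin:omfile') [v8.2001.0 try https://www.rsyslog.com/e/2359 ]
Jul 22 22:43:14 host1 rsyslogd: action 'action-11-builtin:omfile' suspended (module 'builtin:omfile'), retry 0.
Jul 22 22:45:02 host1 rsyslogd: action 'action-3-builtin:omfile' suspended (module 'builtin:omfile'), retry 0.
Jul 22 22:45:03 host1 rsyslogd: action 'action-3-builtin:omfile' resumed (module 'builtin:omfile') [v8.2001.0 try https://www.rsyslog.com/e/2359 ]
Jul 22 22:50:01 host1 systemd[1]: Started System Logging Service.
"""

# Matches rsyslogd's action state-change messages and captures action, state, module.
STATE_RE = re.compile(
    r"rsyslogd: action '(?P<action>[^']+)' (?P<state>suspended|resumed) "
    r"\(module '(?P<module>[^']+)'\)"
)

def omfile_state_changes(lines):
    """Count suspended/resumed events per (action, state) for builtin:omfile."""
    counts = Counter()
    for line in lines:
        m = STATE_RE.search(line)
        if m and m.group("module") == "builtin:omfile":
            counts[(m.group("action"), m.group("state"))] += 1
    return counts

def flapping_actions(lines, min_cycles=2):
    """Return {action: cycles} for actions suspended and resumed at least
    min_cycles times (the flood pattern reported in this bug)."""
    counts = omfile_state_changes(lines)
    result = {}
    for action in {a for a, _ in counts}:
        cycles = min(counts[(action, "suspended")], counts[(action, "resumed")])
        if cycles >= min_cycles:
            result[action] = cycles
    return result

if __name__ == "__main__":
    # Use piped journal output when present, otherwise the constructed sample.
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for action, cycles in sorted(flapping_actions(lines).items()):
        print(f"{action}: {cycles} suspend/resume cycles")
```

It can be fed the same output the comment inspects by piping `journalctl --unit rsyslog --since "1 day ago"` into the script.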

Evren Yurtesen (eyurtese-g) wrote :

The fix helps logs to get into catalina.out but now it is impossible to rotate it.
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1964881

Exactly due to the reason explained by Emmanuel Bourg:
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1861881/comments/3
rsyslogd runs as syslog:adm, but logrotate is set to run as tomcat:adm and is therefore not able to truncate the file, which is owned by syslog:adm.

Was it really important to run syslog as `syslog:adm`? I guess it might improve security, but it seems to be causing some unforeseen problems and divergence between Debian and Ubuntu.
