diff --git a/base-files/cron.hourly/log-acls b/base-files/cron.hourly/log-acls
index e5d11c9..6311a9d 100755
--- a/base-files/cron.hourly/log-acls
+++ b/base-files/cron.hourly/log-acls
@@ -4,19 +4,22 @@
 sleep 120
 # Secure /var/log
+shopt -s globstar
+GLOBIGNORE="/var/log/packages/:/var/log/setup/:/var/log/scripts/"
 # Set standard access perms for directories
+setfacl -m user::rwx,group::rx,other::- /var/log/**/
 setfacl -m user::rwx,group::rx,other::x /var/log/
-find /var/log/*/ -type d -exec setfacl -m user::rwx,group::rx,other::- {} \;
 # Set standard access perms for files
-find /var/log -type f -exec setfacl -Rm user::rw,group::r,other::- {} \;
+find /var/log -type f -exec setfacl -m user::rw,group::r,other::- {} +
 # Allow group 'admin' read access to all directories/files
-find /var/log -type d -exec setfacl -m group:admin:rX {} \;
-find /var/log -type f -exec setfacl -m group:admin:r {} \;
+setfacl -m group:admin:rX /var/log/**/
+find /var/log -type f -exec setfacl -m group:admin:r {} +
 # Set default access for new files in directories.
-find /var/log -type d -exec setfacl -dm user::rwX,group::rX,other::- {} \;
-find /var/log -type d -exec setfacl -dm group:admin:rX {} \;
-# /var/log/wtmp needs to be readable by everyone
+setfacl -dm user::rwX,group::rX,other::- /var/log/**/
+setfacl -dm group:admin:rX /var/log/**/
+# /var/log/wtmp needs to be readable by everyone
 setfacl -m user::rw,group::r,other::r /var/log/wtmp
+unset GLOBIGNORE
 # To clear above ACL settings:
 # setfacl -Rk /path
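Review bot: GLOBIGNORE only drops exact matches from the expansion, so the new patterns keep `/var/log/packages/` itself out of `/var/log/**/`, but any subdirectory below it is still matched and still receives the `other::-`, `group:admin:rX` and default ACLs; if whole trees are meant to be exempt, a recursive pattern is needed too, e.g. `GLOBIGNORE="/var/log/packages/:/var/log/packages/**:..."` (or a `find -prune` for the file passes, which GLOBIGNORE does not affect at all). Two side effects of switching from `find -type d` to a glob deserve a comment in the script: setting GLOBIGNORE implicitly enables dotglob, so dot-directories are now included, and `**/` matches a symlink to a directory at leaf level, which setfacl dereferences, whereas the replaced `find -type d` never followed symlinks — setfacl's `-P`/`--physical` flag skips symlink arguments if that is not wanted. Note also that `/var/log/**/` includes `/var/log/` itself, so the first directory line sets `other::-` on the top directory and relies on the next line to restore `other::x`; a one-line comment such as `# /var/log/**/ includes /var/log/ itself; the following line restores other::x on it` would keep a later reorder from silently locking the directory.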