This article shows how to use syslog to manage ASM audit files on Solaris 10/11.
If you are looking for the same procedure on Linux or AIX, see the following posts:
Reduce number of privileged access audit files for ASM with syslog on AIX.
Reduce number of privileged access audit files for ASM with rsyslog on Linux.
1. Configure syslog service as OS user root
Add the following line to the syslog configuration file /etc/syslog.conf (the selector and the file name are separated by a TAB, see the note below)
local1.info	/var/log/oracle/asm_audit.log
Make sure the directory /var/log/oracle exists; if not, create it with mkdir
[root@host01]# mkdir /var/log/oracle
The listings in step 6 show the audit file owned by root with mode 644, i.e. readable by every local user. If the audit records must not be world-readable, tighten the directory, for example with chmod 750 /var/log/oracle.
In this entry 'local1.info' is the selector. It has two parts: 'local1' is the facility and 'info' is the priority. Typically one of the eight values local0 through local7 is used as the facility, and one of the following values as the priority (lowest first; a selector at a given priority receives that priority and everything above it),
debug, info, notice, warning, err, crit, alert, emerg
Note the selector 'local1.info'; it is used in step 4 to set the ASM instance initialization parameter 'audit_syslog_level'.
Note: Use a TAB character to separate 'local1.info' from '/var/log/oracle/asm_audit.log', NOT space characters. With spaces, syslogd reads the rest of the line as part of the priority name, drops the entry, and writes the following error to /var/log/syslog
Oct 31 15:08:38 host01 syslogd: line 32: unknown priority name "info /var/log/oracle/asm_audit.log"
Next, find the line(s) in /etc/syslog.conf whose selector also matches local1.info, typically a catch-all such as '*.info'. It looks similar to the following
*.info;auth.none;mail.none	/var/log/syslog
This directs syslog to log everything (except auth and mail) at priority info or above to /var/log/syslog, so the ASM audit messages (selector local1.info) would be written to that file as well. To exclude them from /var/log/syslog, add 'local1.none' to the line as follows
*.info;auth.none;mail.none;local1.none	/var/log/syslog
2. Refresh the syslog service so it reads the new configuration
Check which system-log service instance is running on the system
[root@host01]# svcs system-log
STATE STIME FMRI
online 13:09:26 svc:/system/system-log:default
The active syslog service is 'system/system-log:default'. Refresh it so that syslogd re-reads /etc/syslog.conf
[root@host01]# svcadm refresh system/system-log:default
Check /var/log/syslog immediately after the refresh command. If the configuration is correct, the last line of the file looks like the following and is not followed by any error,
Oct 31 18:27:28 host01 syslogd: configuration restart
If the selector and the file name are separated by spaces instead of a TAB, you get the error described in step 1
Oct 31 14:32:20 host01 syslogd: configuration restart
Oct 31 14:32:21 host01 syslogd: line 32: unknown priority name "info /var/log/oracle/asm_audit.syslog"
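Both mistakes from steps 1 and 2 (a space instead of a TAB, and a catch-all selector that still receives the local1 records) can be caught before the refresh. The following shell function is an added example and is not part of the original post; it uses only awk, takes the facility name as an argument (local1 here) and reports a catch-all only when its priority is at or below the one used for the ASM entry, since a line such as '*.err' would not receive local1.info records anyway.

```shell
#!/bin/sh
# Added example, not part of the original post: lint the /etc/syslog.conf
# entries from step 1 before refreshing syslogd in step 2.
#
# check_syslog_conf FILE FACILITY
#   FACILITY is the facility chosen for the ASM records (local1 above).
#   Prints one diagnostic per problem and returns the number of problems,
#   so a return value of 0 means the file passes.
check_syslog_conf() {
    conf=$1
    fac=$2
    awk -v fac="$fac" '
        BEGIN {
            # syslog priorities, lowest first; a selector at priority P
            # receives everything at P or above.
            n = split("debug info notice warning err crit alert emerg", p, " ")
            for (i = 1; i <= n; i++) rank[p[i]] = i
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }       # blank lines and comments
        {
            # Solaris syslogd only accepts a TAB between selector and action;
            # with spaces it logs "unknown priority name ..." and drops the line.
            if (index($0, "\t") == 0) {
                printf "line %d: selector and action are not separated by a TAB: %s\n", NR, $0
                bad++
            }
            sel = $1
            first = sel; sub(/;.*/, "", first)  # first facility.priority pair
            split(first, fp, "\\.")
            if (fp[1] == fac) { seen_fac = 1; fac_pri = fp[2] }
            # Remember *.<priority> catch-alls that do not list fac.none.
            if (fp[1] == "*" && index(sel, fac ".none") == 0) {
                nc++; c_line[nc] = NR; c_pri[nc] = fp[2]; c_sel[nc] = sel
            }
        }
        END {
            if (!seen_fac) {
                printf "no %s.<priority> entry found\n", fac
                bad++
            } else {
                # A catch-all at the same or a lower priority than the
                # facility entry also receives the ASM records.
                for (i = 1; i <= nc; i++)
                    if (rank[c_pri[i]] <= rank[fac_pri]) {
                        printf "line %d: %s also receives %s.%s records; add ;%s.none\n", c_line[i], c_sel[i], fac, fac_pri, fac
                        bad++
                    }
            }
            exit bad
        }' "$conf"
}
```

Run it as check_syslog_conf /etc/syslog.conf local1 before svcadm refresh; a non-zero return value means there is something to fix, and the diagnostics name the offending line numbers, which are the same numbers syslogd prints in its own error.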
3. Configure logadm to manage (rotate, compress, etc.) log files
On Solaris, the system log files are rotated by the logadm command, which root runs from a crontab entry. The rotation rules are kept in /etc/logadm.conf; they can be added with logadm -w or by editing the file by hand.
Configure rotation for the log file asm_audit.log with logadm
[root@host01]# logadm -A 6m -c -s 16m -z 2 -w /var/log/oracle/asm_audit.log
Or manually add the following line to /etc/logadm.conf instead of running logadm -w
/var/log/oracle/asm_audit.log -A 6m -c -s 16m -z 2
Verify that the entry has been recorded
[root@host01]# logadm -V /var/log/oracle/asm_audit.log
/var/log/oracle/asm_audit.log -A 6m -c -s 16m -z 2
Here,
/var/log/oracle/asm_audit.log - the log file to rotate; it must be the same file that is named for selector 'local1.info' in /etc/syslog.conf in step 1.
-A 6m - Delete any rotated versions that have not been modified for 6 months
-c - Rotate the log file by copying it and truncating the original to zero length, rather than renaming it. This matters for a syslog target: syslogd keeps its open file descriptor, so with a plain rename it would keep writing into the renamed copy until it is sent SIGHUP (which is why the stock Solaris entries carry an -a 'kill -HUP ...' action). The price of -c is that a record written between the copy and the truncate is lost.
-s 16m - Rotate the log file only if its size is greater than or equal to 16 megabytes
-z 2 - Compress rotated log files, leaving the two most recent ones uncompressed
4. Configure ASM instance
Set ASM initialization parameter audit_syslog_level
SQL> connect / as sysasm
Connected.
SQL>
SQL> alter system set audit_syslog_level='local1.info' scope=spfile;
System altered.
Optionally, set the ASM initialization parameter audit_sys_operations
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
With AUDIT_SYSLOG_LEVEL set to local1.info, the ASM instance sends its OS audit records, and (when audit_sys_operations=TRUE) the audit records of SYS operations, to syslog with facility local1 and priority info. syslogd then writes them to the file selected for 'local1.info' in step 1, /var/log/oracle/asm_audit.log.
Restart the ASM instance as the owner of the Grid Infrastructure home (usually grid for a cluster installation and oracle for a standalone installation)
[oracle@host01]$ srvctl stop asm -force
[oracle@host01]$ srvctl start asm -force
Note: make sure all databases using this ASM instance have been shut down cleanly before restarting ASM, otherwise you risk database corruption.
5. Verify ASM audit records are created in /var/log/oracle/asm_audit.log
Verify that a privileged connection to ASM (a SYSASM, SYSDBA or SYSOPER connection) results in an entry in /var/log/oracle/asm_audit.log similar to the following:
Oct 31 19:52:08 host01 Oracle Audit[5710]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 31 19:52:09 host01 Oracle Audit[5712]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 31 19:52:12 host01 Oracle Audit[5723]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
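The audit file is only useful if somebody reads it. The following shell functions are an added example, not part of the original post: they pull the privileged CONNECT records out of the syslog file, using the KEY:[length] 'value' layout shown in the records above, and flag the ones worth looking at, namely failed attempts (STATUS other than 0) and connections from OS users outside an allow list. The sample lines in sample_audit_log are constructed for this example (the STATUS value 1017 stands for a rejected login and, like the line lengths, is illustrative, not taken from the post), and the default allow list 'oracle grid' is an assumption to adjust to your installation.

```shell
#!/bin/sh
# Added example, not part of the original post: review privileged
# connections in the ASM audit file written by syslog.

# audit_field RECORD NAME
#   Prints the value of NAME from a record laid out as NAME:[len] 'value'.
#   Works for names with an optional space before the colon ("ACTION :[7]")
#   and for multi-word names ("CLIENT USER").
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2 *:\\[[0-9]*] '\\([^']*\\)'.*/\\1/p"
}

# review_privileged_connects FILE [ALLOWED_OS_USERS]
#   Prints one line per SYSDBA/SYSASM/SYSOPER CONNECT record and returns the
#   number of records flagged (failed status or OS user not in the allow list).
review_privileged_connects() {
    file=$1
    allowed=${2:-"oracle grid"}     # assumed allow list of OS users
    flagged=0
    while IFS= read -r rec; do
        case $rec in *"Oracle Audit"*) ;; *) continue ;; esac   # skip other syslog lines
        [ "$(audit_field "$rec" ACTION)" = CONNECT ] || continue
        priv=$(audit_field "$rec" PRIVILEGE)
        case $priv in SYSDBA|SYSASM|SYSOPER) ;; *) continue ;; esac
        osuser=$(audit_field "$rec" "CLIENT USER")
        status=$(audit_field "$rec" STATUS)
        host=$(audit_field "$rec" USERHOST)
        why=""
        [ "$status" = 0 ] || why="failed (STATUS=$status)"
        case " $allowed " in
            *" $osuser "*) ;;
            *) why="${why:+$why, }OS user not in allow list" ;;
        esac
        if [ -n "$why" ]; then
            flagged=$((flagged + 1))
            printf 'ALERT %s as %s from %s: %s\n' "$osuser" "$priv" "$host" "$why"
        else
            printf 'ok    %s as %s from %s\n' "$osuser" "$priv" "$host"
        fi
    done < "$file"
    return $flagged
}

# Constructed sample records in the layout shown in step 5: one normal
# SYSDBA login, one rejected SYSASM login, one SYSDBA login by an
# unexpected OS user, and one unrelated syslogd line.
sample_audit_log() {
    cat <<'EOF'
Nov  1 09:00:01 host01 Oracle Audit[5810]: [ID 748625 local1.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Nov  1 09:00:05 host01 Oracle Audit[5814]: [ID 748625 local1.info] LENGTH : '242' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'sys' PRIVILEGE :[6] 'SYSASM' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[4] '1017' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Nov  1 09:01:12 host01 Oracle Audit[5821]: [ID 748625 local1.info] LENGTH : '238' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[4] 'mike' CLIENT TERMINAL:[5] 'pts/3' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Nov  1 09:02:00 host01 syslogd: configuration restart
EOF
}
```

Against the sample, the first record is reported as ok and the other two as ALERT, so the function returns 2. On a real system run it as review_privileged_connects /var/log/oracle/asm_audit.log "oracle grid" (and over the rotated asm_audit.log.N copies from step 3 as needed); the return value is the count of flagged records, which makes it easy to wire into a cron job that only mails when it is non-zero.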
6. Test log file rotation
Run the following cat command repeatedly until asm_audit.log is larger than 16m
[root@host01]# cat /var/log/syslog >> /var/log/oracle/asm_audit.log
... ...
[root@host01]# cat /var/log/syslog >> /var/log/oracle/asm_audit.log
[root@host01]# ls -l /var/log/oracle/asm_audit.log
-rw-r--r-- 1 root root 19885517 Oct 31 18:45 /var/log/oracle/asm_audit.log
Run logadm to test rotation
[root@host01]# /usr/sbin/logadm
[root@host01]# ls -l /var/log/oracle
-rw-r--r-- 1 root root 3553 Oct 31 18:46 asm_audit.log
-rw-r--r-- 1 root root 19885517 Oct 31 18:45 asm_audit.log.0
One rotated (backup) log file, asm_audit.log.0, has been created.
Repeat twice more (grow asm_audit.log past 16m again, then run logadm) to check that the third copy is compressed
[root@host01]# cat asm_audit.log.0 >> asm_audit.log
[root@host01]# /usr/sbin/logadm
[root@host01]# ls -l
total 78163
-rw-r--r-- 1 root root 19197 Oct 31 18:52 asm_audit.log
-rw-r--r-- 1 root root 19895853 Oct 31 18:48 asm_audit.log.0
-rw-r--r-- 1 root root 19885517 Oct 31 18:45 asm_audit.log.1
[root@host01]# cat asm_audit.log.0 >> asm_audit.log
[root@host01]# /usr/sbin/logadm
[root@host01]# ls -l
total 81244
-rw-r--r-- 1 root root 4522 Oct 31 18:53 asm_audit.log
-rw-r--r-- 1 root root 19918280 Oct 31 18:52 asm_audit.log.0
-rw-r--r-- 1 root root 19895853 Oct 31 18:48 asm_audit.log.1
-rw-r--r-- 1 root root 1465806 Oct 31 18:45 asm_audit.log.2.gz
The oldest (third) log file, asm_audit.log.2.gz, is compressed, and as configured in step 3 the two most recent copies, asm_audit.log.0 and asm_audit.log.1, are left uncompressed.
The configuration is now complete. ASM SYS and OS audit records are written to the syslog file /var/log/oracle/asm_audit.log; the file is rotated whenever it reaches 16m, and the rotated copies are kept for 6 months.