Saturday, October 31, 2020

Configure ASM audit with syslog on Solaris

This article shows how to use syslog to manage ASM audit files on Solaris 10/11.

If you are looking for the same information for Linux or AIX, please check out the following posts
1. Configure syslog service as OS user root

Add the following line to the syslog configuration file /etc/syslog.conf
local1.info /var/log/oracle/asm_audit.log

Make sure the directory /var/log/oracle exists; it can be created with mkdir
[root@host01]# mkdir /var/log/oracle

In the configuration, 'local1.info' is a selector. It has two parts: 'local1' is a facility and 'info' is a priority. Typically, one of the eight values local0 through local7 is used as the facility, and one of the following values as the priority:

 debug, info, notice, warning, err, crit, alert, emerg

Write down the selector 'local1.info'; it will be used later to set the ASM instance initialization parameter 'audit_syslog_level'.

Note: Use a TAB character to separate 'local1.info' and '/var/log/oracle/asm_audit.log', do NOT use SPACE character(s). Otherwise, you will see the following error in the log file /var/log/syslog
Oct 31 15:08:38 host01 syslogd: line 32: unknown priority name "info /var/log/oracle/asm_audit.log"

Find the line(s) in /etc/syslog.conf whose selector includes '*.info' or 'local1.info'; it will look similar to the following
*.info;auth.none;mail.none  /var/log/syslog

This directs syslog to log everything (except auth and mail) of level info to the file /var/log/syslog, so ASM audit messages (selector local1.info) would also be logged there. To exclude them from /var/log/syslog, add 'local1.none' to the line as follows
*.info;auth.none;mail.none;local1.none  /var/log/syslog

2. Refresh the syslog service so the new configuration takes effect

Check which system-log service instance is running on the system
[root@host01]# svcs system-log
STATE          STIME    FMRI
online         13:09:26 svc:/system/system-log:default

The active syslog service instance is 'system/system-log:default'. Refresh its configuration
[root@host01]# svcadm refresh system/system-log:default

Check the log file /var/log/syslog immediately after the refresh command. If the configuration is correct, you will see a line similar to the following at the end of the file, without any errors,
Oct 31 18:27:28 host01 syslogd: configuration restart

Otherwise you may get the following error, as described in step 1
Oct 31 14:32:20 host01 syslogd: configuration restart
Oct 31 14:32:21 host01 syslogd: line 32: unknown priority name "info    /var/log/oracle/asm_audit.syslog"

3. Configure logadm to manage (rotate, compress, etc.) log files
On Solaris, system log files are rotated by the logadm command, which root runs as a crontab job. The rotation rules are defined with the logadm command and saved in the file /etc/logadm.conf; the file can also be edited manually.

Configure rotation for the log file asm_audit.log with logadm
[root@host01]# logadm -A 6m -c -s 16m -z 2 -w /var/log/oracle/asm_audit.log

Or manually add the following line to /etc/logadm.conf instead of running logadm
/var/log/oracle/asm_audit.log -A 6m -c -s 16m -z 2

Verify that it is configured
[root@host01]# logadm -V /var/log/oracle/asm_audit.log
/var/log/oracle/asm_audit.log -A 6m -c -s 16m -z 2

Here,
   /var/log/oracle/asm_audit.log - the log file to be rotated; it must be the same file specified with selector 'local1.info' in the syslog configuration file /etc/syslog.conf in step 1.
   -A 6m  - Delete any rotated versions that have not been modified for 6 months
   -c     - Rotate the log file by copying it and truncating the original to zero length, rather than renaming the file
   -s 16m - Rotate the log file only if its size is greater than or equal to 16 megabytes
   -z 2   - Compress old log files, leaving the two most recent rotated files uncompressed

4. Configure ASM instance

Set the ASM initialization parameter audit_syslog_level
SQL> connect / as sysasm
Connected.
SQL>
SQL> alter system set audit_syslog_level='local1.info' scope=spfile;
System altered.

Optionally, set the ASM initialization parameter audit_sys_operations
SQL> alter system set audit_sys_operations=TRUE scope=spfile;

With AUDIT_SYSLOG_LEVEL set to local1.info, SYS audit records (when audit_sys_operations=TRUE) and the standard OS audit records are sent to the syslog utility with the selector 'local1.info', and syslog writes them to the log file configured for that selector (here /var/log/oracle/asm_audit.log).

Restart the ASM instance as the owner of the Grid Infrastructure home (usually grid for a cluster installation and oracle for a standalone installation)
[oracle@host01]$ srvctl stop asm -force
[oracle@host01]$ srvctl start asm -force

Note: make sure all databases using ASM have been shut down cleanly before restarting the ASM instance, to avoid database corruption.

5. Verify ASM audit records are created in /var/log/oracle/asm_audit.log

Verify that a privileged connection to ASM (e.g. a SYSASM, SYSDBA, or SYSOPER connection) results in an entry in /var/log/oracle/asm_audit.log similar to the following:
Oct 31 19:52:08 host01 Oracle Audit[5710]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 31 19:52:09 host01 Oracle Audit[5712]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 31 19:52:12 host01 Oracle Audit[5723]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
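As an added example (not part of the original post), here is a Python parser for the audit record format shown above, with a check that each '[n]' length prefix matches its value and a helper that picks out privileged CONNECT records for monitoring. The field names come from the sample lines; the length-prefix check, the second (constructed, rejected SYSASM) record and the reading of STATUS as the Oracle return code are my assumptions.

```python
import re

# Solaris syslogd header, then the Oracle record: "[ID msgid facility.priority] LENGTH : 'n' fields..."
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) Oracle Audit\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<selector>[a-z0-9]+\.[a-z]+)\] LENGTH : '(?P<length>\d+)' (?P<body>.*)$"
)
# One audit field: NAME:[len] 'value'; names may contain spaces and a space before the colon
FIELD_RE = re.compile(r"(?P<name>[A-Z][A-Z ]*?)\s*:\[(?P<len>\d+)\] '(?P<val>[^']*)'")


def parse_audit_line(line):
    """Return header fields plus one key per audit field (e.g. rec['PRIVILEGE']).
    Raises ValueError for non-audit lines and for a [len] prefix that does not match
    its value (assumed here to indicate a truncated or altered record)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an Oracle Audit syslog record")
    rec = {k: m.group(k) for k in ("ts", "host", "pid", "selector", "length")}
    for f in FIELD_RE.finditer(m.group("body")):
        name, declared, value = f.group("name"), int(f.group("len")), f.group("val")
        if declared != len(value):
            raise ValueError(f"{name}: declared length {declared} != actual {len(value)}")
        rec[name] = value
    return rec


def privileged_connects(lines):
    """Return (client user, privilege, status) for each SYSASM/SYSDBA/SYSOPER CONNECT.
    STATUS '0' is a successful connect; any other value is assumed to be the Oracle
    return code of a rejected attempt, which is what a monitoring rule would alert on."""
    hits = []
    for line in lines:
        try:
            rec = parse_audit_line(line)
        except ValueError:  # skip unrelated syslog lines and malformed records
            continue
        if rec.get("ACTION") == "CONNECT" and rec.get("PRIVILEGE") in ("SYSASM", "SYSDBA", "SYSOPER"):
            hits.append((rec["CLIENT USER"], rec["PRIVILEGE"], rec["STATUS"]))
    return hits


# Constructed input: line 1 mirrors the post's sample output, line 2 is an invented rejected SYSASM connect
SAMPLE = [
    "Oct 31 19:52:08 host01 Oracle Audit[5710]: [ID 748625 local0.info] LENGTH : '239' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' "
    "DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'",
    "Oct 31 19:55:41 host01 Oracle Audit[5801]: [ID 748625 local0.info] LENGTH : '240' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSASM' CLIENT USER:[5] 'guest' CLIENT TERMINAL:[5] 'pts/3' STATUS:[4] '1031' "
    "DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[6] 'host01' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'",
]
```

Running privileged_connects(SAMPLE) yields one successful SYSDBA connect by oracle and one rejected SYSASM attempt by guest; a record whose length prefix disagrees with its value is rejected by the parser rather than silently accepted.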

6. Test log file rotation

Repeat the following cat command until the size of asm_audit.log exceeds 16m
[root@host01]# cat /var/log/syslog >> /var/log/oracle/asm_audit.log
                ... ...
[root@host01]# cat /var/log/syslog >> /var/log/oracle/asm_audit.log
[root@host01]# ls -l /var/log/oracle/asm_audit.log
-rw-r--r--   1 root     root     19885517 Oct 31 18:45 /var/log/oracle/asm_audit.log

Run logadm to test rotation
[root@host01]# /usr/sbin/logadm
[root@host01]# ls -l /var/log/oracle
-rw-r--r--   1 root     root        3553 Oct 31 18:46 /var/log/oracle/asm_audit.log
-rw-r--r--   1 root     root     19885517 Oct 31 18:45 asm_audit.log.0

One rotated (backup) log file, asm_audit.log.0, is created.

Repeat two more times (grow asm_audit.log beyond 16m again and run logadm) to test whether the third copy of the log file is compressed
[root@host01]# cat asm_audit.log.0 >> asm_audit.log
[root@host01]# /usr/sbin/logadm
[root@host01]# ls -l
total 78163
-rw-r--r--   1 root     root       19197 Oct 31 18:52 asm_audit.log
-rw-r--r--   1 root     root     19895853 Oct 31 18:48 asm_audit.log.0
-rw-r--r--   1 root     root     19885517 Oct 31 18:45 asm_audit.log.1

[root@host01]# cat asm_audit.log.0 >> asm_audit.log
[root@host01]# /usr/sbin/logadm
[root@host01]# ls -l
total 81244
-rw-r--r--   1 root     root        4522 Oct 31 18:53 asm_audit.log
-rw-r--r--   1 root     root     19918280 Oct 31 18:52 asm_audit.log.0
-rw-r--r--   1 root     root     19895853 Oct 31 18:48 asm_audit.log.1
-rw-r--r--   1 root     root     1465806 Oct 31 18:45 asm_audit.log.2.gz

The oldest (third) log file asm_audit.log.2.gz is compressed and, as configured in step 3, the two most recent copies asm_audit.log.0 and asm_audit.log.1 are not compressed.

The configuration is now complete. ASM SYS and OS audit records are written to the syslog log file /var/log/oracle/asm_audit.log, which is rotated when its size reaches 16m, and rotated copies are kept for 6 months.
