This post shows how to configure rsyslog on Linux (Red Hat Enterprise Linux 7/8) to redirect ASM audit message to OS log files.
If you are looking for the information for Solaris or AIX, please check out following posts
Configure ASM audit with syslog on Solaris.
Reduce number of privileged access audit files for ASM with syslog on AIX.
Reduce number of privileged access audit files for ASM with syslog on AIX.
1. Configure rsyslog service as OS user root
Add following line to rsyslog configuration file /etc/rsyslog.conf
local1.info /var/log/oracle/asm_audit.log
Make sure the directory /var/log/oracle exists, it can be created with mkdir
[root@host01]# mkdir /var/log/oracle
I prefer dedicated subdirectory (oracle) under /var/log to shared root directory /var/log because many system services and application save their log files directly under /var/log and I do not have to look for my log files among many other log files when save my log files in separated directory.
In the configuration, 'local1.info' is a selector. It has two parts, 'local1' is a facility and 'info' is a priority. Typically, we can use one of eight values local0 through local7 as facility and one of following values as priority,
debug, info, notice, warning, err, crit, alert, emerg
The selector 'local1.info' will be needed for ASM instance configuration.
Find out entry (line) for /var/log/messages in file /etc/rsyslog.conf, it looks similar as following
*.info;mail.none;authpriv.none;cron.none /var/log/messages
It direct rsyslog to log anything (except mail, authpriv and cron) of level info to file /var/log/messages, of course, ASM audit messages (with selector local1.info) are also logged into this file. In order to exclude it, add 'local1.none' to the entry as following
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
2. Configure logrotate to manage (rotate, compress, etc.) log files
The rsyslog service does not have same rotation facility as syslog. The Linux logrotate utility is used to manage the size and number of rsyslog log files. Create the file /etc/logrotate.d/asm_audit with the following content:
/var/log/oracle/asm_audit.log {
weekly
rotate 26
compress
copytruncate
delaycompress
notifempty
}
rotate 26
compress
copytruncate
delaycompress
notifempty
}
Here,
/var/log/oracle/asm_audit.log - the log file which will be rotated and must be same as log file defined with selector 'local1.info' in rsyslog configuration file /etc/rsyslog.conf in step 1.
weekly - the log file will be rotated weekly
rotate 26 - the log file will be deleted after 26 weeks
commpress - old versions of log files are compressed
copytruncate - truncate the original log file in place after creating a copy
delaycompress - postpone compression of the previous log file to the next rotation cycle
notifempty - do not rotate the log if it is empty
weekly - the log file will be rotated weekly
rotate 26 - the log file will be deleted after 26 weeks
commpress - old versions of log files are compressed
copytruncate - truncate the original log file in place after creating a copy
delaycompress - postpone compression of the previous log file to the next rotation cycle
notifempty - do not rotate the log if it is empty
3. Restart rsyslog service
On Red Hat Enterprise Linux (RHEL) 7 & 8 or Oracle Linux 7 & 8, run command systemctl restart rsyslog.service
[root@host01]# systemctl restart rsyslog.service
The command may be different on other Linux releases or distributions. For example, on RHEL 5/6 or Oracle Linux 5/6, following command is used,
service rsyslog restart
4. Configure ASM instance
Set ASM initialization parameter audit_syslog_level
SQL> connect / as sysasm
Connected.
SQL>
SQL> alter system set audit_syslog_level='local1.info' scope=spfile;
System altered.
Connected.
SQL>
SQL> alter system set audit_syslog_level='local1.info' scope=spfile;
System altered.
Optionally, set ASM initialization parameter audit_sys_operations
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
Parameter AUDIT_SYSLOG_LEVEL setting (local1.info) allows SYS (when audit_sys_operations=TRUE) and standard OS audit records (with selector identifier 'local1.info') to be sent to the SYSLOG utility (rsyslog) and SYSLOG utility writes the records to the system audit log file selected by selector (local1.info).
Restart ASM instance as owner of Grid Infrastructure home (usually grid for cluster installation and oracle for standalone installation)
[oracle@host01]$ srvctl stop asm -force
[oracle@host01]$ srvctl start asm -force
[oracle@host01]$ srvctl start asm -force
Note: make sure all databases using ASM have been shut down successfully before restart ASM instance in case of database corruption.
5. Verify ASM audit records are created in /var/log/oracle/asm_audit.log
Verify that a privileged connection to ASM (e.g. SYSASM, SYSDBA, or SYSOPER connection) result in an entry created in /var/log/oracle/asm_audit.log similar to the following:
Oct 27 22:19:53 host01 journal: Oracle Audit[12125]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSASM' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 27 22:19:59 host01 journal: Oracle Audit[12130]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 27 22:20:03 host01 journal: Oracle Audit[12141]: LENGTH : '261' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[7] 'SYSOPER' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 27 22:19:59 host01 journal: Oracle Audit[12130]: LENGTH : '260' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Oct 27 22:20:03 host01 journal: Oracle Audit[12141]: LENGTH : '261' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[7] 'SYSOPER' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[21] 'host01.lab.dbaplus.ca' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
6. Test log file rotation
Force log file rotation with command logrorate -f
[root@host01 /]# ls -l /var/log/oracle
total 12
-rw-------. 1 root root 9327 Oct 27 22:20 asm_audit.log
[root@host01 /]#
[root@host01 /]# logrotate -f /etc/logrotate.d/asm_audit
[root@host01 /]#
[root@host01 /]# ls -l /var/log/oracle
total 12
-rw-------. 1 root root 0 Oct 27 22:36 asm_audit.log
-rw-------. 1 root root 9327 Oct 27 22:36 asm_audit.log.1
total 12
-rw-------. 1 root root 9327 Oct 27 22:20 asm_audit.log
[root@host01 /]#
[root@host01 /]# logrotate -f /etc/logrotate.d/asm_audit
[root@host01 /]#
[root@host01 /]# ls -l /var/log/oracle
total 12
-rw-------. 1 root root 0 Oct 27 22:36 asm_audit.log
-rw-------. 1 root root 9327 Oct 27 22:36 asm_audit.log.1
One rotation (backup) log file asm_audit.log.1 is created.
Connect to ASM instance as SYSDBA to generate new audit records, and make sure log file asm_audit.log is not empty
Force another log file rotation with command logrorate -f
SQL> connect / as sysdba
Connected.
SQL>exit
Connected.
SQL>exit
Force another log file rotation with command logrorate -f
[root@host01 /]# ls -l /var/log/oracle
total 16
-rw-------. 1 root root 2296 Oct 27 22:43 asm_audit.log
-rw-------. 1 root root 9327 Oct 27 22:36 asm_audit.log.1
[root@host01 /]#
[root@host01 /]# logrotate -f /etc/logrotate.d/asm_audit
[root@host01 /]#
[root@host01 /]# ls -l /var/log/oracle
total 8
-rw-------. 1 root root 0 Oct 27 22:44 asm_audit.log
-rw-------. 1 root root 2296 Oct 27 22:44 asm_audit.log.1
-rw-------. 1 root root 743 Oct 27 22:36 asm_audit.log.2.gz
total 16
-rw-------. 1 root root 2296 Oct 27 22:43 asm_audit.log
-rw-------. 1 root root 9327 Oct 27 22:36 asm_audit.log.1
[root@host01 /]#
[root@host01 /]# logrotate -f /etc/logrotate.d/asm_audit
[root@host01 /]#
[root@host01 /]# ls -l /var/log/oracle
total 8
-rw-------. 1 root root 0 Oct 27 22:44 asm_audit.log
-rw-------. 1 root root 2296 Oct 27 22:44 asm_audit.log.1
-rw-------. 1 root root 743 Oct 27 22:36 asm_audit.log.2.gz
The file asm_audit.log.1 is copied and compressed into file asm_audit.log.2.gz, file asm_audit.log is truncated after copied to file asm_audit.log.1.
So far, the configuration is completed. The ASM SYS and OS audit records will be written into rsyslog log file /var/log/oracle/asm_audit.log, and the log file will be rotated weekly and kept 26 weeks.
No comments:
Post a Comment