Overcoming permission problems while checking Linux log files from Nagios

We use Nagios in my work environment to check meaningful metrics on our systems.

One of the items that must be checked is the /var/log/messages file (or any other log file).

I use the check_logfiles script, but there is a problem with permissions: because the script runs as the nagios user, it cannot read the messages log file. So the permissions must be adjusted to give the nagios user read access to the messages file.

I did this from the command line:

setfacl -m u:nagios:rx /var/log/messages

That solved the problem. By the way, the above command uses ACLs (Access Control Lists), which are enabled by default on Linux systems. ACLs are an extension of the standard Linux user-group-others permission scheme: with an ACL you can grant more granular permissions to individual users. For example, the command above gives the nagios user read and execute permissions on the messages file, which is not possible with the standard permission scheme.

But the next day my log file check stopped working with permission errors. I investigated and found that Linux rotates log files, and the new log file is created with the standard permissions only, so the ACL entry is lost.

On Linux, the /etc/cron.daily directory contains the daily scheduled jobs. One of them is logrotate, which is responsible for creating the new messages file.

Its main config file is /etc/logrotate.conf, and the per-subsystem configuration lives in the /etc/logrotate.d directory. /etc/logrotate.d/syslog defines how the new messages file will be created. Here we must add a postrotate command to adjust the permissions. The following is my new syslog file; the setfacl line is the one I added.

[root@nagios logrotate.d]# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        /usr/bin/setfacl -m u:nagios:rx /var/log/messages
    endscript
}

Now, let's force logrotate to create new log files:

logrotate -f /etc/logrotate.conf

and check the new permissions:

[root@nagios ~]# getfacl /var/log/messages
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: root

It is OK now.
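As an added example that is not part of the original post, the following small check parses getfacl output the way the kernel evaluates a POSIX ACL (owner, named user, groups through the mask, other) and reports, Nagios-style, whether the nagios user still has read access after a rotation. The sample getfacl output and the check_log_readable helper are constructed for this example.

```python
import subprocess
# Constructed sample getfacl output (not from the original post): the ACL the
# postrotate setfacl line is meant to leave on /var/log/messages.
SAMPLE_GETFACL = """\
# owner: root
# group: root
user::rw-
user:nagios:r-x
group::r--
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Map (tag, qualifier) -> perms, e.g. ("user", "nagios") -> "r-x"; also return owner and group."""
    entries, owner, group = {}, None, None
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            group = raw.split(":", 1)[1].strip()
        line = raw.split("#", 1)[0].strip()  # drops header lines and '#effective:' annotations
        if line:
            tag, qualifier, perms = line.split(":", 2)
            entries[(tag, qualifier)] = perms.strip()
    return entries, owner, group

def can_read(text, user, groups=()):
    """POSIX ACL evaluation order for read: owner, named user, owning/named
    groups (named-user and group entries are limited by the mask), then other."""
    entries, owner, owning_group = parse_getfacl(text)
    mask = entries.get(("mask", ""))
    def granted(perms):
        return "r" in perms and (mask is None or "r" in mask)
    if user == owner:
        return "r" in entries.get(("user", ""), "")
    if ("user", user) in entries:
        return granted(entries[("user", user)])
    matching = [p for (tag, q), p in entries.items() if tag == "group"
                and ((q == "" and owning_group in groups) or (q != "" and q in groups))]
    if matching:  # a matching group entry that grants nothing denies; no fallthrough to other
        return any(granted(p) for p in matching)
    return "r" in entries.get(("other", ""), "")

def check_log_readable(path, user="nagios", groups=("nagios",)):
    """Nagios-style check (assumed helper): run getfacl -p on path and report read access."""
    out = subprocess.run(["getfacl", "-p", path], capture_output=True, text=True, check=True).stdout
    ok = can_read(out, user, groups)
    return (0, "OK - %s can read %s" % (user, path)) if ok else (2, "CRITICAL - %s cannot read %s (ACL lost after rotation?)" % (user, path))
```

check_log_readable needs getfacl on the host; the return code follows the Nagios convention (0 OK, 2 CRITICAL), so the function can be wrapped as a plugin that alerts when the ACL is lost.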

Update 1:

If you get an "Operation not supported" message from setfacl, you have to enable ACL support for the partition:

  • determine on which partition /var/log/messages is located (df -h)
  • edit /etc/fstab and add the acl option to that partition, e.g.

LABEL=/1       /            ext3    defaults,acl        1 1

  • run mount -o remount / to activate the new option.
