Overcoming Permission problem while Checking linux logfiles from nagios
We use Nagios in my work environment. Nagios checks meaningful metrics on systems.
One of the items that must be checked is the /var/log/messages file (or any other log file).
I use the check_logfiles script, but there is a problem with permissions: because the script runs under the nagios user, it cannot check the messages log file. So a permission adjustment is needed. I have to give the nagios user permission to read the messages file.
I did this from the command line:
setfacl -m u:nagios:rx /var/log/messages
So the problem was solved. By the way, the above command uses ACLs (access control lists), which are enabled by default in Linux systems. This is an extension to the standard Linux user-group-others permission scheme. With ACLs you can give more granular permissions to users. For example, in the above command we give the nagios user read and execute permissions on the messages file. This is not possible with the standard permission scheme.
But the next day my log file checking stopped working. It gave permission errors. I investigated the case and found that Linux rotates log files, and the new log file was created with standard permissions.
In Linux, the /etc/cron.daily directory contains daily scheduled jobs. One is logrotate, which is responsible for the new messages file.
It has a main config file, /etc/logrotate.conf, and for subsystems it has the /etc/logrotate.d directory. The /etc/logrotate.d/syslog file defines how the new messages file will be created. Here we must add a postrotate command to adjust permissions. The following is my new syslog file. The added line is the /usr/bin/setfacl line.
[root@nagios logrotate.d]# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        /usr/bin/setfacl -m u:nagios:rx /var/log/messages
    endscript
}
Now, let's force logrotate to create new log files:
logrotate -f /etc/logrotate.conf
Get the new permissions:
[root@nagios ~]# getfacl /var/log/messages
getfacl: Removing leading '/' from absolute path names
# file: var/log/messages
# owner: root
# group: root
user::rw-
user:nagios:r-x
group::r-x
mask::r-x
other::---
It is OK now...
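The ACL that getfacl prints can also be checked by script, so that a rotation that drops the nagios entry is noticed. The following shell functions are an added example, not part of the original post: they read getfacl output on stdin and compute what the nagios user can effectively do, taking into account that a named-user entry is limited by the mask entry; the function names and the sample ACL texts are constructed for illustration.

```shell
# Added example, not from the original post. Reads `getfacl` output on stdin
# and reports what a named user can effectively do. A named-user entry is
# limited by the mask entry, so both are taken into account.

# effective_acl_perms USER: prints e.g. "r-x"; returns 1 if USER has no entry.
effective_acl_perms() {
    awk -F: -v who="$1" '
        /^#/ { next }                        # skip "# file:", "# owner:" headers
        $1 == "user" && $2 == who { entry = substr($3, 1, 3) }
        $1 == "mask"              { mask  = substr($3, 1, 3) }
        END {
            if (entry == "") exit 1          # no entry, e.g. freshly rotated file
            if (mask == "") mask = "rwx"     # no mask entry: nothing limits it
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# can_read USER: succeeds only if the effective permissions include read.
can_read() {
    perms=$(effective_acl_perms "$1") || return 1
    case $perms in r*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples: the ACL shown in the post, a freshly rotated file with
# no nagios entry, and an entry that the mask has reduced to nothing.
ACL_OK='user::rw-
user:nagios:r-x
group::r-x
mask::r-x
other::---'
ACL_ROTATED='user::rw-
group::---
other::---'
ACL_MASKED='user::rw-
user:nagios:r-x
group::r-x
mask::---
other::---'

for sample in "$ACL_OK" "$ACL_ROTATED" "$ACL_MASKED"; do
    if printf '%s\n' "$sample" | can_read nagios; then echo "OK"
    else echo "CRITICAL: nagios cannot read"; fi
done
```

On a live system, pipe `getfacl /var/log/messages 2>/dev/null` into `can_read nagios`. Only the read bit is tested, so an entry of u:nagios:r passes as well.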
Update 1:
If you get an "Operation not supported" message from the setfacl command, then you have to enable ACL support for the partition:
- determine on which partition /var/log/messages is located (df -h)
- edit /etc/fstab and add the acl parameter to that partition, e.g.
LABEL=/1 / ext3 defaults,acl 1 1
- activate the new parameter with
mount -o remount /