Set Up Continuous Log Collection From Your Hosts

To continuously collect log data from your entities, install the Management Agent on your host. Before that, ensure that you have completed the prerequisite tasks for using the Management Agents.

Permission Required for Setting Up Continuous Log Collection

When you perform the prerequisites for deploying Management Agents in the step Install Management Agents, you create the required compartment, the user group for Logging Analytics users, and the IAM policies for installing the Management Agents. As part of the prerequisites, ensure that the following policies are created for your user group:

ALLOW GROUP Logging-Analytics-User-Group TO MANAGE management-agents IN COMPARTMENT <compartment_name>
ALLOW GROUP Logging-Analytics-User-Group TO MANAGE management-agent-install-keys IN TENANCY
ALLOW GROUP Logging-Analytics-User-Group TO READ METRICS IN COMPARTMENT <compartment_name>
ALLOW GROUP Logging-Analytics-User-Group TO READ USERS IN TENANCY

In the above example policy statements, Logging-Analytics-User-Group is an example user group.

Also, create a dynamic group for the Management Agents if it doesn't already exist, for example Management-Agent-Dynamic-Group:

ALL {resource.type='managementagent', resource.compartment.id='<management_agent_compartment_OCID>'}

Create IAM policies for Management-Agent-Dynamic-Group to enable log collection and metrics generation:

ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO USE METRICS IN TENANCY
ALLOW DYNAMIC-GROUP Management-Agent-Dynamic-Group TO {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN TENANCY

Grant READ Access of the Logs to the Agent User on Your Host

While deploying the management agents for using Oracle Cloud Logging Analytics on UNIX-based hosts, ensure that the management agent has the correct privileges to read the log files from where data has to be collected.

You can use one of the following ways (in order of best practice) to make the log files readable to the management agent:

  • Use Access Control Lists (ACLs) to enable the cloud agent user to read the log file path and log files. An ACL provides a flexible permission mechanism for file systems. Ensure that the full path to the log files is readable through the ACL.

    To set up an ACL in a UNIX-based host:

    1. Determine whether the system that contains the log files has the acl package:

      rpm -q acl

      If the system contains the acl package, then the previous command should return:

      acl-2.2.39-8.el5

      If the system doesn’t have the acl package, then download and install the package.

    2. Grant the management agent user READ access to the required log file:

      setfacl -m u:<agentuser>:r <path to the log file/log file name>

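      Grant the cloud agent user READ access to the leading path or folders by running the following command. Use rX rather than r here: a named-user ACL entry takes precedence over the other-class permissions for that user, and the agent needs execute (search) permission on each folder to open the files inside it. The capital X sets execute only on directories and on files that are already executable:

      setfacl -R -m u:<agentuser>:rX <path to the parent folder of the log file>
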
  • Place the management agent and the product that generates the logs in the same user group, and make the files readable to the entire group. Restart the agent.

  • Make the log files readable to all users. For example, chmod o+r <file>.

    You may have to give executable permission to the parent folders. For example, chmod o+rx <parent folder>.
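The ACL option above can be checked before the agent is started. The following is an added example, not part of Oracle's documentation: it reads text in getfacl output format and reports whether a named-user entry really grants read on a file or search on a folder once the mask is applied. The user name mgmt_agent, the function names and the sample ACLs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Input is text in `getfacl` output format;
# the user name mgmt_agent and the sample ACLs below are constructed.

# effective_acl USER: read getfacl text on stdin and print the effective rwx
# triplet of USER's named-user entry (entry AND mask). Prints "---" when no
# named-user entry exists; access then depends on the group/other bits.
effective_acl() {
    awk -F: -v u="$1" '
        $1 == "user" && $2 == u { perm = substr($3, 1, 3) }
        $1 == "mask"            { mask = substr($3, 1, 3) }
        END {
            if (perm == "") perm = "---"
            if (mask == "") mask = "rwx"   # minimal ACL without a mask entry
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1)
                if (p != "-" && substr(mask, i, 1) != "-") { out = out p }
                else { out = out "-" }
            }
            print out
        }'
}

# acl_allows KIND USER: KIND "file" needs r; KIND "dir" needs x, because
# opening a file requires search permission on every folder above it.
acl_allows() {
    case "$1:$(effective_acl "$2")" in
        file:r??) return 0 ;;
        dir:??x)  return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed getfacl-style text: $1 = agent entry, $2 = mask.
sample_acl() {
    printf '%s\n' '# file: u01/app/logs' 'user::rwx' "user:mgmt_agent:$1" \
        'group::r-x' "mask::$2" 'other::r-x'
}

# r-- on a folder: listable but not traversable, even though other::r-x is set.
sample_acl r-- r-x | acl_allows dir mgmt_agent  || echo "dir r--: blocked"
sample_acl r-x r-x | acl_allows dir mgmt_agent  && echo "dir r-x: ok"
# A later chmod that clears the group bits narrows the mask and voids the grant.
sample_acl r-- --- | acl_allows file mgmt_agent || echo "file, mask ---: blocked"
```

On a real host, pipe the output of getfacl for the log file and for each folder above it into acl_allows, using the actual agent user name.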

Install Management Agents

See Oracle Management Agents Documentation to complete the following tasks:

  • Perform prerequisites for deploying Management Agents

  • Install Management Agent

After you install the Management Agent, complete the following Logging Analytics specific tasks to start the log collection:

Note

The management agent connects to the following endpoints for Oracle Cloud Logging Analytics operations:
  • Upload the logs and log collection warning:
    https://loganalytics.<region>.oci.oraclecloud.com/<additional_part_pertaining_to_the_operation>
  • Metrics:
    https://telemetry-ingestion.<region>.oraclecloud.com/<additional_part_pertaining_to_the_operation>

In the above endpoints, region is the identifier for your region, for example, us-ashburn-1.

Monitor Your Continuous Log Collection

After you complete the setup for continuous log collection, the Management Agent installed on your host emits information about the size of the log data that it uploads to Logging Analytics and about any errors that it encounters.

This data is displayed for each log source with the following agent log collection metrics:

  • Agent Data Upload Size (logCollectionUploadDataSize): The size of the log data collected through the Management Agent for each log source.

  • Agent Data Upload Errors (logCollectionUploadFailureCount): The count of errors that occurred for each log source during the log collection, and the type of the errors.

To access the Agent Data Upload Size and Agent Data Upload Errors metrics, see Monitor Logging Analytics Using Service Metrics.

To modify the filters applied on the metrics data, you can view the metrics in the metrics explorer and change the metrics dimensions:

  1. Click the Options menu on the top right corner of the agent log collection metric, and select View in Metric Explorer.

    The metric is now displayed in the Metrics Explorer. Here, you can view the chart in finer detail.

  2. Click Edit Queries and select Dimension Name and Dimension Value for the metric. For example, if you want to view the upload data size for a specific host host123, then select the metric name logCollectionUploadDataSize, dimension name as agentHostName and the dimension value as host123.

    Click Update Chart to refresh the chart visualization. The chart will now display only the upload data size for the specified host.

    Similarly, if you want to view the number of upload errors of the type LogGroupPolicyError, then select the metric name logCollectionUploadFailureCount, dimension name as errorCode and the dimension value as LogGroupPolicyError.

    Click Update Chart to refresh the chart visualization. The chart will now display the count of upload errors of the specified type for the specified period.

    You can switch to the Data Table view for a tabular representation of the data points in the metrics.

Following are the dimensions available to filter the metric data:

  • agentHostName
    Metrics: logCollectionUploadDataSize, logCollectionUploadFailureCount
    Details: The name of the host on which Management Agent is installed

  • logGroup
    Metrics: logCollectionUploadDataSize, logCollectionUploadFailureCount
    Details: The log group in which the log collection happens

  • logSourceType
    Metrics: logCollectionUploadDataSize, logCollectionUploadFailureCount
    Details: The log source type, which can be File, Syslog Listener, Database, Windows Event System, or Oracle Diagnostic Log (ODL)

  • resourceId
    Metrics: logCollectionUploadDataSize, logCollectionUploadFailureCount
    Details: The OCID of the Management Agent

  • errorCode
    Metrics: logCollectionUploadFailureCount
    Details: The error reported by the Management Agent

Following are the various types of errors reported by the Management Agent in the logCollectionUploadFailureCount metric for the dimension errorCode:

  • LogGroupPolicyError
    Description: Occurs due to authorization failure during log upload. This is caused by incorrect IAM policies.
    HTTP status code: 404
    Recommended fix: Check the IAM policies you created for enabling continuous log collection and verify that the required permissions are given. See Permission Required for Setting Up Continuous Log Collection.

  • InvalidParameter
    Description: Occurs when the Management Agent sends a request with incorrect parameters.
    HTTP status code: 400
    Recommended fix: Contact Oracle Support with the Error Type information.

  • NotAuthenticated
    Description: Occurs when the Management Agent sends a request with an incorrect signature.
    HTTP status code: 401

  • RequestEntityTooLarge
    Description: Occurs when the Management Agent sends a request with a payload that is larger than expected.
    HTTP status code: 413

  • TooManyRequests
    Description: Occurs when the Management Agent sends more requests than the number defined in the endpoint configuration.
    HTTP status code: 429

  • InternalError
    Description: Occurs when an unexpected exception crops up in the Management Agent.
    HTTP status code: 500

  • HTTP Error Code <error code>
    Description: All other unexpected error codes returned on the log upload endpoint.

For the actions that you can perform with each metric, see Actions for Service Metrics.