Remote Handling of Recovery Appliance System Logs

As part of efficient management of the Recovery Appliance, it can be beneficial to export the system log files automatically to one or more remote servers for status monitoring and review.

The Recovery Appliance log files that are sent include:

  • /var/log/audit/audit.log
  • /var/log/messages
  • /var/log/cerberus/access-updater/application.log
  • /var/log/cerberus/access-updater/cron.log
  • /var/log/oracle/deploy/dbmcli.lst.root.0
  • /var/log/aide/aide.log
  • /etc/passwd
  • /var/log/yum.log
  • /var/log/clamav/clamscan.log
  • /var/log/secure
  • /opt/oracle.RecoveryAppliance/log/ra_export.log
  • /opt/oracle.RecoveryAppliance/log/em_backup.log
  • /opt/oracle.RecoveryAppliance/log/ra_fs_cleanup.log
  • /opt/oracle.RecoveryAppliance/log/emctl.log
  • /opt/oracle.RecoveryAppliance/log/racli_update_parameter.log
  • /opt/oracle.RecoveryAppliance/log/racli_alter_parameter.log
  • /opt/oracle.RecoveryAppliance/log/racli_list_parameter.log

To Create a Configuration File for a Remote Receiver

The command racli add remote_syslog creates a configuration file in /etc/rsyslog.d/ from the arguments passed in:

racli add remote_syslog --dest=<desturl> --port=<destPort> --config_name=<yourConfig>

  • --dest=<desturl> defines the IP address of the (remote) destination that receives this Recovery Appliance's system logs.
  • --port=<destPort> defines the port on the (remote) destination that receives this Recovery Appliance's system logs.
  • --config_name=<yourConfig> defines a name that is meaningful to the organization, such as fleet01_remote_central.

racli add remote_syslog --dest=100.104.102.184 --port=514 --config_name=fleet1_test02:
 
Created log /opt/oracle.RecoveryAppliance/log/racli_add_remote_syslog.log
Mon Apr 11 09:17:41 2022: Start: Configure Sys Log to 100.104.102.184
Mon Apr 11 09:17:41 2022:   Start: On Local Node zdlra10adm01
Mon Apr 11 09:17:41 2022:       Start: Restart rsyslog
Mon Apr 11 09:17:41 2022:       End: Restart rsyslog
Mon Apr 11 09:17:41 2022:   End: On Local Node zdlra10adm01
Mon Apr 11 09:17:42 2022:   Start: On Remote Node zdlra10adm02
Mon Apr 11 09:17:43 2022:   End: On Remote Node zdlra10adm02
Mon Apr 11 09:17:43 2022: End: Configure Sys Log to 100.104.102.184

To View the Remote Receivers

The command racli list remote_syslog lists all the configuration files, or a specific one, from the /etc/rsyslog.d/ directory.

racli list remote_syslog --config_name=fleet1_test01: 

syslog_fleet1_test01:
    NAME = fleet1_test01
    CONFIG_FILE = /etc/rsyslog.d/fleet1_test01.conf

To Remove the Remote Receivers

The command racli remove remote_syslog removes a named configuration file from the /etc/rsyslog.d/ directory.

racli remove remote_syslog --config_name='fleet1_test01'

Created log /opt/oracle.RecoveryAppliance/log/racli_remove_remote_syslog.log
Mon Apr 11 09:17:58 2022: Start: Remove Sys Log fleet1_test01
Mon Apr 11 09:17:58 2022:   Start: On Local Node zdlra10adm01
Mon Apr 11 09:17:58 2022:       Removed: Sys Log fleet1_test01.conf
Mon Apr 11 09:17:58 2022:       Removed: Metadata of syslog_fleet1_test01
Mon Apr 11 09:17:58 2022:       Start: Restart rsyslog
Mon Apr 11 09:17:58 2022:       End: Restart rsyslog
Mon Apr 11 09:17:58 2022:   End: On Local Node zdlra10adm01
Mon Apr 11 09:17:58 2022:   Start: On Remote Node zdlra10adm02
Mon Apr 11 09:18:00 2022:   End: On Remote Node zdlra10adm02
Mon Apr 11 09:18:00 2022: End: Remove Sys Log fleet1_test01

To Configure the Syslog Server or Fleet Manager

The external and separate syslog or fleet server needs to be configured to receive the Recovery Appliance log files.

  • Each config file can accept one (1) destination only.

  • The location of the config file is: /etc/rsyslog.d/

  • Location set for logs: /var/odo/hostsyslogs/

  • Naming convention on the log files: %PROGRAMNAME%_%HOSTNAME%_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log

Example of .conf file under /etc/rsyslog.d

##########REMOTE SYSLOG#################
 
  $ModLoad imfile
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/aide/aide.log
    $InputFileTag aide:
    $InputFileStateFile stat-aide
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'aide' then @@100.104.102.184:514
    if $programname == 'aide' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/audit/audit.log
    $InputFileTag audit:
    $InputFileStateFile stat-audit
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'audit' then @@100.104.102.184:514
    if $programname == 'audit' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/cerberus/access-updater/application.log
    $InputFileTag cerberus-appl:
    $InputFileStateFile stat-cerberus-appl
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'cerberus-appl' then @@100.104.102.184:514
    if $programname == 'cerberus-appl' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/cerberus/access-updater/cron.log
    $InputFileTag cerberus-cron:
    $InputFileStateFile stat-cerberus-cron
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'cerberus-cron' then @@100.104.102.184:514
    if $programname == 'cerberus-cron' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/clamav/clamscan.log
    $InputFileTag clamav:
    $InputFileStateFile stat-clamav
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'clamav' then @@100.104.102.184:514
    if $programname == 'clamav' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/oracle/deploy/dbmcli.lst.root.0
    $InputFileTag dbmcli:
    $InputFileStateFile stat-dbmcli
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'dbmcli' then @@100.104.102.184:514
    if $programname == 'dbmcli' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/em_backup.log
    $InputFileTag em-backup:
    $InputFileStateFile stat-em-backup
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'em-backup' then @@100.104.102.184:514
    if $programname == 'em-backup' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/emctl.log
    $InputFileTag emctl:
    $InputFileStateFile stat-emctl
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'emctl' then @@100.104.102.184:514
    if $programname == 'emctl' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/messages
    $InputFileTag messages:
    $InputFileStateFile stat-messages
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'messages' then @@100.104.102.184:514
    if $programname == 'messages' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /etc/passwd
    $InputFileTag passwd:
    $InputFileStateFile stat-passwd
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'passwd' then @@100.104.102.184:514
    if $programname == 'passwd' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/ra_export.log
    $InputFileTag ra-export:
    $InputFileStateFile stat-ra-export
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'ra-export' then @@100.104.102.184:514
    if $programname == 'ra-export' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/ra_fs_cleanup.log
    $InputFileTag ra-fs-cleanup:
    $InputFileStateFile stat-ra-fs-cleanup
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'ra-fs-cleanup' then @@100.104.102.184:514
    if $programname == 'ra-fs-cleanup' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/racli_alter_parameter.log
    $InputFileTag racli-alter-parameter:
    $InputFileStateFile stat-racli-alter-parameter
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'racli-alter-parameter' then @@100.104.102.184:514
    if $programname == 'racli-alter-parameter' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/racli_list_parameter.log
    $InputFileTag racli-list-parameter:
    $InputFileStateFile stat-racli-list-parameter
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'racli-list-parameter' then @@100.104.102.184:514
    if $programname == 'racli-list-parameter' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /opt/oracle.RecoveryAppliance/log/racli_update_parameter.log
    $InputFileTag racli-update-parameter:
    $InputFileStateFile stat-racli-update-parameter
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'racli-update-parameter' then @@100.104.102.184:514
    if $programname == 'racli-update-parameter' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/secure
    $InputFileTag secure:
    $InputFileStateFile stat-secure
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'secure' then @@100.104.102.184:514
    if $programname == 'secure' then stop
 
    ####################
    $InputFilePollInterval 180
    $InputFileName /var/log/yum.log
    $InputFileTag yum:
    $InputFileStateFile stat-yum
    $InputFileSeverity Info
    $InputRunFileMonitor
 
    if $programname == 'yum' then @@100.104.102.184:514
    if $programname == 'yum' then stop
 
########################################
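
The following Python audit is an added example, not part of the Oracle documentation or the racli tooling. It reads a .conf in the format shown above, pairs each monitored file with its forwarding rule, and reports the transport (in rsyslog, @@ forwards over plain TCP and @ over UDP). It also builds the file name the receiver should produce under the naming convention listed earlier. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the page's legacy imfile syntax; the yum stanza
# deliberately has no forwarding rule.
SAMPLE_CONF = """\
$ModLoad imfile
$InputFileName /var/log/secure
$InputFileTag secure:
$InputRunFileMonitor
if $programname == 'secure' then @@100.104.102.184:514
if $programname == 'secure' then stop
$InputFileName /var/log/yum.log
$InputFileTag yum:
$InputRunFileMonitor
"""

FORWARD = re.compile(r"if \$programname == '([^']+)' then (@@?)(\S+):(\d+)$")

def audit(conf_text):
    """Return one dict per imfile stanza: file, program, transport, dest."""
    stanzas, current, forwards = [], {}, {}
    for line in (l.strip() for l in conf_text.splitlines()):
        if line.startswith("$InputFileName "):
            current = {"file": line.split(None, 1)[1]}
        elif line.startswith("$InputFileTag "):
            # rsyslog's $programname is the tag without the trailing colon
            current["program"] = line.split(None, 1)[1].rstrip(":")
        elif line == "$InputRunFileMonitor" and current:
            stanzas.append(current)
            current = {}
        else:
            m = FORWARD.match(line)
            if m:
                prog, at, host, port = m.groups()
                forwards[prog] = ("tcp" if at == "@@" else "udp", f"{host}:{port}")
    for s in stanzas:
        s["transport"], s["dest"] = forwards.get(s.get("program"), (None, None))
    return stanzas

def unforwarded(conf_text):
    """Files that are monitored but have no remote forwarding rule."""
    return [s["file"] for s in audit(conf_text) if s["dest"] is None]

def receiver_path(program, hostname, when, root="/var/odo/hostsyslogs/"):
    """File name from the page's naming convention; `when` is a datetime
    in the receiver's clock (the %$YEAR%..%$HOUR% fields)."""
    return f"{root}{program}_{hostname}_{when:%Y-%m-%d-%H}.log"

if __name__ == "__main__":
    print(unforwarded(SAMPLE_CONF))
```

Run against the real file in /etc/rsyslog.d/ on each node, the output of `audit` can be compared with the list of exported log files at the top of this page.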