Oracle Cloud Infrastructure Documentation

Grant READ Access of the Logs to the Agent User on Your Host

While deploying the management agents for using Oracle Log Analytics on UNIX-based hosts, ensure that the management agent has the correct privileges to read the log files from where data has to be collected.

Note

On Unix-based hosts, the user that installs management agent is mgmt_agent for the manually installed management agent, and oracle-cloud-agent when the management agent is a plugin enabled with Oracle Cloud Agent.

Check the file permission for the log file and each folder in the file path with the management agent user: If your log file is located at /a/b/c/file.log, then you must verify the read permission for the log file file.log as well as the folders a, b, and c in the file path. 

sudo -u <agentuser> /bin/bash -c "ls /a"
sudo -u <agentuser> /bin/bash -c "ls /a/b"
sudo -u <agentuser> /bin/bash -c "ls /a/b/c"
sudo -u <agentuser> /bin/bash -c "tail /a/b/c/file.log"

If the management agent user cannot read the log files, then use one of the following methods (in the order of best practice) to make the log files readable to the management agent. It is recommended that you try each method in the order listed, and check if the access is available before trying the next one.

  • Use Access Control Lists (ACLs) to enable the cloud agent user to read the log file path and log files. An ACL provides a flexible permission mechanism for file systems. Ensure that the full path to the log files is readable through the ACL.

    To set up an ACL in a UNIX-based host:

    Determine whether the system that contains the log files has the acl package: 

    rpm -q acl

    If the system contains the acl package, then the previous command should return something like: 

    acl-2.2.39-8.el5

    If the system doesn’t have the acl package, then download and install the package.

  • Run the following setfacl commands:

    Note

    First, check for the existing permissions and add to them, if necessary. Make sure that the changes do not impact the existing ones.

    • Grant the management agent user READ access to the required log file:

      setfacl -m u:<agentuser>:r <path to the log file/log file name>

    • Grant the READ and EXECUTE permissions to each folder in the log file path:

      //set read, execute permissions on folders other than parent folder
setfacl -m u:<agentuser>:rx <path to the folder>

//set read, execute permissions with recursive options on parent folder
setfacl -R -m u:<agentuser>:rx <path to the folder> 

//set read, execute permissions with default option to allow all future log files created under this folder to be readable.
setfacl -d -m u:<agentuser>:rx <path to the folder>

      For example, the following commands are needed for the path /scratch/logs/*.log for the management agent user mgmt_agent: 

      setfacl -m u:mgmt_agent:rx /scratch
setfacl -R -m u:mgmt_agent:rx /scratch/logs
setfacl -d -m u:mgmt_agent:rx /scratch/logs

    For nfs mount, it may not be possible to give READ and EXECUTE permission to the agent user to read the log files or folders. In such cases, add the agent user to the log file group: 

    usermod -a -G <group of log file> <agentuser>

    Restart the management agent after running the above command.

  • Place the management agent and the product that generates the logs in the same user group, and make the files readable to the entire group. Restart the agent.

  • Make the log files readable to all users. For example, chmod o+r <file>.

    You may have to give executable permission to the parent folders. For example, chmod o+rx <parent folder>.