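Using syslog to Manage Oracle ASM Audit Files
If the audit file directory of an Oracle ASM instance is not maintained regularly, it will accumulate a large number of audit files. A large number of audit files can cause the file system to run out of disk space or inodes, can slow Oracle down because of file system scaling limits, and can even cause the Oracle ASM instance to hang at startup. This article describes how to use the Linux syslog facility to manage Oracle ASM audit records, so that the records are written through the operating system's syslog facility instead of to a separate audit_dump_dest directory. The steps are described below, and they must be performed on every node in a RAC environment.
1. Set the audit_syslog_level and audit_sys_operations parameters for the Oracle ASM instance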

SQL> show parameter audit_sys_

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
SQL> alter system set AUDIT_SYSLOG_LEVEL='local0.info' scope=spfile sid='*';

System altered.

Because the audit_sys_operations parameter is enabled by default, it does not need to be set.

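2. Configure /etc/syslog.conf for Oracle ASM auditing
Make the following two changes to the syslog configuration file, /etc/syslog.conf or /etc/rsyslog.conf, to configure it for Oracle ASM auditing:
2.1 Add the following line to /etc/syslog.conf or /etc/rsyslog.conf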

local0.info /var/log/oracle_asm_audit.log

2.2 In /etc/syslog.conf or /etc/rsyslog.conf, add local0.none to the /var/log/messages line. The modified line looks like this:

*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages

[root@cs1 ~]# vi /etc/rsyslog.conf
....omitted....
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
local0.info /var/log/oracle_asm_audit.log

[root@cs2 ~]# vi /etc/rsyslog.conf
....omitted....
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
local0.info /var/log/oracle_asm_audit.log

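3. Configure logrotate to manage the syslog log file
The Linux logrotate utility is used to manage the size and number of the syslog log files for Oracle ASM auditing. Create the file /etc/logrotate.d/oracle_asm_audit and add the following content to it: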

/var/log/oracle_asm_audit.log {
weekly
rotate 4
compress
copytruncate
delaycompress
notifempty
}

[root@cs1 ~]# cd /etc/logrotate.d/
[root@cs1 logrotate.d]# pwd
/etc/logrotate.d
[root@cs1 logrotate.d]# vi oracle_asm_audit
/var/log/oracle_asm_audit.log {
weekly
rotate 4
compress
copytruncate
delaycompress
notifempty
}

[root@cs2 ~]# cd /etc/logrotate.d/
[root@cs1 logrotate.d]# pwd
/etc/logrotate.d
[root@cs1 logrotate.d]# vi oracle_asm_audit
/var/log/oracle_asm_audit.log {
weekly
rotate 4
compress
copytruncate
delaycompress
notifempty
}

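4. Restart the Oracle ASM instance and the rsyslog service
For these changes to take effect, the Oracle ASM instance and the rsyslog service must be restarted. Running crsctl stop cluster -all followed by crsctl start cluster -all on any one RAC node restarts the Oracle ASM instance; this also shuts down the database instances.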

[root@cs1 bin]# /u01/app/product/12.2.0/crs/bin/crsctl stop cluster -all
CRS-2673: Attempting to stop 'ora.crsd' on 'cs1'
CRS-2673: Attempting to stop 'ora.crsd' on 'cs2'
CRS-2790: Starting shutdown of Cluster Ready Services-managed resources on server 'cs2'
CRS-2673: Attempting to stop 'ora.chad' on 'cs2'
CRS-2790: Starting shutdown of Cluster Ready Services-managed resources on server 'cs1'
CRS-2673: Attempting to stop 'ora.cs.db' on 'cs2'
CRS-2673: Attempting to stop 'ora.cs.db' on 'cs1'
CRS-2673: Attempting to stop 'ora.qosmserver' on 'cs1'
CRS-2673: Attempting to stop 'ora.gns' on 'cs1'
CRS-2677: Stop of 'ora.gns' on 'cs1' succeeded
CRS-2677: Stop of 'ora.cs.db' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.CRS.dg' on 'cs2'
CRS-2673: Attempting to stop 'ora.DATA.dg' on 'cs2'
CRS-2673: Attempting to stop 'ora.LISTENER.lsnr' on 'cs2'
CRS-2673: Attempting to stop 'ora.LISTENER_SCAN1.lsnr' on 'cs2'
CRS-2677: Stop of 'ora.CRS.dg' on 'cs2' succeeded
CRS-2677: Stop of 'ora.DATA.dg' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.asm' on 'cs2'
CRS-2677: Stop of 'ora.LISTENER.lsnr' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.cs2.vip' on 'cs2'
CRS-2673: Attempting to stop 'ora.chad' on 'cs1'
CRS-2677: Stop of 'ora.chad' on 'cs2' succeeded
CRS-2677: Stop of 'ora.LISTENER_SCAN1.lsnr' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.scan1.vip' on 'cs2'
CRS-2677: Stop of 'ora.cs.db' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.LISTENER.lsnr' on 'cs1'
CRS-2673: Attempting to stop 'ora.LISTENER_SCAN2.lsnr' on 'cs1'
CRS-2673: Attempting to stop 'ora.LISTENER_SCAN3.lsnr' on 'cs1'
CRS-2673: Attempting to stop 'ora.cvu' on 'cs1'
CRS-2673: Attempting to stop 'ora.gns.vip' on 'cs1'
CRS-2677: Stop of 'ora.LISTENER.lsnr' on 'cs1' succeeded
CRS-2677: Stop of 'ora.LISTENER_SCAN2.lsnr' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.scan2.vip' on 'cs1'
CRS-2677: Stop of 'ora.LISTENER_SCAN3.lsnr' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.scan3.vip' on 'cs1'
CRS-2677: Stop of 'ora.asm' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.ASMNET1LSNR_ASM.lsnr' on 'cs2'
CRS-2677: Stop of 'ora.cs2.vip' on 'cs2' succeeded
CRS-2677: Stop of 'ora.gns.vip' on 'cs1' succeeded
CRS-2677: Stop of 'ora.scan1.vip' on 'cs2' succeeded
CRS-2677: Stop of 'ora.scan3.vip' on 'cs1' succeeded
CRS-2677: Stop of 'ora.ASMNET1LSNR_ASM.lsnr' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.ons' on 'cs2'
CRS-2677: Stop of 'ora.scan2.vip' on 'cs1' succeeded
CRS-2677: Stop of 'ora.ons' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.net1.network' on 'cs2'
CRS-2677: Stop of 'ora.net1.network' on 'cs2' succeeded
CRS-2792: Shutdown of Cluster Ready Services-managed resources on 'cs2' has completed
CRS-2677: Stop of 'ora.chad' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.mgmtdb' on 'cs1'
CRS-2677: Stop of 'ora.crsd' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.ctssd' on 'cs2'
CRS-2673: Attempting to stop 'ora.evmd' on 'cs2'
CRS-2673: Attempting to stop 'ora.storage' on 'cs2'
CRS-2677: Stop of 'ora.cvu' on 'cs1' succeeded
CRS-2677: Stop of 'ora.storage' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.asm' on 'cs2'
CRS-2677: Stop of 'ora.ctssd' on 'cs2' succeeded
CRS-2677: Stop of 'ora.mgmtdb' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.MGMTLSNR' on 'cs1'
CRS-2673: Attempting to stop 'ora.CRS.dg' on 'cs1'
CRS-2673: Attempting to stop 'ora.DATA.dg' on 'cs1'
CRS-2677: Stop of 'ora.CRS.dg' on 'cs1' succeeded
CRS-2677: Stop of 'ora.DATA.dg' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.asm' on 'cs1'
CRS-2677: Stop of 'ora.evmd' on 'cs2' succeeded
CRS-2677: Stop of 'ora.qosmserver' on 'cs1' succeeded
CRS-2677: Stop of 'ora.MGMTLSNR' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.cs1.vip' on 'cs1'
CRS-2677: Stop of 'ora.cs1.vip' on 'cs1' succeeded
CRS-2677: Stop of 'ora.asm' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.cluster_interconnect.haip' on 'cs2'
CRS-2677: Stop of 'ora.cluster_interconnect.haip' on 'cs2' succeeded
CRS-2673: Attempting to stop 'ora.cssd' on 'cs2'
CRS-2677: Stop of 'ora.cssd' on 'cs2' succeeded
CRS-2677: Stop of 'ora.asm' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.ASMNET1LSNR_ASM.lsnr' on 'cs1'
CRS-2677: Stop of 'ora.ASMNET1LSNR_ASM.lsnr' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.ons' on 'cs1'
CRS-2677: Stop of 'ora.ons' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.net1.network' on 'cs1'
CRS-2677: Stop of 'ora.net1.network' on 'cs1' succeeded
CRS-2792: Shutdown of Cluster Ready Services-managed resources on 'cs1' has completed
CRS-2677: Stop of 'ora.crsd' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.ctssd' on 'cs1'
CRS-2673: Attempting to stop 'ora.evmd' on 'cs1'
CRS-2673: Attempting to stop 'ora.storage' on 'cs1'
CRS-2677: Stop of 'ora.storage' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.asm' on 'cs1'
CRS-2677: Stop of 'ora.evmd' on 'cs1' succeeded
CRS-2677: Stop of 'ora.ctssd' on 'cs1' succeeded
CRS-2677: Stop of 'ora.asm' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.cluster_interconnect.haip' on 'cs1'
CRS-2677: Stop of 'ora.cluster_interconnect.haip' on 'cs1' succeeded
CRS-2673: Attempting to stop 'ora.cssd' on 'cs1'
CRS-2677: Stop of 'ora.cssd' on 'cs1' succeeded
[root@cs1 bin]# /u01/app/product/12.2.0/crs/bin/crsctl start cluster -all
CRS-2672: Attempting to start 'ora.cssdmonitor' on 'cs1'
CRS-2672: Attempting to start 'ora.evmd' on 'cs1'
CRS-2672: Attempting to start 'ora.evmd' on 'cs2'
CRS-2672: Attempting to start 'ora.cssdmonitor' on 'cs2'
CRS-2676: Start of 'ora.cssdmonitor' on 'cs2' succeeded
CRS-2672: Attempting to start 'ora.cssd' on 'cs2'
CRS-2672: Attempting to start 'ora.diskmon' on 'cs2'
CRS-2676: Start of 'ora.cssdmonitor' on 'cs1' succeeded
CRS-2672: Attempting to start 'ora.cssd' on 'cs1'
CRS-2672: Attempting to start 'ora.diskmon' on 'cs1'
CRS-2676: Start of 'ora.diskmon' on 'cs1' succeeded
CRS-2676: Start of 'ora.evmd' on 'cs1' succeeded
CRS-2676: Start of 'ora.diskmon' on 'cs2' succeeded
CRS-2676: Start of 'ora.evmd' on 'cs2' succeeded
CRS-2676: Start of 'ora.cssd' on 'cs2' succeeded
CRS-2672: Attempting to start 'ora.ctssd' on 'cs2'
CRS-2672: Attempting to start 'ora.cluster_interconnect.haip' on 'cs2'
CRS-2676: Start of 'ora.cssd' on 'cs1' succeeded
CRS-2672: Attempting to start 'ora.ctssd' on 'cs1'
CRS-2672: Attempting to start 'ora.cluster_interconnect.haip' on 'cs1'
CRS-2676: Start of 'ora.ctssd' on 'cs2' succeeded
CRS-2676: Start of 'ora.ctssd' on 'cs1' succeeded
CRS-2676: Start of 'ora.cluster_interconnect.haip' on 'cs1' succeeded
CRS-2672: Attempting to start 'ora.asm' on 'cs1'
CRS-2676: Start of 'ora.cluster_interconnect.haip' on 'cs2' succeeded
CRS-2672: Attempting to start 'ora.asm' on 'cs2'
CRS-2676: Start of 'ora.asm' on 'cs2' succeeded
CRS-2672: Attempting to start 'ora.storage' on 'cs2'
CRS-2676: Start of 'ora.asm' on 'cs1' succeeded
CRS-2672: Attempting to start 'ora.storage' on 'cs1'
CRS-2676: Start of 'ora.storage' on 'cs1' succeeded
CRS-2672: Attempting to start 'ora.crsd' on 'cs1'
CRS-2676: Start of 'ora.crsd' on 'cs1' succeeded
CRS-2676: Start of 'ora.storage' on 'cs2' succeeded
CRS-2672: Attempting to start 'ora.crsd' on 'cs2'
CRS-2676: Start of 'ora.crsd' on 'cs2' succeeded

Run the service rsyslog restart command to restart the rsyslog service

[root@cs1 bin]# service rsyslog restart
Redirecting to /bin/systemctl restart rsyslog.service
[root@cs1 bin]# service rsyslog status
Redirecting to /bin/systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Wed 2018-08-01 15:13:22 CST; 12s ago
 Main PID: 23011 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─23011 /usr/sbin/rsyslogd -n

Aug 01 15:13:22 cs1.jy.net systemd[1]: Started System Logging Service.

[root@cs2 logrotate.d]# service rsyslog restart
Redirecting to /bin/systemctl restart rsyslog.service
[root@cs2 logrotate.d]# service rsyslog status
Redirecting to /bin/systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Wed 2018-08-01 15:13:54 CST; 7s ago
 Main PID: 9809 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─9809 /usr/sbin/rsyslogd -n

Aug 01 15:13:54 cs2.jy.net systemd[1]: Started System Logging Service.

5. Verify that Oracle ASM audit records are being written to /var/log/oracle_asm_audit.log

[root@cs1 bin]# tail -f /var/log/oracle_asm_audit.log
Aug  1 15:13:46 cs1 journal: Oracle Audit[23601]: LENGTH : '317' ACTION :[80] 'begin dbms_diskgroup.close(:handle); exception when others then raise; end;
Aug  1 15:13:48 cs1 journal: Oracle Audit[23610]: LENGTH : '244' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs1.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Aug  1 15:13:50 cs1 journal: Oracle Audit[23654]: LENGTH : '244' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs1.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Aug  1 15:13:50 cs1 journal: Oracle Audit[23654]: LENGTH : '494' ACTION :[257] 'select name_kfgrp, number_kfgrp, incarn_kfgrp, compat_kfgrp, dbcompat_kfgrp, state_kfgrp, flags32_kfgrp, type_kfgrp, refcnt_kfgrp, sector_kfgrp, blksize_kfgrp, ausize_kfgrp, totmb_kfgrp, freemb_kfgrp, coldmb_kfgrp, hotmb_kfgrp, minspc_kfgrp, usable_kfgrp, ' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs1.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[1] '3'
Aug  1 15:13:50 cs1 journal: Oracle Audit[23654]: LENGTH : '308' ACTION :[071] 'offline_kfgrp, lflags_kfgrp, logical_sector_kfgrp from x$kfgrp_stat
Aug  1 15:13:55 cs1 journal: Oracle Audit[23681]: LENGTH : '244' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs1.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'
Aug  1 15:13:56 cs1 journal: Oracle Audit[23681]: LENGTH : '370' ACTION :[132] 'begin dbms_diskgroup.openpwfile(:NAME,:lblksize,:fsz,:handle,:pblksz,:fmode,:genfname); exception when others then raise; end;
Aug  1 15:13:56 cs1 journal: Oracle Audit[23681]: LENGTH : '355' ACTION :[117] 'begin dbms_diskgroup.read(:handle,:offset,:length,:buffer,:reason,:mirr); exception when others then raise; end;
Aug  1 15:13:56 cs1 journal: Oracle Audit[23681]: LENGTH : '355' ACTION :[117] 'begin dbms_diskgroup.read(:handle,:offset,:length,:buffer,:reason,:mirr); exception when others then raise; end;
Aug  1 15:13:56 cs1 journal: Oracle Audit[23681]: LENGTH : '317' ACTION :[80] 'begin dbms_diskgroup.close(:handle); exception when others then raise; end;

[root@cs2 logrotate.d]# tail -f /var/log/oracle_asm_audit.log
Aug  1 15:14:46 cs2 journal: Oracle Audit[9928]: LENGTH : '299' ACTION :[51] 'BEGIN DBMS_SESSION.USE_DEFAULT_EDITION_ALWAYS; END;' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[2] '47'
Aug  1 15:14:46 cs2 journal: Oracle Audit[9928]: LENGTH : '287' ACTION :[39] 'ALTER SESSION SET "_notify_crs" = false' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[2] '42'
Aug  1 15:14:46 cs2 journal: Oracle Audit[9926]: LENGTH : '287' ACTION :[39] 'ALTER SESSION SET "_notify_crs" = false' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[2] '42'
Aug  1 15:14:47 cs2 journal: Oracle Audit[9928]: LENGTH : '292' ACTION :[45] 'SELECT value FROM v$parameter WHERE name = :1' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[1] '3'
Aug  1 15:14:47 cs2 journal: Oracle Audit[9928]: LENGTH : '292' ACTION :[45] 'SELECT value FROM v$parameter WHERE name = :1' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[1] '3'
Aug  1 15:14:47 cs2 journal: Oracle Audit[9928]: LENGTH : '292' ACTION :[45] 'SELECT value FROM v$parameter WHERE name = :1' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[1] '3'
Aug  1 15:14:47 cs2 journal: Oracle Audit[9928]: LENGTH : '292' ACTION :[45] 'SELECT value FROM v$parameter WHERE name = :1' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSRAC' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[10] '1386528187' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[1] '3'
Aug  1 15:15:01 cs2 journal: Oracle Audit[9944]: LENGTH : '244' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0] '' SESSIONID:[10] '4294967295' USERHOST:[10] 'cs2.jy.net' CLIENT ADDRESS:[0] '' ACTION NUMBER:[3] '100'

As shown, the Oracle ASM audit records are now being written to /var/log/oracle_asm_audit.log.
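
Once the records land in one file, they can be parsed for review instead of only watched with tail -f. The following is an added example, not part of the original article: a Python parser for the NAME:[length] 'value' record layout shown in step 5, which slices each value by its declared length and marks records that syslog cut short. The function names, the constructed sample lines and the choice to flag a non-zero STATUS on privileged sessions are assumptions made for illustration.

```python
import re

# Syslog prefix, then "Oracle Audit[pid]: " as in the tail -f output above.
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) \S+ Oracle Audit\[(\d+)\]: ")
# One field header: NAME:[declared length] followed by the opening quote.
FIELD = re.compile(r"([A-Z][A-Z ]*?)\s*:\[(\d+)\]\s*'")
PRIVILEGED = {"SYSDBA", "SYSASM", "SYSRAC", "SYSOPER"}

def parse_record(line):
    """Parse one audit line into a dict, or return None for other syslog lines.
    Values are sliced by declared length, so quotes in SQL text are harmless."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2), "pid": int(m.group(3)),
           "truncated": False}
    pos = m.end()
    while (f := FIELD.search(line, pos)):
        name, n, start = f.group(1).strip(), int(f.group(2)), f.end()
        if line[start + n:start + n + 1] != "'":
            # Record was cut or split by syslog: keep the fragment and stop.
            rec[name], rec["truncated"] = line[start:], True
            break
        rec[name] = line[start:start + n]
        pos = start + n + 1
    return rec

def failed_privileged_actions(lines):
    """Records from privileged sessions whose STATUS (return code) is not '0'."""
    recs = (parse_record(l) for l in lines)
    return [r for r in recs if r and r.get("PRIVILEGE") in PRIVILEGED
            and r.get("STATUS", "0") != "0"]

# Constructed sample lines (not taken from a real system), same field layout.
HDR = "Aug  1 15:13:48 cs1 journal: Oracle Audit[23610]: LENGTH : '244' "
WHO = " DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' "
SAMPLE = [
    HDR + "ACTION :[7] 'CONNECT'" + WHO + "STATUS:[1] '0' USERHOST:[10] 'cs1.jy.net'",
    HDR + "ACTION :[7] 'CONNECT'" + WHO + "STATUS:[4] '1031' USERHOST:[10] 'cs1.jy.net'",
    HDR + "ACTION :[20] 'select 'x' from dual'" + WHO + "STATUS:[1] '0'",
    HDR + "ACTION :[80] 'begin dbms_diskgroup.close(:handle); exception when others",
]

if __name__ == "__main__":
    for rec in failed_privileged_actions(SAMPLE):
        print(rec["time"], rec["host"], rec["CLIENT USER"], rec["ACTION"], rec["STATUS"])
```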