The audit file destination directories for an ASM instance can grow to contain a very large number of files if they are not regularly maintained. A very large number of files can cause the file system to run out of free disk space or inodes, or can cause Oracle to run very slowly due to file system directory scaling limits, which can make the ASM instance appear to hang on startup.
This post explains how to use the Linux syslog facility to manage ASM auditing records so that ASM auditing records are recorded by the operating system syslog facility instead of individual files in the audit_dump_dest directory.
These steps must be performed for the ASM instance on every database server. This document explains how to manage the auditing records for ASM instances only.
Configuration
Step 1 – Set ASM initialization parameters AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS
In the ASM initialization file, set parameters AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS to the following values:
AUDIT_SYSLOG_LEVEL='local0.info'
AUDIT_SYS_OPERATIONS=TRUE
Step 2 – Configure /etc/syslog.conf for ASM auditing
Configure syslog configuration file /etc/syslog.conf or /etc/rsyslog.conf for ASM auditing by making the following two changes:
1. Add the following line in /etc/syslog.conf or /etc/rsyslog.conf
local0.info /var/log/asmaudit.log
2. To the line that configures logging for /var/log/messages in /etc/syslog.conf, add local0.none. For example:
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
Step 3 – Configure logrotate to manage syslog log files
The Linux logrotate utility is used to manage the size and number of syslog log files for ASM auditing. Create the file /etc/logrotate.d/asmaudit with the following content:
# vi /etc/logrotate.d/asmaudit
/var/log/asmaudit.log {
    weekly
    rotate 4
    compress
    copytruncate
    delaycompress
    notifempty
}
Step 4 – Restart ASM instances and syslog service
ASM instances and the syslog service must be restarted for the changes to take effect. An ASM instance is restarted by stopping and starting grid infrastructure with the “crsctl stop” and “crsctl start” commands. This action requires database instances to be shut down.
# GRID_HOME/grid/bin/crsctl stop cluster
# GRID_HOME/grid/bin/crsctl start cluster
To restart the syslog service, run the “service syslog restart” command:
# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Step 5 – Verify ASM audit records are created in /var/log/asmaudit.log
Verify that a privileged connection to ASM (e.g. a SYSDBA or SYSASM connection) results in an entry in /var/log/asmaudit.log similar to the following:
Oracle Audit[8738]: LENGTH : '142' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[5] 'oracle' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[0]
Troubleshooting
If syslog audit records are recorded in /var/log/messages, then ensure /etc/syslog.conf has been properly configured to add “local0.none” to the /var/log/messages entry.
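The two Step 2 changes, and the Troubleshooting check above, can be verified with a script. This is an added example, not part of the original post or any Oracle tooling; the helper name check_asm_syslog_conf and the constructed sample file are assumptions, and it only reads the legacy "selector action" line format shown in Step 2.

```shell
#!/bin/sh
# Added example. check_asm_syslog_conf is a hypothetical helper name.
# Reports whether a syslog.conf/rsyslog.conf carries both Step 2 changes.
check_asm_syslog_conf() {
    conf=${1:-/etc/rsyslog.conf}
    awk '
        NF == 0 || $1 ~ /^[#$]/ { next }   # skip blanks, comments, $directives
        {
            action = $NF
            sub(/^-/, "", action)          # "-/path" only disables syncing
            n = split($1, sel, ";")
            has_info = has_none = wildcard = 0
            for (i = 1; i <= n; i++) {
                if (sel[i] == "local0.info") has_info = 1
                if (sel[i] == "local0.none") has_none = 1
                if (substr(sel[i], 1, 2) == "*.") wildcard = 1
            }
            # Change 1: local0.info is written to the ASM audit log.
            if (action == "/var/log/asmaudit.log" && has_info) audit_rule = 1
            # Change 2: a catch-all rule for /var/log/messages must exclude local0.
            if (action == "/var/log/messages" && wildcard && !has_none) leaking = 1
        }
        END {
            rc = 0
            if (!audit_rule) {
                print "MISSING: local0.info /var/log/asmaudit.log"
                rc = 1
            }
            if (leaking) {
                print "MISSING: local0.none on the /var/log/messages rule"
                rc = 1
            }
            if (rc == 0) print "OK: ASM audit records go only to /var/log/asmaudit.log"
            exit rc
        }
    ' "$conf"
}

# Constructed sample: the audit rule exists, but /var/log/messages still
# receives local0, so audit records would be written to both files.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*.info;mail.none;authpriv.none;cron.none /var/log/messages
local0.info /var/log/asmaudit.log
EOF
check_asm_syslog_conf "$sample" || echo "Apply Step 2 to the file, then restart syslog"
rm -f "$sample"
```

Run it against the real file with check_asm_syslog_conf /etc/syslog.conf or /etc/rsyslog.conf; a non-zero exit status means at least one of the two changes is missing.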