| Author | Message | 
		
		  | Dread86 | 
			  
				|  Posted: Tue Mar 15, 2016 8:05 pm    Post subject: How to Read the MQ Queue manager Error Logs as non-mqm |   |  | 
		
		  | Novice
 
 
 Joined: 15 Mar 2016Posts: 15
 
 
 | 
			  
				| Hi All, 
 For monitoring the Queue manager error logs present under /var/opt/app/mq1/MQHA/qmgrs/*/errors/AMQERR01.LOG we had written a script to read the logs and send them to the monitoring tool. The script/program which does this should not be in "mqm" group. Definitely the permission category should fall as "other". So accordingly we have given the read permissions to the error log file.
 
 But later we came to know that queue manager will revert back its permission to the original ones while updating the error log files. Do we have any solution for us to constantly read the error logs with "non-mqm" user permissions irrespective of the queue manager error file updates?
 
 We also don't want that user who runs the script to be added as user of mqm group.
 Most of you guys might have faced this problem; please could you help me in resolving this?
 |  | 
		
		
		  |  | 
		
		  | fjb_saper | 
			  
				|  Posted: Wed Mar 16, 2016 4:38 am    Post subject: Re: How to Read the MQ Queue manager Error Logs as non-mqm |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 18 Nov 2003Posts: 20767
 Location: LI,NY
 
 | 
			  
				| 
   
	| Dread86 wrote: |  
	| Hi All, 
 For monitoring the Queue manager error logs present under /var/opt/app/mq1/MQHA/qmgrs/*/errors/AMQERR01.LOG we had written a script to read the logs and send them to the monitoring tool. The script/program which does this should not be in "mqm" group. Definitely the permission category should fall as "other". So accordingly we have given the read permissions to the error log file.
 
 But later we came to know that queue manager will revert back its permission to the original ones while updating the error log files. Do we have any solution for us to constantly read the error logs with "non-mqm" user permissions irrespective of the queue manager error file updates?
 
 We also don't want that user who runs the script to be added as user of mqm group.
 Most of you guys might have faced this problem; please could you help me in resolving this?
 |  AFAIK it's not when updating that the permissions change but on roll over... as mq renames the old logs and creates a new one.
 Have you looked into what it would take to change the default umask for the log directory (files created there have a default umask of .... ) ?
  _________________
 MQ & Broker admin
 |  | 
		
		
		  |  | 
		
		  | mqjeff | 
			  
				|  Posted: Wed Mar 16, 2016 4:40 am    Post subject: |   |  | 
		
		  | Grand Master
 
 
 Joined: 25 Jun 2008Posts: 17447
 
 
 | 
			  
				| ln -s
 _________________
 chmod  -R ugo-wx /
 |  | 
		
		
		  |  | 
		
		  | Dread86 | 
			  
				|  Posted: Wed Mar 16, 2016 3:39 pm    Post subject: Re: How to Read the MQ Queue manager Error Logs as non-mqm |   |  | 
		
		  | Novice
 
 
 Joined: 15 Mar 2016Posts: 15
 
 
 | 
			  
				| 
   
	| fjb_saper wrote: |  
	| 
   
	| Dread86 wrote: |  
	| Hi All, 
 For monitoring the Queue manager error logs present under /var/opt/app/mq1/MQHA/qmgrs/*/errors/AMQERR01.LOG we had written a script to read the logs and send them to the monitoring tool. The script/program which does this should not be in "mqm" group. Definitely the permission category should fall as "other". So accordingly we have given the read permissions to the error log file.
 
 But later we came to know that queue manager will revert back its permission to the original ones while updating the error log files. Do we have any solution for us to constantly read the error logs with "non-mqm" user permissions irrespective of the queue manager error file updates?
 
 We also don't want that user who runs the script to be added as user of mqm group.
 Most of you guys might have faced this problem; please could you help me in resolving this?
 |  AFAIK it's not when updating that the permissions change but on roll over... as mq renames the old logs and creates a new one.
 Have you looked into what it would take to change the default umask for the log directory (files created there have a default umask of .... ) ?
  |  umask value is already set as 022 where I can have read permissions to read the file as non-mqm user. But Queue manager is still updating the log and reverting back to old permissions.
 |  | 
		
		
		  |  | 
		
		  | Dread86 | 
			  
				|  Posted: Wed Mar 16, 2016 3:46 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 15 Mar 2016Posts: 15
 
 
 | 
			  
				| I tried with ln -s as well. Created a hard link file and changed the permissions as required. But later once the queue manager updates the error logs, the file permissions are gone.
 |  | 
		
		
		  |  | 
		
		  | tczielke | 
			  
				|  Posted: Wed Mar 16, 2016 4:44 pm    Post subject: |   |  | 
		
		  | Guardian
 
 
 Joined: 08 Jul 2010Posts: 941
 Location: Illinois, USA
 
 | 
			  
				| sudo could be an option to allow your non-mqm user id to have some limited mqm access to read the error log files.
 _________________
 Working with MQ since 2010.
 |  | 
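One way to set up the limited sudo access suggested above, as an added example that is not part of the original thread: a small wrapper that runs as mqm and reads only the error log, so nothing depends on the permissions the queue manager resets at rollover. The wrapper name and install path, the user "monitor", the function name and the allowed character set are assumptions.

```shell
#!/bin/sh
# read_mq_errlog.sh: hypothetical wrapper, installed root-owned and writable
# by nobody else. Example sudoers entry (user "monitor" and the install path
# are assumptions):
#   monitor ALL=(mqm) NOPASSWD: /usr/local/bin/read_mq_errlog.sh
# The monitoring script then runs:
#   sudo -u mqm /usr/local/bin/read_mq_errlog.sh QM1
# Listing "cat .../qmgrs/*/errors/AMQERR01.LOG" in sudoers instead is weaker,
# because "*" in sudoers command arguments also matches "/" and spaces.

QMGRS_DIR=/var/opt/app/mq1/MQHA/qmgrs   # path from the thread, fixed on purpose

# read_qmgr_errlog BASE QMGR: print BASE/QMGR/errors/AMQERR01.LOG or fail.
read_qmgr_errlog() {
    base=$1
    qmgr=$2
    # Accept a single plain directory name only (character set is an
    # assumption; widen it if your queue manager directories need more).
    case $qmgr in
        ''|*[!A-Za-z0-9_]*)
            echo "invalid queue manager name" >&2
            return 2 ;;
    esac
    log="$base/$qmgr/errors/AMQERR01.LOG"
    # Refuse symlinks so the privileged read cannot be redirected.
    if [ -L "$base/$qmgr" ] || [ -L "$base/$qmgr/errors" ] || [ -L "$log" ]; then
        echo "refusing symlink in log path" >&2
        return 3
    fi
    if [ ! -f "$log" ]; then
        echo "no such log: $log" >&2
        return 4
    fi
    cat -- "$log"
}

# Entry point: exactly one argument, the queue manager directory name.
if [ "$#" -eq 1 ]; then
    read_qmgr_errlog "$QMGRS_DIR" "$1"
fi
```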
		
		
		  |  | 
		
		  | Dread86 | 
			  
				|  Posted: Wed Mar 16, 2016 4:46 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 15 Mar 2016Posts: 15
 
 
 | 
			  
				| 
  I didn't understand you. Could you please explain what I should do with the sudo option? 
	| tczielke wrote: |  
	| sudo could be an option to allow your non-mqm user id to have some limited mqm access to read the error log files. |  |  | 
		
		
		  |  | 
		
		  | tczielke | 
			  
				|  Posted: Wed Mar 16, 2016 6:06 pm    Post subject: |   |  | 
		
		  | Guardian
 
 
 Joined: 08 Jul 2010Posts: 941
 Location: Illinois, USA
 
 |  | 
		
		
		  |  | 
		
		  | umatharani | 
			  
				|  Posted: Wed Mar 16, 2016 6:57 pm    Post subject: |   |  | 
		
		  | Apprentice
 
 
 Joined: 23 Oct 2008Posts: 39
 
 
 | 
			  
				| There is an option in MQ to retain the file permissions. 
 Filesystem:
 ValidateAuth=No
 
 Add this to qm.ini and then restart the queue manager. The queue manager will retain the (modified) permissions during error log rollover and queue manager restart.
 
 Thanks,
 mahesh
 |  | 
		
		
		  |  | 
		
		  | Dread86 | 
			  
				|  Posted: Wed Mar 16, 2016 8:53 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 15 Mar 2016Posts: 15
 
 
 | 
			  
				| 
   
	| umatharani wrote: |  
	| There is an option in MQ to retain the file permissions. 
 Filesystem:
 ValidateAuth=No
 
 Add this to qm.ini and then restart the queue manager. The queue manager will retain the (modified) permissions during error log rollover and queue manager restart.
 
 Thanks,
 mahesh
 |  Hi mahesh,
 Thanks for your response.
 I have modified the file permission and updated the .ini file accordingly. Later I did a restart of the queue manager, but I can still see the queue manager taking its default permissions during error log rollover.

 Before the restart, the queue manager writes some data to the error log, right? At that time the permissions on the error log are rolled back. Maybe this is the reason it's not working.

 Can you please tell me whether the above process is correct?
 |  | 
		
		
		  |  | 
		
		  | umatharani | 
			  
				|  Posted: Thu Mar 17, 2016 7:31 am    Post subject: |   |  | 
		
		  | Apprentice
 
 
 Joined: 23 Oct 2008Posts: 39
 
 
 | 
			  
				| What is the MQ version you are using? MQ v8? |  | 
		
		
		  |  | 
		
		  | Dread86 | 
			  
				|  Posted: Thu Mar 17, 2016 3:39 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 15 Mar 2016Posts: 15
 
 
 | 
			  
				| 
   
	| umatharani wrote: |  
	| What is the MQ version you are using? MQ v8? |  
 Yes, It's v 8.0
 |  | 
		
		
		  |  | 
		
		  | mqjeff | 
			  
				|  Posted: Fri Mar 18, 2016 5:09 am    Post subject: |   |  | 
		
		  | Grand Master
 
 
 Joined: 25 Jun 2008Posts: 17447
 
 
 | 
			  
				| ln -s
 _________________
 chmod  -R ugo-wx /
 |  | 
		
		
		  |  | 
		
		  | mqjeff | 
			  
				|  Posted: Fri Mar 18, 2016 5:29 am    Post subject: |   |  | 
		
		  | Grand Master
 
 
 Joined: 25 Jun 2008Posts: 17447
 
 
 | 
			  
				| You can do things with links - as far as I remember - to give them separate permissions from the linked directory. 
 And mq processes use setuid and setgid on their file system, so that could explain the issue with permissions being "restored".
 _________________
 chmod  -R ugo-wx /
 |  | 
		
		
		  |  | 
		
		  | fjb_saper | 
			  
				|  Posted: Fri Mar 18, 2016 5:42 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 18 Nov 2003Posts: 20767
 Location: LI,NY
 
 | 
			  
				| Tried it with ln -s absolutepathtosource absolutepathforlink and I got: lrwxrwxrwx for the link (created by root).
 Invoking cat <linkname> returned permission denied as the original file had
 -rw------ root:root
 _________________
 MQ & Broker admin
 |  | 
		
		
		  |  | 
		
		  |  |