ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » How to Read the MQ Queue manager Error Logs as non-mqm

Post new topic  Reply to topic Goto page 1, 2  Next
 How to Read the MQ Queue manager Error Logs as non-mqm « View previous topic :: View next topic » 
Author Message
Dread86
PostPosted: Tue Mar 15, 2016 8:05 pm    Post subject: How to Read the MQ Queue manager Error Logs as non-mqm Reply with quote

Novice

Joined: 15 Mar 2016
Posts: 15

Hi All,

For monitoring the Queue manager error logs present under /var/opt/app/mq1/MQHA/qmgrs/*/errors/AMQERR01.LOG we had written a script to read the logs and send them to the monitoring tool. The script/program which does this should not be in "mqm" group. Definitely the permission category should fall as "other". So accordingly we have given the read permissions to the error log file.

But later we came to know that queue manager will revert back its permission to the original ones while updating the error log files. Do we have any solution for us to constantly read the error logs with "non-mqm" user permissions irrespective of the queue manager error file updates?

We also don't want that user who runs the script to be added as user of mqm group.
Most of you guys might had faced this problem, please could you help me in resolving this?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Mar 16, 2016 4:38 am    Post subject: Re: How to Read the MQ Queue manager Error Logs as non-mqm Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Dread86 wrote:
Hi All,

For monitoring the Queue manager error logs present under /var/opt/app/mq1/MQHA/qmgrs/*/errors/AMQERR01.LOG we had written a script to read the logs and send them to the monitoring tool. The script/program which does this should not be in "mqm" group. Definitely the permission category should fall as "other". So accordingly we have given the read permissions to the error log file.

But later we came to know that queue manager will revert back its permission to the original ones while updating the error log files. Do we have any solution for us to constantly read the error logs with "non-mqm" user permissions irrespective of the queue manager error file updates?

We also don't want that user who runs the script to be added as user of mqm group.
Most of you guys might had faced this problem, please could you help me in resolving this?

AFAIK it's not when updating that the permissions change but on roll over... as mq renames the old logs and creates a new one.
Have you looked into what it would take to change the default umask for the log directory (files created there have a default umask of .... ) ?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
mqjeff
PostPosted: Wed Mar 16, 2016 4:40 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

ln -s
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
Dread86
PostPosted: Wed Mar 16, 2016 3:39 pm    Post subject: Re: How to Read the MQ Queue manager Error Logs as non-mqm Reply with quote

Novice

Joined: 15 Mar 2016
Posts: 15

fjb_saper wrote:
Dread86 wrote:
Hi All,

For monitoring the Queue manager error logs present under /var/opt/app/mq1/MQHA/qmgrs/*/errors/AMQERR01.LOG we had written a script to read the logs and send them to the monitoring tool. The script/program which does this should not be in "mqm" group. Definitely the permission category should fall as "other". So accordingly we have given the read permissions to the error log file.

But later we came to know that queue manager will revert back its permission to the original ones while updating the error log files. Do we have any solution for us to constantly read the error logs with "non-mqm" user permissions irrespective of the queue manager error file updates?

We also don't want that user who runs the script to be added as user of mqm group.
Most of you guys might had faced this problem, please could you help me in resolving this?

AFAIK it's not when updating that the permissions change but on roll over... as mq renames the old logs and creates a new one.
Have you looked into what it would take to change the default umask for the log directory (files created there have a default umask of .... ) ?

umask value is already set as 022 where i can have read permissions to read the file as non-mqm user. But Queue manager still updating the log and reverting back to old permissions
Back to top
View user's profile Send private message
Dread86
PostPosted: Wed Mar 16, 2016 3:46 pm    Post subject: Reply with quote

Novice

Joined: 15 Mar 2016
Posts: 15

mqjeff wrote:
ln -s

I tried with ln -s as well. Created a hard link file and changed the permissions as required. But later once the queue manager updates the error logs, the file permissions are gone.
Back to top
View user's profile Send private message
tczielke
PostPosted: Wed Mar 16, 2016 4:44 pm    Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

sudo could be an option to allow your non-mqm user id to have some limited mqm access to read the error log files.
_________________
Working with MQ since 2010.
Back to top
View user's profile Send private message
Dread86
PostPosted: Wed Mar 16, 2016 4:46 pm    Post subject: Reply with quote

Novice

Joined: 15 Mar 2016
Posts: 15

tczielke wrote:
sudo could be an option to allow your non-mqm user id to have some limited mqm access to read the error log files.
I didnt understand you. Could you please explain it what should i do with sudo option?
Back to top
View user's profile Send private message
tczielke
PostPosted: Wed Mar 16, 2016 6:06 pm    Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

It would be best to research what you can do with sudo. Below is one link.

http://www.tutorialspoint.com/unix_commands/sudo.htm
_________________
Working with MQ since 2010.
Back to top
View user's profile Send private message
umatharani
PostPosted: Wed Mar 16, 2016 6:57 pm    Post subject: Reply with quote

Apprentice

Joined: 23 Oct 2008
Posts: 39

There is an option in MQ to retain the file permissions.

Filesystem:
ValidateAuth=No

Add this to qm.ini and then restart the queue manager. The queue manager will retain the permissions(modified) during error logs rollover and queue manager restart.

Thanks,
mahesh
Back to top
View user's profile Send private message
Dread86
PostPosted: Wed Mar 16, 2016 8:53 pm    Post subject: Reply with quote

Novice

Joined: 15 Mar 2016
Posts: 15

umatharani wrote:
There is an option in MQ to retain the file permissions.

Filesystem:
ValidateAuth=No

Add this to qm.ini and then restart the queue manager. The queue manager will retain the permissions(modified) during error logs rollover and queue manager restart.

Thanks,
mahesh

Hi mahesh,
Thanks for your response.
I have modified the file permission and updated the .ini file accordingly. Later i did a restart of Queue manager, but still i can see queue manager taking its default permissions while error log rollover.

Before the restart, Queue manager writes some data to error log right, at that time permissions on error log are rolled back. May be this is the reason its not working.

Can you pls suggest me the above process is correct?
Back to top
View user's profile Send private message
umatharani
PostPosted: Thu Mar 17, 2016 7:31 am    Post subject: Reply with quote

Apprentice

Joined: 23 Oct 2008
Posts: 39

What is the MQ version you are using? MQ v8?
Back to top
View user's profile Send private message
Dread86
PostPosted: Thu Mar 17, 2016 3:39 pm    Post subject: Reply with quote

Novice

Joined: 15 Mar 2016
Posts: 15

umatharani wrote:
What is the MQ version you are using? MQ v8?


Yes, It's v 8.0
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Mar 18, 2016 5:09 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

ln -s
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Mar 18, 2016 5:29 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

You can do things with links - as far as I remember - to give them separate permissions from the linked directory.

And mq processes use setuid and setguid on their file system, so that could explain the issue with permissions being "restored".
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Fri Mar 18, 2016 5:42 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

tried it with ln -s absolutepathtosource absolutepathforlink and I got:
lrwxrwxrwx for the link (created by root)
invoking cat <linkname> returned permission denied as the original file had
-rw------ root:root
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic  Reply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » General IBM MQ Support » How to Read the MQ Queue manager Error Logs as non-mqm
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.