Discussion:
Is there a way to make MQ copy its AMQERR01.log entries into the syslog?
Potkay, Peter M (CTO Architecture + Engineering)
2014-08-13 16:43:48 UTC
Permalink
The chmod 2770 permissions on the /var/mqm/qmgrs/MyQM/errors directory are a pain in the butt. Our monitoring tools can't get in there. Apparently the permissions will revert back to this anytime the QM restarts. See here:
http://www-01.ibm.com/support/docview.wss?uid=swg21228976

Yeah, they give a kludgy work around. But then there are other tech notes that say don't mess with MQ dir permissions - period.
http://www-01.ibm.com/support/docview.wss?uid=swg21265111


So, while I scratch my head, wondering what the big deal was, why didn't IBM allow read access to world for the MQ error logs, what's the harm with reading an error log...how about getting the entries to go to the syslog. WMB does that by default. On Windows, MQ copies it into the Event Viewer.

All our monitoring tools have access to the syslog by default, so if our MQ entries were there as well it would be easy.

Anyone done this? How?
Other ideas?

I really do not want to add those monitoring IDs into the mqm group - who the heck knows who has access to those IDs.



Peter Potkay

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
Jefferson Lowrey
2014-08-13 16:58:26 UTC
Permalink
You should be able to create a link to the AMQERR files, perhaps in
/var/log, and then give the monitoring agents permissions to those links.

One of the big differences between AMQERR entries and BIP entries is that
BIP entries are small. Most syslogs expect that each entry will take up
a single line of text - and BIP errors are designed that way. AMQERR
entries are designed to be verbose, and include as much helpful
information as possible. Many syslogs and syslog monitors would likely
have difficulty with multi-line output for a single 'event'. Windows
Event Viewer expects that, and can handle it, so MQ on Windows takes
advantage.

I'm reasonably sure there's no way to tell a Unix qm to write to syslogd.
You could certainly put something in place that would tail the AMQERR
files and turn around and re-log them to syslog, or otherwise dump them
out somewhere that your log monitors can handle it.

Thank you,

Jeff Lowrey
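
The tail-and-relog approach described in the message above, as an added example that is not part of the thread: an awk filter folds each multi-line AMQERR entry into one line before `logger` hands it to syslog, so the monitoring IDs never need the mqm group. The entry layout, the sample entries, the syslog tag and priority, and GNU-style `tail -F` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed AMQERR entry layout: header
# lines, an "AMQnnnn:" message, EXPLANATION/ACTION text, then a line of dashes.

# Read AMQERR text on stdin; write one line per completed entry on stdout.
amqerr_to_lines() {
    LC_ALL=C awk '
        function clean(s) {
            gsub(/[\001-\037\177]/, " ", s)   # control bytes never reach syslog
            gsub(/  +/, " ", s)               # squeeze runs of spaces
            sub(/^ /, "", s); sub(/ $/, "", s)
            return s
        }
        function emit() {
            if (msg != "") {
                print clean(msg) " [" clean(hdr) "]"
                fflush()                      # do not lag behind tail -F
            }
            hdr = ""; msg = ""; part = "hdr"
        }
        BEGIN { part = "hdr" }
        /^-----/        { emit(); next }          # dashes close an entry
        /^EXPLANATION:/ { part = "skip"; next }   # long text stays in the file
        part == "hdr" && /^AMQ[0-9]+[A-Z]?:/ { part = "msg" }
        part == "hdr" { hdr = hdr " " $0 }
        part == "msg" { msg = msg " " $0 }
    '
}

# Follow the live log and hand each completed entry to syslog. Run as mqm,
# e.g. forward_amqerr MyQM; the tag and priority are placeholders. tail -F
# keeps following when the queue manager rolls AMQERR01.LOG over.
forward_amqerr() {    # $1 = queue manager name
    tail -n 0 -F "/var/mqm/qmgrs/$1/errors/AMQERR01.LOG" |
        amqerr_to_lines | logger -t "MQ-$1" -p daemon.err
}

# Constructed sample: two complete entries and one still being written.
sample_amqerr() {
    cat <<'EOF'
08/13/2014 11:44:01 AM - Process(12345.67) User(mqm) Program(amqrmppa)
                    Host(mqhost01) QMgr(MyQM)

AMQ9209: Connection to host 'client01 (10.0.0.5)' for channel 'APP.SVRCONN'
closed.

EXPLANATION:
An error occurred receiving data from 'client01 (10.0.0.5)' over TCP/IP.
ACTION:
Tell the systems administrator.
----- amqccita.c : 3472 -------------------------------------------------------
08/13/2014 11:44:01 AM - Process(12345.67) User(mqm) Program(amqrmppa)
                    Host(mqhost01) QMgr(MyQM)

AMQ9999: Channel 'APP.SVRCONN' to host 'client01 (10.0.0.5)' ended abnormally.

EXPLANATION:
Look at previous error messages for the channel program in the error logs.
ACTION:
Tell the systems administrator.
----- amqrmrsa.c : 930 --------------------------------------------------------
08/13/2014 11:45:10 AM - Process(12345.68) User(mqm) Program(amqrmppa)
                    Host(mqhost01) QMgr(MyQM)
EOF
}
```

The entry that has not yet received its closing line of dashes is held back until it is complete, so a monitor never sees half an event.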




Potkay, Peter M (CTO Architecture + Engineering)
2014-08-13 22:41:59 UTC
Permalink
Thanks Jeff for the insight on the difference between BIP entries and AMQ entries... helps explain why the AMQ entries aren’t in syslog.

-Peter

Roger Lacroix
2014-08-13 16:59:14 UTC
Permalink
Hi Peter,

How about you flip the idea around? If you need the directory/file permission (or ownership) to be different (without affecting the QMgr) then why not clone the directory/files to a new location with rsync?

i.e.
- Create a directory called /var/mqm/qmgrs/MyQM/errors_clone/
- Set the permission of /var/mqm/qmgrs/MyQM/errors_clone/ to be whatever you need
- Create an MQ service for that QMgr to invoke rsync to clone /var/mqm/qmgrs/MyQM/errors/ to /var/mqm/qmgrs/MyQM/errors_clone/

Now you can have your monitoring tools watch /var/mqm/qmgrs/MyQM/errors_clone/ without any issues.

It's not perfect but it does solve your issue.

Regards,
Roger Lacroix
Capitalware Inc.


Potkay, Peter M (CTO Architecture + Engineering)
2014-08-13 22:48:32 UTC
Permalink
The MQ Service would need to be a script that runs rsync every x minutes, then does a chmod on the destination copy of the file so that the monitor would be able to read the copy? The original AMQERR01.LOG has 660 permissions and rsync run by mqm ends up giving the copy of the file the same permissions, which leaves the monitoring tool unable to read the copy.


Not sure what the MQ service buys me here. Would having cron run it every x minutes work just as well? I guess it would run needlessly if the QM was down, but that is so infrequent who cares.

The thing I like about this idea is that it can be the same script on every one of my MQ servers, and the local copy can always be the same named dir, so the monitoring team doesn't have to be aware of the different path to the error log on every different server / queue manager.


-Peter


Roger Lacroix
2014-08-13 23:07:20 UTC
Permalink
Hi Peter,

Your Unix guru will have more rsync knowledge than me but you can (1) run it as a daemon and (2) set directory permissions for rsync.

i.e.
rsync --daemon --chmod=ug=rw,o=r /var/mqm/qmgrs/MyQM/errors/* /var/mqm/qmgrs/MyQM/errors_clone/

Note the ",o=r" for the chmod. It sets world permission to read.

You can look up the man page for rsync at http://linux.die.net/man/1/rsync

Regards,
Roger Lacroix
Capitalware Inc.
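
A one-shot form of the clone for cron or an MQ service running as mqm, added here as an example and not taken from the thread. `--daemon` starts rsync as a server for remote clients rather than performing a copy, so it is left out, and `--perms` is added so that `--chmod` also corrects files already in the clone; the script path and interval in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: copy the queue manager error logs to a
# clone directory with world-readable file modes.
# Usage: clone_errlogs SRC_DIR DST_DIR
clone_errlogs() {
    src=$1 dst=$2
    set -- "$src"/AMQERR0?.LOG
    [ -e "$1" ] || return 0     # no error logs yet, nothing to copy

    # --perms sets the destination mode exactly (independent of umask), so
    # the 660 source mode becomes 664 on new and on existing copies alike.
    # No -r: only the named files are touched, so the clone directory keeps
    # the mode it was created with instead of inheriting 2770 from errors/.
    rsync --times --perms --chmod=ug=rw,o=r "$@" "$dst"/
}

# crontab entry for mqm (interval and script path are placeholders):
#   */5 * * * * /usr/local/bin/clone_errlogs.sh
# where the script ends with:
#   clone_errlogs /var/mqm/qmgrs/MyQM/errors /var/mqm/qmgrs/MyQM/errors_clone
```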

Tim Zielke
2014-08-13 17:36:57 UTC
Permalink
Hi Peter,

Would sudo be an option here? In other words, set up sudo rules that give the monitoring ids the access to run only certain commands under mqm.

Thanks,
Tim

Potkay, Peter M (CTO Architecture + Engineering)
2014-08-13 22:50:04 UTC
Permalink
Hmmm, yes, this could be a solution. I have asked the monitoring dudes for the complete list of commands they need to execute to monitor my logs. This would only work as long as I didn't have to create additional sudo rules every time we ask them to look for a new AMQ* message.

-Peter


Tim Zielke
2014-08-13 23:51:46 UTC
Permalink
I would recommend that you create an mqm locked down script that they can call and do their monitoring of the MQ error logs, and then you set up one sudo rule that allows them to run that script under the mqm id with the NOPASSWD option.

On a tangent here but . . .

sudo = substitute user do

English wasn't my best subject, but something does not seem right there . . .

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Potkay, Peter M (CTO Architecture + Engineering)
Sent: Wednesday, August 13, 2014 5:50 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: Is there a way to make MQ copy its AMQERR01.log entries into the syslog?

Hmmm, yes, this could be a solution. I have asked the monitoring dudes for the complete list of commands they need to execute to monitor my logs. This would only work as long as I didn't have to create additional sudo rules every time we ask them to look for a new AMQ* message.

-Peter


From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Tim Zielke
Sent: Wednesday, August 13, 2014 1:37 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: Is there a way to make MQ copy its AMQERR01.log entries into the syslog?

Hi Peter,

Would sudo be an option here? In other words, set up sudo rules that give the monitoring ids the access to run only certain commands under mqm.

Thanks,
Tim

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Potkay, Peter M (CTO Architecture + Engineering)
Sent: Wednesday, August 13, 2014 11:44 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Is there a way to make MQ copy its AMQERR01.log entries into the syslog?

The chmod 2770 permissions on the /var/mqm/qmgrs/MyQM/errors directory are a pain in the butt. Our monitoring tools can't get in there. Apparently the permissions will revert back to this anytime the QM restarts. See here:
http://www-01.ibm.com/support/docview.wss?uid=swg21228976

Yeah, they give a kludgy work around. But then there are other tech notes that say don't mess with MQ dir permissions - period.
http://www-01.ibm.com/support/docview.wss?uid=swg21265111


So, while I scratch my head, wondering what the big deal was, why didn't IBM allow read access to world for the MQ error logs, what's the harm with reading an error log...how about getting the entries to go to the syslog. WMB does that by default. On Windows, MQ copies it into the Event Viewer.

All our monitoring tools have access to the syslog by default, so if our MQ entries were there as well it would be easy.

Anyone done this? How?
Other ideas?

I really do not want to add those monitoring IDs into the mqm group - who the heck knows who has access to those IDs.



Peter Potkay


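
Tim Zielke's suggestion in the message above (one locked-down script run under the mqm id through a single NOPASSWD sudo rule), as an added example that is not code from the thread. The script path, the `mqmon` group and the allow-list patterns are assumptions; because the script validates the AMQ id itself, the one rule stays unchanged when a new AMQ* message has to be watched.

```sh
#!/bin/sh
# Added example: hypothetical /usr/local/bin/mq-errlog-read, owned by mqm, mode 0750.
# One sudoers rule (the group name mqmon is an assumption) covers every AMQ id:
#   %mqmon ALL=(mqm) NOPASSWD: /usr/local/bin/mq-errlog-read
# Called as: sudo -u mqm /usr/local/bin/mq-errlog-read MyQM AMQ9999
PATH=/usr/bin:/bin; export PATH

# read_errlog BASE QMGR [MSGID]: print AMQERR01.log lines for one queue manager.
read_errlog() {
    base=$1 qmgr=${2-} msgid=${3-}
    # Names are allow-listed so no argument can add a path component or an option.
    case "$qmgr" in
        ''|*[!A-Za-z0-9_]*) echo "invalid queue manager name" >&2; return 2 ;;
    esac
    case "$msgid" in
        ''|AMQ[0-9][0-9][0-9][0-9]) ;;
        *) echo "message id must look like AMQ9999" >&2; return 2 ;;
    esac
    log="$base/$qmgr/errors/AMQERR01.log"
    # Only a regular file is read; a symlink placed in the directory is refused.
    if [ -L "$log" ] || [ ! -f "$log" ]; then
        echo "no readable error log for $qmgr" >&2; return 3
    fi
    if [ -n "$msgid" ]; then
        # -F treats the id as a fixed string; exit status 1 only means "no match".
        grep -F -- "$msgid" "$log" || [ "$?" -eq 1 ]
    else
        tail -n 200 "$log"
    fi
}

# The base directory is fixed here and never taken from the caller.
if [ "$#" -ge 1 ]; then
    read_errlog /var/mqm/qmgrs "$@"
else
    echo "usage: mq-errlog-read QMGR [AMQnnnn]" >&2
fi
```

A sudoers command listed without arguments permits any arguments, so the argument checks inside the script are the only control on what the monitoring ids can ask for.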