Getting Started with Oracle Cloud Logging Analytics

Recently one of my colleagues was trying to set up Logging Analytics to monitor Squid Proxy. It was his first time setting up a new agent, and as he was setting it up he ran into a few confusing (but common) issues. I figured there are likely quite a few people going through these same issues and thought we’d write a quick walkthrough for people who are trying to set up Logging Analytics for the first time.

For this blog we are running everything within Oracle Cloud. We have an Oracle Compute Instance running Squid Proxy. It is extremely easy to install a monitoring agent if you are running within Oracle Cloud. However, not all of your workloads may be in Oracle Cloud. If you want to monitor sources outside of Oracle Cloud, installing the Management Agent may take a few more steps. See Oracle’s documentation to get a full run-down on how to install a monitoring agent on an external host.

That being said, setting up an Oracle Management Agent on an Oracle Compute Instance is relatively simple. Simply navigate to Compute > Instances and select your instance. Once you are on your specific instance, click the tab labeled “Oracle Cloud Agent”. Here you should see a plugin labeled “Management Agent”. If it is not already enabled, enable it now. It will initially say “Stopped” in the Status column. Wait until Status says “Started” and the Message columns says “agent started”.

Now, click the hamburger menu and navigate to the Observability & Management > Logging Analytics > Administration. We will attempt to add the Squid Proxy logs. To do this click the “sources” link and search for Squid Proxy. In case you are not using squid proxy specifically, you can choose any other source at this point. Oracle currently supports hundreds of different sources. In this example, we are choosing the Squid Proxy Access Logs. Once we click that, it should automatically bring up any “Associated Entries”. However, our instance is not currently listed there. If we click “Ineligible Entries” we can see our Compute Instance with the message “Management agent validation is pending”.

Management agent validation is pending

Although there is a Management Agent on our host, we never installed the Logging Analytics software on the agent, which is causing this error. To install the Logging Analytics software, navigate to Observability & Management > Management Agents > Agents. Now, select the agent on the host that we’ve been working on. Click Deploy Plugins, select “Logging Analytics” and click Update. This should now deploy the software and allow you to collect any logs on the system. This can take a few minutes to deploy.

To verify everything is working, go back to Observability & Management > Logging Analytics > Administration and attempt to add Squid Proxy again. If we click on “Ineligible Entries” and our instance is still listed, wait a few more minutes.

Once the source is no longer in “Ineligible Entries”, we will need to associate it. Click on “Unassociated Entries”, select your host, and click “Add Association”. You can select an existing Log Group or create a new one. In this case, we created a new Log Group called “squid-demo”. Once you have chosen your Log Group, click Submit.

This should now have created an associated entry. Click “Associated Entries” and you should see your host listed under a status of “Pending”. Once your host says “Success”, we need to verify there are not any other problems. Click on the Name and then click “Agent Collection Warnings”. If you have no warnings here, you should be able to view logs at this point, so go ahead and click “View Log Explorer”. However, in our Squid Proxy example, we are running into an error that says File not Found.

File not Found…

This error took us a while to troubleshoot, but is quite simple once you know what is going on. First we verified that the log file existed (it did). However, we did notice that the user who owned the Squid logs (root) was not the same user that was running the Oracle Agent. So the agent just didn’t know the file existed due to permissions. Luckily, Oracle has some great documentation on how to grant READ access to your log files. For us, it came down to these simple steps:

Grant the management agent user READ access to the required log file:

setfacl -m u:<agentuser>:r <path to the log file/log file name>

Grant the READ and EXECUTE permissions to each folder in the log file path:

//set read, execute permissions on folders other than parent folder

setfacl -m u:<agentuser>:rx <path to the folder>

//set read, execute permissions with recursive options on parent folder

setfacl -R -m u:<agentuser>:rx <path to the folder> 

//set read, execute permissions with default option to allow all future log files created under this folder to be readable.

setfacl -d -m u:<agentuser>:rx <path to the folder>

Those last 3 commands are important in case your log file does any log rolling.

Verifying everything works

Once you run those commands, navigate back to “Agent Collection Warnings” and verify there are no further errors. If everything looks good, let’s try to view our logs. To do this, click the “View in Log Explorer” button. We ran a simple query

'Log Source' = 'Squid Proxy Access Logs' | timestats count as logrecords by 'Log Source' | sort -logrecords

If you have not had any logs recently, don’t forget to adjust the time period. Once that has been set, you should be able to see logs being collected in Logging Analytics.

If this blog helped you get Logging Analytics up and running, if you are running into other issues or if you are interesting to talk to us about our expert services around implementing, tuning, customizing, or managing Oracle Log Analytics, send us a note here!