QAN is not working - RELOAD grant not enabled, cannot rotate slowlog with disabled log rotation

I have fresh install (less than 2 weeks, version 2.33.0 of PMM server and pmm-agent/pmm-admin both 2.33.0 as well on DB servers) and among other things, wanted to see how well QAN works.

I have once a day pt-query-digest based slow log processing and QAN supposed to be addition to it.

Based on docs (not very much detailed in operations), I’ve added agent with pmm-admin add mysql --query-source=slowlog --size-slow-logs=-1GiB which to my understanding should:

  1. Tell agent do not mess with any tries of log rotation - it’s already handled by logrotate
  2. Take data from the slowlog file

( I couldn’t find any config file where this is saved, so it’s from my bash history and may be not really applied )


QAN dashboard is empty. On server ( Linux machine where pmm-agent/client runs )

root@prod-db-4:~# pmm-admin status --wait=30s|fgrep slow
        /agent_id/XXXXXX-4e7c-9dbd-6e13b378e265 mysql_slowlog_agent Agent_status_invalid 0

systemd unit logs:

root@prod-db-4:~# journalctl -u pmm-agent.service -n 1|tail
Feb 06 19:04:24 prod-db-4 pmm-agent[604561]: ERRO[2023-02-06T19:04:24.864+00:00] RELOAD grant not enabled, cannot rotate slowlog  agentID=/agent_id/XXXXXXXX-4e7c-9dbd-6e13b378e265 component=agent-builtin type=qan_mysql_slowlog_agent

This error makes not much sense to me - I’ve stated I don’t want to PMM deal with log rotation and why it’s trying to do RELOAD is unclear for me.

Please advise.

1 Like

Hi @Roman_Ovchinnikov welcome to the Percona forums!

Interesting scenario. Would you be willing to experiment by assigning the RELOAD privilege to the PMM user, and then validate if the slow log is being consumed and then displayed in QAN?

Yes, I’ve did such test and QAN started to be populated on all 3 servers ( 1 master + 2 replica servers). Yet, I see area for improvement here - granting more than needed privs should be avoided.

In my particular case, this is “monitoring” db account, basically readonly, used by Collectd, Zabbix and now PMM.

Hi @Roman_Ovchinnikov

Thank you very much for testing this. I agree this is a missed opportunity to minimize the security concern of the monitoring agent. I have filed a Percona JIRA bug. Please follow it and comment if I missed anything, thank you again for bringing this to our attention!