Sun Directory Server Enterprise Edition 7.0 Administration Guide

Chapter 14 Directory Server Logging

This chapter describes how to manage Directory Server logs.

If you want information to assist you in defining a logging strategy, use the logging policy information in Designing a Logging Strategy in Sun Directory Server Enterprise Edition 7.0 Deployment Planning Guide.

For a description of the log files and their contents, see Chapter 10, Directory Server Logging, in Sun Directory Server Enterprise Edition 7.0 Reference.

Log Analysis Tool

The Directory Server Resource Kit provides a log analysis tool, logconv, that enables you to analyze Directory Server access logs. The log analysis tool extracts usage statistics. It also counts the occurrences of significant events. For more information about this tool, see the logconv(1) man page.

Viewing Directory Server Logs

You can view the logs directly on the server in the default instance-path/logs directory. If you have modified the default path, you can find the log file location by using the dsconf command as follows:


$ dsconf get-log-prop -h host -p port log-type path

Alternatively, you can view the log files through Directory Service Control Center (DSCC). DSCC enables you to view and sort the log entries.

The following figure shows a sample of a Directory Server access log in DSCC.

Figure 14–1 DSCC Access Log

Access log viewed through DSCC. The access log entries are listed in a table.

To Tail Directory Server Logs

You can use the dsadm command to display a specified number of lines of the Directory Server logs, or to display log entries younger than a specified age. This example tails the error log. To tail the access log, use show-access-log instead of show-error-log.

  1. Display error log entries younger than a certain age.


    $ dsadm show-error-log -A duration instance-path
    

    You must specify a unit for the duration. For example, to display error log entries younger than 24 hours, type:


    $ dsadm show-error-log -A 24h /local/dsInst

  2. Display a specified number of lines from the error log (starting from the end).


    $ dsadm show-error-log -L last-lines instance-path
    

    The number of lines is expressed as an integer. For example, to display the last 100 lines, type:


    $ dsadm show-error-log -L 100 /local/dsInst

    If you do not specify a value, the default number of lines displayed is 20.

Configuring Logs for Directory Server

Many aspects of the log files can be modified. Some examples include the following:

The following procedures describe how to modify log configuration and how to enable the audit log.

To Modify Log Configuration

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the settings for the log that you want to modify.


    $ dsconf get-log-prop -h host -p port log-type
    

    For example, to list the existing error log settings, type:


    $ dsconf get-log-prop -h host1 -p 1389 error
    Enter "cn=Directory Manager" password:
    buffering-enabled         :  off
    enabled                   :  on
    level                     :  default
    max-age                   :  1M
    max-disk-space-size       :  100M
    max-file-count            :  2
    max-size                  :  100M
    min-free-disk-space-size  :  5M
    path                      :  /tmp/ds1/logs/errors
    perm                      :  600
    rotation-interval         :  1w
    rotation-min-file-size    :  unlimited
    rotation-time             :  undefined
    verbose-enabled           :  off

  2. Set the new value.

    Set the value that you want for the property.


    $ dsconf set-log-prop -h host -p port log-type property:value
    

    For example, to set the rotation interval for the error log to two days, use this command:


    $ dsconf set-log-prop -h host1 -p 1389 error rotation-interval:2d

To Enable the Audit Log

Unlike the access log and errors log, the audit log is not enabled by default. Before viewing the audit log, you must enable it.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable the audit log.


    $ dsconf set-log-prop -h host -p port audit enabled:on
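
The following script is an added example, not part of the original guide. It parses the dsconf get-log-prop output format shown in To Modify Log Configuration and reports a log that is not enabled (the default state of the audit log) or whose perm value grants access beyond the file owner. The function names are hypothetical, and the second sample is constructed.

```shell
# Added example: audit "dsconf get-log-prop" output for two properties.
# Reads the output on stdin, prints one line per finding, and returns the
# number of findings as its exit status (0 = nothing to report).
check_log_props() {
    awk -v label="$1" '
        # Property lines look like "name  :  value"; the password prompt and
        # any other text do not match and are skipped.
        /^[ \t]*[a-z-]+[ \t]*:/ {
            i = index($0, ":")
            name = substr($0, 1, i - 1); value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            prop[name] = value
        }
        END {
            n = 0
            if (prop["enabled"] != "on") {
                print label ": log is not enabled"; n++
            }
            # Anything but "00" in the group/other digits lets accounts other
            # than the file owner read or write the log.
            if (prop["perm"] !~ /^[0-7]+00$/) {
                print label ": perm \"" prop["perm"] "\" is wider than owner-only"; n++
            }
            exit n
        }'
}

# Sample 1: the error log settings printed earlier in this chapter (trimmed).
sample_error_log() {
    cat <<'EOF'
Enter "cn=Directory Manager" password:
enabled                   :  on
path                      :  /tmp/ds1/logs/errors
perm                      :  600
EOF
}

# Sample 2: constructed output, audit log disabled and world-readable.
sample_weak_audit_log() {
    cat <<'EOF'
enabled                   :  off
perm                      :  644
EOF
}

sample_error_log | check_log_props error || echo "findings: $?"
sample_weak_audit_log | check_log_props audit || echo "findings: $?"
# Live use: dsconf get-log-prop -h host1 -p 1389 audit | check_log_props audit
```
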

Rotating Directory Server Logs Manually

If you have a log that is getting very large, you can manually rotate the log at any time. Rotation backs up the existing log file and creates a fresh log file.

To Rotate Log Files Manually

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Rotate the log file.


    $ dsconf rotate-log-now -h host -p port log-type
    

    For example, to rotate the access log:


    $ dsconf rotate-log-now -h host1 -p 1389 access