Sun Java(TM) System Directory Proxy Server 5.2 2005Q1 Administration Guide 

Chapter 11
Configuring and Monitoring Logs

This chapter explains how to configure Directory Proxy Server to log entries or messages, and how to monitor its activities through those logged entries, using the Directory Proxy Server Console.

The chapter has the following sections:

    Overview of Logging
    Configuring Logs
    Monitoring Logs


Overview of Logging

Directory Proxy Server can maintain two types of logs: a system log and an audit log. This section describes these logs.

System Log

Directory Proxy Server can maintain extensive log records of various events and system errors so that you can monitor and debug the system. All log records can be maintained in text files and can be stored in your local file system for quick and easy retrieval. By default, Directory Proxy Server writes log entries to this file:

<server-root>/dps-<hostname>/logs/fwd.log

Each message in the log file is time stamped. It also has the process number and a message number that is internal to Directory Proxy Server.

For identification and filtering purposes, events logged by Directory Proxy Server are classified into various categories. These are listed in Table 11-1. Each category represents messages that are of the same or a similar nature or that belong to a specific functional area. Based on the configuration, a log file can record entries that fall under one or more of these categories.

In the Directory Proxy Server configuration, each message category corresponds to a specific log level. Log levels indicate the level of logging to be performed by the server—that is, how detailed the logging should be.

Table 11-1 lists the message categories in the descending order of priority—Critical has the highest priority level and Detailed trace has the lowest priority level.

Table 11-1 Log Levels

Log Level or Severity: Description

Mandatory
    Mandatory messages are always written to the log. They indicate, for example, the configuration that Directory Proxy Server read and the Directory Proxy Server version number on startup. Messages at this level are not configurable.

Critical
    These messages indicate that Directory Proxy Server encountered problems that need immediate attention. For example: Directory Proxy Server process 1234 has exited, attempting restart in 10 seconds.

Exception
    These messages indicate unexpected error conditions, such as an incorrectly formatted LDAP message received by Directory Proxy Server from a client or server. For example: Could not decode search request.

Warning
    These messages specify error conditions that Directory Proxy Server can ignore but that the administrator must investigate. For example: Local host name lookup failed. System default group may not function correctly.

Notice
    These messages are informational. For example: Received NULL continuation reference from server. Discarding...

Trace
    These are debug messages. For example: Result received from server lderr =32, matched=o=sun.com, errtxt=no such object. Trace messages include protocol dumps; using the Trace level can generate very large log files very quickly.

Detailed trace
    These messages provide more detailed debugging information, such as Requested Anonymous bind for recycling connection. They are usually meaningful only to the Directory Proxy Server engineering and support team.

Directory Proxy Server enables you to specify the amount of logging—you can use log levels to filter log entries based on the severity of an event. By default, the level is set to Warning.


Note

The log level is additive; that is, if you choose Warning as the log level, Warning, Exception, and Critical level messages will be logged. Log data can be voluminous, especially at lower (more verbose) logging levels. Make sure that the host machine has sufficient disk space for all the log files.


Optionally, you can configure Directory Proxy Server to send log messages to the syslog daemon instead of a file; log messages cannot be sent to both a file and the syslog daemon at the same time. If you opt for this configuration, make sure that your syslogd is properly configured. For example, to have all the messages written to the file /var/adm/messages, add the following line to /etc/syslog.conf:

daemon.crit;daemon.warning;daemon.info;daemon.debug /var/adm/messages

Note that Directory Proxy Server uses the daemon facility, with the crit, warning, info, and debug priorities or log levels. Table 11-2 shows the mapping between syslog events and Directory Proxy Server events.

Table 11-2 Mapping of Log Levels

Directory Proxy Server Event    syslog Event
Mandatory                       info
Critical                        crit
Exception                       err
Warning                         warning
Notice                          info
Trace                           info
Detailed trace                  info
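The following is an added example, not code from the Sun guide: it models the additive log-level rule from the Note above (choosing Warning also logs Exception and Critical) together with the Table 11-2 mapping, and checks whether a given /etc/syslog.conf selector line would actually route every priority Directory Proxy Server emits on the daemon facility. It assumes the standard syslog priority order and handles only the plain facility.priority selector form.

```python
# Added example; not from the Sun guide. Models the additive log-level rule
# (Table 11-1 and the Note) and the Table 11-2 syslog mapping, then checks
# whether a syslog.conf selector line routes every priority the server emits.

# Directory Proxy Server levels in descending priority (Table 11-1).
DPS_LEVELS = ["Critical", "Exception", "Warning", "Notice", "Trace", "Detailed trace"]

# Directory Proxy Server event -> syslog priority (Table 11-2).
DPS_TO_SYSLOG = {
    "Mandatory": "info", "Critical": "crit", "Exception": "err",
    "Warning": "warning", "Notice": "info", "Trace": "info",
    "Detailed trace": "info",
}

# Standard syslog priorities, highest first; "facility.prio" selects prio and above.
SYSLOG_PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def logged_levels(configured):
    """Events written when the log level is `configured` (Mandatory is always on)."""
    if configured not in DPS_LEVELS:
        raise ValueError(f"unknown log level: {configured!r}")
    return ["Mandatory"] + DPS_LEVELS[: DPS_LEVELS.index(configured) + 1]


def parse_selector(line):
    """Parse 'fac.prio;fac.prio  target' into ({(facility, priority)}, target)."""
    # Only the plain facility.priority form is handled (no '=', '!' or 'none').
    selector, target = line.split()
    pairs = set()
    for part in selector.split(";"):
        facility, priority = part.split(".")
        pairs.add((facility, priority))
    return pairs, target


def uncaptured_events(syslog_line, configured, facility="daemon"):
    """Events at the configured level whose syslog priority the line would not route."""
    pairs, _target = parse_selector(syslog_line)
    covered = set()
    for fac, prio in pairs:
        if fac not in (facility, "*"):
            continue
        if prio == "*":
            covered.update(SYSLOG_PRIORITIES)
        else:
            covered.update(SYSLOG_PRIORITIES[: SYSLOG_PRIORITIES.index(prio) + 1])
    return [ev for ev in logged_levels(configured) if DPS_TO_SYSLOG[ev] not in covered]
```

Running uncaptured_events against the selector line shown above returns an empty list, while a line that lists only daemon.crit would silently drop Exception, Warning and Mandatory messages.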

To rotate Directory Proxy Server logs and control other logging features use the following object class:

ids-proxy-sch-LogProperty

Refer to dpsconfig2ldif for detailed information about this object class and its usage.

Audit Log

In addition to logging system and error messages, Directory Proxy Server can also maintain audit trails for all events and connection statistics—for example, the DN of a client that just completed a bind/unbind with an LDAP directory can be logged.

By default, Directory Proxy Server is not configured to log audit messages; you can enable this feature at any time. You can also choose whether audit messages are written to the same file as system log entries or to a separate file. Unless configured to write to a different file, audit messages are logged together with the other messages in the system log file; for details, see System Log.


Note

Audit records enable you to detect unauthorized access or activity. It is recommended that you enable this feature. As a security measure, you should also periodically examine the Directory Proxy Server audit log for unusual activity.



Configuring Logs

To configure Directory Proxy Server to log entries, perform the following procedures: To Define the Log Settings, and then To Specify a Logging Property.

To Define the Log Settings

This step is required only if you want to create or define an object for the Log Property. If you have already created objects for the log property and want to use one of them, go to To Specify a Logging Property.

  1. Access the Directory Proxy Server Console as described in Accessing the Directory Proxy Server Consoles.
  2. Select the Configuration tab, and then, in the navigation tree, expand Logs.
  3. The right pane shows the list of existing objects for the logging property.
    Figure: Directory Proxy Server Logs Statistics window.

  4. Click New to define a new object.
  5. The Log Property window Statistics tab becomes active.

  6. In the Name field, type a name for the object. The name must be a unique alphanumeric string.
  7. In the Statistics tab, specify the kind of information to be logged.
  8. Check the boxes referring to the type of logging messages desired. By default none of the options are selected. Log messages are classified into the following groups: directory modifications, all LDAP operations, network connections, number of clients connected, and client auditing information.

    Directory modifications. Statistics about operations that write to the directory, such as add, modify, and delete, will be logged.

    All LDAP operations. Statistics about all LDAP operations will be logged.

    Network connections. Statistics about network connections will be logged.

    Number of clients connected. General statistics such as how many clients are connected will be logged.

    Client auditing information. Audit information, such as the DN of a client that just completed a bind/unbind, will be logged.

    Access Control List Information. This contains a list of users that have access to log information.

  9. Select the Output tab and specify where log entries should be sent and whether to log audit traces.
    Figure: Directory Proxy Server Logs Output window.
  10. Log file. Displays options governing where Directory Proxy Server will write its log entries.

    Write log entries to $(dps_ROOT)/logs/fwd.log. This is the default setting in which Directory Proxy Server will write its log entries to the file $(dps_ROOT)/logs/fwd.log where $(dps_ROOT) is the ServerRoot.

    Write log entries to. Specify an alternative file to which Directory Proxy Server will direct its log entries. The file separator must follow UNIX conventions regardless of platform.

    Write logs to syslog daemon with facility. (UNIX only) Choose a syslog facility code that Directory Proxy Server will use to log entries. This setting should be chosen only if this log property is to be used by Directory Proxy Server installed on a UNIX machine.

    Audit File. Displays options governing where Directory Proxy Server will write its audit log entries. For this feature to work, audit logging must be enabled by selecting the "Client auditing information" option in the Statistics tab.

    Write audit entries with other log entries. This is the default setting in which Directory Proxy Server will write its audit log entries to the same output specified in the log file settings above.

    Write log entries to. Specify an alternative file to which Directory Proxy Server will direct its audit log entries. The file separator should follow UNIX conventions regardless of platform.

    Write audits to syslog daemon with facility. (UNIX only) Choose a syslog facility code that Directory Proxy Server will use to log audit entries. This setting should be chosen only if this log property is to be used by Directory Proxy Servers hosted on a UNIX machine.

  11. Select the Detail tab and specify the log level—the amount of logging detail desired.
  12. Choose the logging level from the drop-down menu.
    Figure: Directory Proxy Server Logs Detail window.

  13. Select the Rotation tab to control how logs are sized and rotated.
    Figure: Directory Proxy Server Logs Detail window.
  14. Log file. Displays options limiting the size and maximum number of Directory Proxy Server log files.

    Limit the size of each log to. Enter the maximum size in megabytes for each log file.

    Limit the maximum number of logs to. Enter the maximum number of log files to be created and rotated.

    Audit file. Displays options limiting the size and maximum number of Directory Proxy Server audit files.

    Limit the size of each log to. Enter the maximum size in megabytes for each audit log file.

    Limit the maximum number of logs to. Enter the maximum number of audit log files to be created and rotated.

  15. Click Save to save your changes.
  16. The name of the object now appears in the list. The Directory Proxy Server configuration is modified, and you're prompted to restart the server.

  17. Restart the server as described in Restarting Directory Proxy Server.

To Specify a Logging Property

In this step, you select an existing log property to be used for logging messages.

  1. Access the Directory Proxy Server Console as described in Accessing the Directory Proxy Server Consoles.
  2. Select the Configuration tab, and then, in the navigation tree, select Logs.
  3. The right pane shows information regarding the log property specified by the current system property.
    Figure: Directory Proxy Server Logs Statistics window.

  4. In the "Settings saved as" drop-down list, select the property you want to use.
  5. Click Save to save your changes.
  6. Directory Proxy Server is now configured to log messages as defined in the configuration. The Directory Proxy Server configuration is modified, and you are prompted to restart the server.

  7. Select the Tasks tab and restart the server as described in Restarting Directory Proxy Server.


Monitoring Logs

When you have configured Directory Proxy Server to log messages, you can monitor Directory Proxy Server activities by viewing the log messages. By examining the log files, you can monitor many aspects of Directory Proxy Server's operation.

The Directory Proxy Server Console provides a simple mechanism for viewing the contents of log files. The contents of the log file you choose to view are displayed in the form of a table. The table is split; the top pane shows log records in tabular format and the bottom pane shows the currently-selected record in detail. Each log record contains information such as the date and time the message was logged, the severity of the message, and a general description of the log.

Once you open a log file for viewing, you can read its contents partially by specifying the number of records or entries to be displayed.

To View Log Records in a File

  1. Access the Directory Proxy Server Console as described in Accessing the Directory Proxy Server Consoles.
  2. Select the Configuration tab, and then, in the navigation tree, expand Logs.
  3. Select Log File.
  4. The right pane shows viewing options for entries logged to a file. You can select any of the log files specified in the current log property; Directory Proxy Server can contain separate files for logging and auditing information, if configured to do so.
    Figure: Directory Proxy Server Log file window.

Descriptions of the form elements are as follows:





Part No: 817-7615-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.