Chapter 8
Tuning Logging
Directory Server provides several log types, summarized in Table 8-1. This chapter discusses how to handle the different types of logs.
Table 8-1    Types of Logs Used by Directory Server

| Log | Type | Use |
|---|---|---|
| Access | Flat file | Evaluating directory use patterns, verifying configuration settings, diagnosing access problems. |
| Audit | Flat file | Providing audit trails for security and data integrity. |
| Changelog | Database | Enables synchronization between replicas. |
| Error | Flat file | Debugging directory deployments. |
| Retro changelog | Database | Permitting backward compatibility with previous versions. |
| Transaction | Database | Maintaining database integrity. |

In high-volume deployments, writing to logs can be disk intensive, resulting in noticeable negative performance impact. Given the potential for I/O bottlenecks inherent with heavy logging in high volume systems, consider placing logs on separate physical disks with separate disk controllers.
Access Logging
The access log contains detailed information about client connections and operations performed. The access log can be indispensable when diagnosing access problems, verifying server configuration settings, and evaluating server usage patterns. The default logging level results, however, in significant disk activity for most deployments, and the volume of disk activity can negatively affect server performance.
Although the access log provides beneficial troubleshooting information, it may become an I/O bottleneck. Consider disabling access logging once the directory is deployed and running without errors or performance problems. When access logging becomes necessary in a production environment, set logging levels to the minimum required level. Additionally, consider placing the access log on its own physical disk or fast disk subsystem having a large I/O buffer. Table 8-2 provides further recommendations for specific attributes.
Table 8-2    Tuning Recommendations for Access Logging

| Configuration Attribute (on dn: cn=config) | Short Description and Tuning Recommendations |
|---|---|
| nsslapd-accesslog | Specifies the path and filename of the access log file. For low volume deployments, the access log may share a disk with the audit and error logs. For high volume deployments, consider putting the access log on its own disk or disk subsystem, with its own controller. Choose a disk with a large I/O buffer. |
| nsslapd-accesslog-level | Specifies the level of informational logging used. Change to 0 (no access logging) from the default of 256 (logging for access to an entry) unless a higher level is required. |
| nsslapd-accesslog-logbuffering | Determines whether the access log is buffered. Leave on (default) unless you must disable buffering to see access log messages as they are triggered. Disabling buffering can result in a drop in overall performance. |
| nsslapd-accesslog-logging-enabled | Enables and disables access logging. Turn off (default is on) for maximum performance. If the deployment requires that access logging be enabled, set nsslapd-accesslog-level to the lowest acceptable setting, and put the access log on its own disk or disk subsystem. Rotate the access log frequently (each day or week) and use nsslapd-accesslog-logmaxdiskspace and nsslapd-accesslog-logminfreediskspace to manage disk space use. |
| nsslapd-accesslog-logmaxdiskspace | Specifies maximum disk space that all access logs (current and rotated logs) may consume. Set this value below the total amount of disk space dedicated to access logging. If using the same disk for audit, access, and error logging, ensure sufficient disk space for all three. If the access log resides on its own disk, set this variable to the size of the disk. |
| nsslapd-accesslog-logminfreediskspace | Specifies minimum free disk space allowed before old logs are purged. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to correspond to the setting for this attribute. If the access logs cannot be written because the disk is full, the server shuts down. |

Refer to the Sun ONE Directory Server Reference Manual for details concerning individual configuration attributes.
Sun ONE Directory Server Resource Kit documentation covers extracting information from the access log. Refer to "Downloading Directory Server Tools" for more information.
Audit Logging
The audit log contains detailed information about all changes made to each database as well as to server configuration. Audit logging is disabled by default.
In deployments having high modify volume, enabling audit logging causes a very noticeable overall drop in performance. Unless the deployment requires it, leave audit logging disabled. For large or high volume deployments that require audit logging, consider allocating a separate disk on a separate controller to the audit log. Table 8-3 provides further recommendations for specific attributes.
Table 8-3    Tuning Recommendations for Audit Logging

| Configuration Attribute (on dn: cn=config) | Short Description and Tuning Recommendations |
|---|---|
| nsslapd-auditlog | Specifies the path and filename of the audit log file. For low volume deployments, the audit log may share a disk with the access and error logs. For high volume deployments, consider putting the audit log on its own disk, with its own controller. Choose a disk with a large I/O buffer. |
| nsslapd-auditlog-logging-enabled | Enables and disables audit logging. Leave off (default setting) unless audit logging is required. |
| nsslapd-auditlog-logmaxdiskspace | Specifies maximum disk space that all audit logs (current and rotated logs) may consume. Set this value below the total amount of disk space dedicated to audit logging. If using the same disk for audit, access, and error logging, ensure sufficient disk space for all three. If the audit log resides on its own disk, set this variable to the size of the disk. |
| nsslapd-auditlog-logminfreediskspace | Specifies minimum free disk space allowed before old logs are purged. When the amount of free disk space falls below the value specified on this attribute, the oldest audit logs are deleted until enough disk space is freed to correspond to the setting for this attribute. If the audit logs cannot be written because the disk is full, the server shuts down. |

Refer to the Sun ONE Directory Server Reference Manual for details concerning individual configuration attributes.
Error Logging
The error log for a Directory Server instance contains detailed error, warning, and informational messages encountered during normal server operation. The low default logging level produces relatively little disk activity.
When log level is set higher to generate debugging information, however, Directory Server may begin writing large numbers of messages to disk. The write load can result in a very noticeable overall drop in performance. To avoid a drop in performance, increase log levels progressively, component by component, instead of activating log levels for all components at once.
The error log does not support log buffering. All messages are flushed to disk immediately. For large or high volume deployments, consider allocating a separate disk on a separate controller for the error log, used whenever debugging becomes necessary. Table 8-4 provides further recommendations for specific attributes.
Table 8-4    Tuning Recommendations for Error Logging

| Configuration Attribute (on dn: cn=config) | Short Description and Tuning Recommendations |
|---|---|
| nsslapd-errorlog | Specifies the path and filename of the error log file. For low volume deployments, the error log may share a disk with the access and audit logs. For high volume deployments, consider putting the error log on its own disk, with its own controller. Choose a disk with a large I/O buffer. |
| nsslapd-errorlog-logging-enabled | Enables and disables error logging. Leave on (default setting). |
| nsslapd-errorlog-logmaxdiskspace | Specifies maximum disk space that all error logs (current and rotated logs) may consume. Set this value below the total amount of disk space dedicated to error logging. If using the same disk for audit, access, and error logging, ensure sufficient disk space for all three. If the error log resides on its own disk, set this variable to the size of the disk. |
| nsslapd-errorlog-logminfreediskspace | Specifies minimum free disk space allowed before old logs are purged. When the amount of free disk space falls below the value specified on this attribute, the oldest error logs are deleted until enough disk space is freed to correspond to the setting for this attribute. If the error logs cannot be written because the disk is full, the server shuts down. |
| nsslapd-infolog-area | Specifies the components for which informational messages are logged. Leave at 0 (default) unless debugging a component. Avoid setting for more than one component at a time on production servers. |
| nsslapd-infolog-level | Specifies the level of informational logging used. Leave at 0 (default) unless debugging a component for which setting nsslapd-infolog-area alone fails to generate sufficient detail. |

Refer to the Sun ONE Directory Server Reference Manual for details concerning individual configuration attributes.
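The following Python check is an added example, not part of the original guide or the product. It reads a cn=config excerpt and reports any disk where the logmaxdiskspace caps of the enabled access, audit and error logs add up to more than the space dedicated to them, the condition Tables 8-2 to 8-4 tie to a full disk and a server shutdown. The LDIF excerpt, the disk inventory and the function names are constructed, and caps and disk sizes are assumed to share one unit (megabytes here).

```python
# Constructed cn=config excerpt; paths and sizes are sample values, not from the page.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-accesslog: /logs/ds/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-logmaxdiskspace: 500
nsslapd-auditlog: /logs/ds/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog-logmaxdiskspace: 400
nsslapd-errorlog: /errlogs/errors
nsslapd-errorlog-logmaxdiskspace: 100
"""
# Assumed inventory: mount point -> space dedicated to logs (same unit as the caps).
SAMPLE_DISKS = {"/logs": 800, "/errlogs": 200}
# Log name -> logging-enabled default stated in Tables 8-2 to 8-4.
LOG_DEFAULTS = {"accesslog": "on", "auditlog": "off", "errorlog": "on"}

def parse_entry(ldif):
    """Parse one unfolded LDIF entry into a dict keyed by lowercase attribute name."""
    pairs = (l.split(": ", 1) for l in ldif.splitlines() if ": " in l and not l.startswith("#"))
    return {name.lower(): value.strip() for name, value in pairs}

def mount_for(path, disks):
    """Return the longest mount point in disks that contains path, or None."""
    hits = [m for m in disks if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def audit_log_space(ldif, disks):
    """List disks whose enabled logs could outgrow the space dedicated to them."""
    cfg, per_disk, findings = parse_entry(ldif), {}, []
    for log, default in LOG_DEFAULTS.items():
        if cfg.get(f"nsslapd-{log}-logging-enabled", default).lower() != "on":
            continue  # a disabled log writes nothing
        path = cfg.get(f"nsslapd-{log}", "")
        cap = cfg.get(f"nsslapd-{log}-logmaxdiskspace")
        mount = mount_for(path, disks)
        if mount is None:
            findings.append(f"{log}: path {path!r} is on no known disk")
        elif cap is None:
            findings.append(f"{log}: no logmaxdiskspace set on {mount}")
        else:
            per_disk.setdefault(mount, []).append((log, int(cap)))
    for mount, caps in sorted(per_disk.items()):
        total = sum(size for _, size in caps)
        if total > disks[mount]:
            names = "+".join(name for name, _ in caps)
            findings.append(f"{mount}: {names} caps total {total} > {disks[mount]}")
    return findings
```

On the constructed sample, the access and audit logs share /logs and their caps exceed the 800 dedicated to that disk, so that disk is reported.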
Multi-Master Replication Change Logging
Directory Server uses a replication changelog to enable synchronization between replicas. Refer to the Sun ONE Directory Server Deployment Guide for a discussion of the changelog and to the Sun ONE Directory Server Reference Manual for configuration details. Table 8-5 provides further recommendations for specific attributes.
Table 8-5    Tuning Recommendations for Multi-Master Change Logging

| Configuration Entry DN | Configuration Attribute | Short Description and Tuning Recommendations |
|---|---|---|
| dn: cn=changelog5,cn=config | nsslapd-cachememsize | Specifies the changelog database cache size. Consider changing this from the default of 10 MB for high volume deployments. |
| dn: cn=changelog5,cn=config | nsslapd-changelogdir | Specifies the path and filename of the changelog database. Consider putting the changelog on its own disk or disk subsystem, with its own controller. A large I/O buffer can help. |
| dn: cn=changelog5,cn=config | nsslapd-changemaxage | Specifies the maximum age for entries in the changelog. Change this from 0 (default, indicating no maximum) to an interval after which replicated servers are fully synchronized and the changelog may be trimmed. |
| dn: cn=changelog5,cn=config | nsslapd-changemaxentries | Specifies the maximum number of entries in the changelog. Change this from 0 (default, indicating no maximum) to a number sufficient to allow replicated servers to become fully synchronized before the changelog is trimmed. |
| dn: cn=changelog5,cn=config | nsslapd-cachesize | Specifies the maximum number of entries in the changelog database cache. Change this from -1 (default, indicating no maximum) to a maximum number of entries retained in the changelog before entries are flushed. |

Refer to the Sun ONE Directory Server Reference Manual for details concerning individual configuration attributes.
Retro Change Logging
Directory Server ships with a retro changelog plug-in that you may enable to record changes on a supplier server in a format compatible with Directory Server 4.x releases and accessible through LDAP. The retro changelog plug-in is disabled by default and should not be enabled unless required for compatibility reasons. Refer to the Sun ONE Directory Server Reference Manual for details. Table 8-6 provides further recommendations for specific attributes.
Table 8-6    Tuning Recommendations for Retro Change Logging

| Configuration Entry DN | Configuration Attribute | Short Description and Tuning Recommendations |
|---|---|---|
| dn: cn=Retro Changelog Plugin,cn=plugins,cn=config | nsslapd-changelogdir | Specifies the path and filename of the retro changelog. Consider putting the retro changelog on its own disk or disk subsystem, with its own controller. A large I/O buffer can help. |
| dn: cn=Retro Changelog Plugin,cn=plugins,cn=config | nsslapd-changelogmaxage | Specifies the maximum age for entries in the retro changelog. Change this from 0 (default, indicating no maximum) to an interval after which clients using the retro changelog have processed the log entries generated. |
| dn: cn=Retro Changelog Plugin,cn=plugins,cn=config | nsslapd-changelogmaxentries | Specifies the maximum number of entries in the retro changelog. Change this from 0 (default, indicating no maximum) to a maximum number of entries retained in the retro changelog before trimming. |

Refer to the Sun ONE Directory Server Reference Manual for details concerning individual configuration attributes.
Transaction Logging
Directory Server maintains database integrity through transaction logging. Upon accepting an update operation (add, modify, delete, or modrdn), Directory Server writes a log message about the operation to the transaction log. Durable transaction logging, enabled by default, ensures data integrity. It does so by ensuring each update operation is committed to the transaction log on disk before the result code for the update operation is returned to the client application. In the event of a system crash, Directory Server uses the transaction log to recover the database. As the transaction log aids in the recovery of a database shut down abnormally, consider storing the transaction log and directory database on separate disk subsystems.
Transaction logging is extremely disk intensive, especially with durability turned on. It is likely to be the major bottleneck for update performance. In addition to protecting data integrity better in the event of a system crash, storing the transaction log and database on separate RAID systems such as Sun StorEdge disk arrays can boost update performance. Table 8-7 provides further recommendations for specific attributes.
Table 8-7    Tuning Recommendations for Transaction Logging

| Configuration Entry DN | Configuration Attribute | Short Description and Tuning Recommendations |
|---|---|---|
| dn: cn=config,cn=ldbm database,cn=plugins,cn=config | nsslapd-db-checkpoint-interval | Specifies how often Directory Server checkpoints the transaction log, ensures the entire database system is synchronized to disk, and cleans up transaction logs. Leave at 60 (default interval in seconds) unless database performance optimization based on empirical testing calls for a different value. Increasing the value of this attribute may result in a performance boost for update operations, but also means that recovery after disorderly shutdown takes longer, and that the transaction log uses more disk space. |
| dn: cn=config,cn=ldbm database,cn=plugins,cn=config | nsslapd-db-durable-transaction | Specifies whether update operations are committed to the transaction log on disk before result codes are sent to clients. Leave on (default) for deployments requiring a high level of data integrity. Durable transaction logging may be disabled for some deployments to boost performance. When it is disabled, however, log messages flushed to the file system but not yet to disk may be lost in the event of a system crash. This means that with durable transaction logging off, some updates may be unrecoverable even after the client receives a successful update result code. |
| dn: cn=config,cn=ldbm database,cn=plugins,cn=config | nsslapd-db-logdirectory | Specifies the path and filename of the transaction log. Consider storing the transaction log on its own very fast disk or disk subsystem, with its own controller. |

Refer to the Sun ONE Directory Server Reference Manual for details concerning individual configuration attributes.