|
| Sun ONE Directory Server 5.2 Reference Manual |
Chapter 8 Access Logs and Connection Codes
Sun ONE Directory Server 5.2 provides you with logs to help you monitor directory activity. Monitoring allows you to detect and remedy failures and, when done proactively, to anticipate and resolve potential problems before they result in failure or poor performance. To monitor your directory effectively, you need to understand the structure and content of the logs.
This chapter includes the following sections:
For information on the error codes returned in log files, see Appendix A "Error Codes."
If you require further assistance in the investigation of your access log reports, please contact Sun ONE Technical Support:
http://www.sun.com/service/sunone/index.html
Access Log Content
The Sun ONE Directory Server 5.2 access log contains detailed information about client connections to the directory. A connection is a sequence of requests from the same client with the following structure:
- Connection record that gives the connection index and the IP address of the client
- Bind record
- Bind result record
- Sequence of operation request / operation result pairs of records (or individual records in the case of connection, closed, and abandon records)
- Unbind record
- Closed record
The access log files are located in the directory ServerRoot/slapd-serverID/logs. Each line of a log file begins with a timestamp [20/Aug/2002:11:39:51 -0700], where -0700 indicates the time difference in relation to GMT. The format of the timestamp may vary depending on the platform you are using. Apart from the connection, closed, and abandon records that appear individually, all records appear in pairs, consisting of a request for service record followed by a result record. These two records frequently appear on adjacent lines but this is not always the case.
This section presents the different levels of access logging available with Sun ONE Directory Server 5.2, then describes the default access logging content and ends with a description of the additional access logging level content. This section is divided into the following parts:
- "Access Logging Levels"
- "Default Access Logging Content"
- "Access Log Content for Additional Access Logging Levels"
Access Logging Levels
Different levels of access logging exist. By changing the value of the nsslapd-accesslog-level configuration attribute, you can select the exact type of logging you require. The default level of logging is level 256 which logs access to an entry but you can choose from the following logging levels, combining more than one level to suit your needs:
0=No access logging
4=Logging for internal access operations
256=Logging for access to an entry
512=Logging for access to an entry and referrals
131072=Precise timing of operation duration. This gives microsecond resolution for the Elapsed Time item in the access log.
For example, if you want to log internal access operations, entry access, and referrals, you would set a value of 516 (512+4) in the nsslapd-accesslog-level configuration attribute. For further information on other access log configuration attributes, see Chapter 4 "Core Server Configuration Attributes."
Default Access Logging Content
This section describes the access log content in detail, based on the default access logging level extract in Code Example 8-1.
Connection Number
Every external request is listed with an incremental connection number (conn=25, conn=26, and conn=27 in the preceding example), starting at conn=0 immediately after server startup. In this example, conn=25 represents an LDAP add operation, conn=26 is a DSML add operation and conn=27 is an LDAP search operation.
Internal LDAP requests are not recorded in the access log by default. To activate the logging of internal access operations, specify an access logging level of 4 in the nsslapd-accesslog-level configuration attribute.
File Descriptor
Every connection from an external LDAP client to Directory Server requires a file descriptor, or socket descriptor, from the operating system (fd=32 in the preceding example). fd=32 indicates that file descriptor number 32 was used from the total pool of available file descriptors.
Slot Number
The slot number (slot=32 in the preceding example), has the same meaning as file descriptor. It is a legacy section of the access log and can be ignored.
Operation Number
In processing an external request, Directory Server performs the required series of operations. For a specific connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed. In Code Example 8-1, op=0 is given for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. Should you see op=-1 in the access log, it generally means that the LDAP request for this connection was not issued by an external LDAP client, but instead initiated internally.
Method Type
The method number, in this case method=128, indicates which LDAPv3 bind method was used by the client. There are three possible bind method values:
0 = no authentication
128 = simple bind with user password
sasl= SASL bind using external authentication mechanism
Version Number
The version number, in this case version=3, indicates the LDAP version number (either LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.
Error Number
The error number, in this case err=0, provides the LDAP result code returned from the LDAP operation performed. The LDAP error number 0 means that the operation was successful. For a more comprehensive list of LDAP result codes see "LDAP Result Codes".
Tag Number
The tag number, in this case tag=97, indicates the type of result returned, which is almost always a reflection of the type of operation performed. The tags used are the BER tags from the LDAP protocol. Commonly used tags include:
tag=97 for a result from a client bind operation
tag=100 indicates the actual entry for which you were searching
tag=101 for a result from a search operation
tag=103 for a result from a modify operation
tag=105 for a result from an add operation
tag=107 for a result from a delete operation
tag=109 for a result from a moddn operation
tag=111 for a result from a compare operation
tag=115 indicates a search reference when the entry you perform your search on holds a referral to the entry you require. Search references are expressed in terms of a referral.
tag=120 for a result from an extended operation
Note tag=100 and tag=115 are not result tags as such. It is unlikely that you will see them in your access log.
Number of Entries
The number of entries, in this case nentries=0, indicates the number of entries that were found matching the LDAP client's request.
Elapsed Time
Elapsed time, in this case etime=1000, indicates the amount of time (in seconds) that it took Directory Server to perform the LDAP operation. An etime value of 0 means that the operation actually took milliseconds to perform. If you want to have microsecond resolution for this item in the access log, enter a value of 131328 (256+131072) in the nsslapd-accesslog-level configuration attribute.
LDAP Request Type
The LDAP request type indicates the type of LDAP request being issued by the LDAP client. Possible values are:
SRCH=search
MOD=modify
DEL=delete
ADD=add
MODDN=moddn
EXT=extended operation
ABANDON=abandon operation
LDAP Response Type
The LDAP response type indicates the LDAP response being issued by the LDAP client. Possible values are:
RESULT=result
ENTRY=entry
REFERRAL=referral or search reference
Unindexed Search Indicator
The unindexed search indicator, notes=U, indicates that the search performed was unindexed, which means that the database itself had to be directly searched instead of the index file. Unindexed searches occur either when the All IDs Threshold was reached within the index file used for the search, when no index file existed, or when the index file was not configured in the way required by the search.
Note An unindexed search indicator is often accompanied by a large etime value, as unindexed searches are generally more time consuming.
Extended Operation OID
An extended operation OID, in this case either EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5", provides the OID of the extended operation being performed. Table 8-1 provides the list of the LDAPv3 extended operations that are supported by Sun ONE Directory Server 5.2, and their OIDs.
Change Sequence Number
The change sequence number, in this case csn=3b4c8cfb000000030000, is the replication change sequence number, indicating that replication is enabled on this particular naming context.
Abandon Message
The abandon message, in this case, [06/Aug/2002:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0, indicates that an operation has been aborted, where nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 indicates how much time (in seconds) had elapsed, and targetop=1 corresponds to an operation value from a previously initiated operation (that appears earlier in the access log).
There are two possible log ABANDON messages depending on whether the message ID succeeds in locating which operation was to be aborted or not. If the message ID succeeds in locating the operation (the targetop) then the log will read as above. However, if the message ID does not succeed in locating the operation or if the operation had already finished prior to the ABANDON request being sent, then the log will read as follows:
[06/Aug/2002:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
where targetop=NOTFOUND indicates that the operation to be aborted was either an unknown operation or already complete.
Message ID
The message ID, in this case msgid=2, is the LDAP operation identifier, as generated by the LDAP SDK client. The message ID may have a different value to the Sun ONE Directory Server Operation Number, but identifies the same operation. The message ID is used in the context of an ABANDON operation and tells the user which client operation is being abandoned.
SASL Multi-Stage Bind Logging
Sun ONE Directory Server 5.2 logging for multi-stage binds is now more explicit. Each stage in the bind process is logged and, where appropriate, the progress statement SASL bind in progress is included.
Access Log Content for Additional Access Logging Levels
This section presents the additional access logging levels available in the Sun ONE Directory Server 5.2 access log.
In Code Example 8-2, access logging level 512, which logs access to entries and referrals, is enabled. In this extract, 6 entries and 1 referral are returned in response to the search request in bold.
In Code Example 8-3, access logging level 4, which logs internal operations, is enabled.
Access log level 4 enables logging for internal operations which log the details of the search being performed, and the search base, scope, filter, and requested search attributes.
Connection Description
The connection description, in this case conn=Internal, indicates that the connection is an internal connection. The operation number op=-1 indicates that the operation was initiated internally.
Options Description
The options description, in this case options=persistent, indicates that a persistent search is being performed. Persistent searches can be used as a form of monitoring. They can be configured to return changes to given configurations when changes occur.
Note The Sun ONE Directory Server 5.2 access log distinguishes between persistent and regular searches. Some earlier Directory Server releases did not make this distinction.
In Code Example 8-4, both access logging level 512 and 4 are enabled, which results in both internal access operations, as well as entry access and referrals being logged.
Common Connection Codes
A connection code is a code that is added to the closed log message to provide additional information related to the connection closure. Common connection codes include:
A1=Client aborts the connection.
B1=Corrupt BER tag encountered or BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute, see "nsslapd-maxbersize (Maximum Message Size)".
If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.
B2=BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute, see "nsslapd-maxbersize (Maximum Message Size)".
B3=Corrupt BER tag encountered.
B4=Server failed to flush data response back to client.
P2=Closed or corrupt connection has been detected.
T1=Client does not receive a result within the specified idletimeout period.
T2=Server closed connection after ioblocktimeout period was exceeded.
U1= Connection closed by server after client sends an UNBIND request. The server will always close the connection when it sees an UNBIND request.
LDAP Result Codes
LDAP has a set of operation result codes with which you should be familiar. The following result codes may be generated by the LDAP server:
The following result codes may be generated by LDAP clients: