Skip Headers
Oracle® Fusion Middleware Reference for Oracle Directory Server Enterprise Edition
11g Release 1 (

Part Number E28969-01
Go to Documentation Home
Go to Table of Contents
Go to Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
PDF · Mobi · ePub

10 Directory Server Logging

For information about the types of logs used in Directory Server and for a description of the server logs, see the following sections:

10.1 Introduction to Logs

The following table summarizes the different logs used by the Directory Server.

Table 10-1 Logs Used by Directory Server

Log Type Description

Transaction log


Ensuring data integrity by committing each update operation to the transaction log on disk before the result code for the update operation is returned to the client application.

When Directory Server accepts an update operation, it writes a log message about the operation to the transaction log. If the system crashes, Directory Server uses the transaction log to recover the database.

Access log

Flat file

Evaluating directory use patterns, verifying configuration settings, diagnosing access problems. For information about access logs, see Access Logs.

Error log

Flat file

Debugging directory deployments. For information about error logs, see Error Logs.

Audit log

Flat file

Providing audit trails for security and data integrity. For information about audit logs, see Audit Logs.

10.2 Transaction Log

The following server properties configure the transaction log.


How often Directory Server checkpoints the transaction log, ensures the entire database system is synchronized to disk, and cleans up transaction logs


Whether update operations are committed to the transaction log on disk before result codes are sent to clients


The buffer size for log information stored in memory until the buffer fills or the transaction commit forces the buffer to be written to disk


The path of the transaction log


How many updates are accumulated before being committed to the directory database

See server for details.

10.3 Access, Error, and Audit Logs

Access logs, error logs and audit logs are flat files that contain information about operations. For information about how to view and configure logs, see Chapter 14, Directory Server Logging, in Oracle Directory Server Enterprise Edition Administration Guide.

By default, the logs are stored in the directory instance-path/logs/.

Log files can be rotated on demand, or can be scheduled to be rotated on a specific day-of-the week and time of day, or when the log file exceeds a specified minimum size.

Old log files are stored in the same path with the same name and an extension that contains the date that the file was created, in the format filename.YYYYMMDD-hhmmss. The server also maintains a file with the same name and the .rotationinfo extension to record the creation dates of all log files.

For information about access logs, error logs and audit logs, see the following sections:

10.3.1 Access Logs

Access logs contain information about connections between an LDAP client and a directory server. A connection is a sequence of requests from the same client, and can contain the following components:

  • Connection index and the IP address of the client

  • Bind record

  • Bind result record

  • Sequence of operation request/result pairs, or individual records in the case of connection, closed, and abandon records

  • Unbind record

  • Closed record

10.3.2 Error Logs

Error logs contain a unique identifier of the error, warning or information message, and a human readable message. Errors are defined according to the following severity.


The error is severe. Immediate action should be taken to avoid the loss or corruption of directory data.


The error is important. Action should be taken at some stage to prevent a severe error occurring in the future.


An informative message, usually describing server activity. No action is necessary.

10.3.3 Audit Logs

Audit logs contain records of all modifications to configuration or suffix entries. The modifications are written in LDIF format.

Audit logging is not enabled by default. To enable audit logging, use the procedure To Enable the Audit Log in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.3.4 Content of Access, Error, and Audit Logs

The remainder of this chapter describes each of the parts of the log files. Time Stamp

Each line of an access log file begins with a timestamp of this format:[20/Dec/2006:11:39:51 -0700]. The time stamp, -0700 indicates the time difference in relation to GMT.

The format of the time stamp can vary according to your platform. The connection, closed, and abandon records appear individually. All other records appear in pairs, consisting of a request for service record followed by a result record. The record pairs usually, but not exclusively, appear on adjacent lines. Connection Number

The connection number is represented by conn=value. Every external request is listed with an incremental connection number.

When conn=Internal the operation is an internal operation. To log internal access operations, specify an access logging level of acc-internal in the dsconf configuration attribute. File Descriptor

The file descriptor is represented by fd=value.

Every connection from an external LDAP client to a directory server requires a file descriptor from the operating system. The file descriptor is taken from a pool of available file descriptors. Slot Number

The slot number has the same meaning as file descriptor. Slot number is a legacy section of the access log and can be ignored. Operation Number

The operation number is represented by op=value.

For a connection, all operation request and result pairs are given incremental operation numbers beginning with op=0. The operation number identifies the operation being performed.

When op=-1, the LDAP request for the connection was not issued by an external LDAP client, but was initiated internally. Method Type

The method type is represented by method=value.

The method type indicates which bind method was used by the client. The method type can have one of the following values.


No authentication


Simple bind with user password


SASL bind using external authentication mechanism LDAP Version

The LDAP version can be LDAPv2 or LDAPv3. The LDAP version gives the LDAP version number that the LDAP client used to communicate with the LDAP server. Error Number

The error number is represented by err=number.

The error number provides the LDAP result code returned from the LDAP operation. The LDAP error number 0 means that the operation was successful. For a list of LDAP result codes refer to Result Codes in Log Files. Tag Number

The tag number is represented by tag=value.

The tags are used internally for message decoding and are not intended for use outside. The following tags are used most often.


A client bind operation


The entry for which you were searching


The result from a search operation


The result from a modify operation


The result from an add operation


The result from a delete operation


The result from a modify DN operation


The result from a compare operation


A search reference when the entry you perform your search on holds a referral to the entry you require. Search references are expressed in terms of a referral.


A result from an extended operation Number of Entries

The number of entries is represented by nentries=value.

The number of entries indicates the number of entries that matched an LDAP search request. Elapsed Time

The elapsed time is represented by etime=value.

Elapsed time indicates the time that it took to perform the LDAP operation. An etime value of 0 means that the operation took milliseconds to perform.

To log the time in microseconds, specify an access logging level of acc-timing in the dsconf configuration attribute. LDAP Request Type

The LDAP request type indicates the type of LDAP request made by the client. The following types of LDAP requests can be made:










Modify DN


Extended operation


Abandon operation


Compare operation LDAP Response Type

The LDAP response type indicates the LDAP response being returned by the server. The following LDAP responses can be returned:






Referral or search reference Unindexed Search Indicator

The unindexed search indicator is represented by notes=U.

In an unindexed search, the database is searched instead of the index file. Unindexed searches occur for the following reasons:

  • The all IDs threshold was reached in the index file used for the search

  • An index file does not exist

  • The index file is not configured in the way required by the search

An unindexed search indicator is often accompanied by a large etime value because unindexed searches are usually more time consuming than indexed searches. Extended Operation OID

An extended operation OID is represented by EXT oid="OID number". See extended-operations for a list of supported extended operations. Change Sequence Number in Log Files

The replication change sequence number is represented in log files by csn=value.

The presence of a change sequence number indicates that replication is enabled for this naming context. Abandon Message

The abandon message is represented by ABANDON.

The presence of the abandon message indicates that an operation has been aborted. If the message ID succeeds in locating the operation that has been aborted, the log message reads as follows:

conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0

However, if the message ID does not succeed in locating the operation, or if the operation had already finished prior to the ABANDON request being sent, then the log message reads as follows:

conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

The abandon message uses the following parameters:


Gives the number of entries sent before the operation was aborted


Gives the number of seconds that elapsed before the operation was aborted


Identifies the operation to be aborted. If the value is NOTFOUND, the operation to be aborted was either an unknown operation or already complete Message ID

The message ID is represented by msgId=value.

The message ID is the LDAP operation identifier generated by the client. The message ID can have a different value to the operation number, but identifies the same operation. The message ID in an ABANDON operation specifies which client operation is being abandoned.

The operation number starts counting at 0. However, in many client implementations the message ID number starts counting at 1. This explains why the message ID is frequently equal to the operation number plus 1. SASL Multi-Stage Bind Logging

Directory Server logs each stage in the multi stage bind process and, where appropriate, the progress statement SASL bind in progress is included.

The DN used for access control decisions is logged in the BIND result line and not in the bind request line.

conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=myname,dc=example,dc=com"

For SASL binds, the DN value displayed in the BIND request line is not used by the server and is, therefore, not relevant. However, for SASL binds, the authenticated DN must be used for audit purposes. Therefore, the authenticated DN must be clearly logged. Having the authenticated DN logged in the BIND result line avoids any confusion as to which DN is which. Options Description

The options description, options=persistent, indicates that a persistent search is being performed. Persistent searches can be used as a form of monitoring and can be configured to return changes to given configurations. The access log distinguishes between persistent and regular searches.

10.3.5 Connection Codes in Log Files

A connection code is included in the closing message of a log file. The connection code provides additional information about why the connection was closed. The following table describes the common connection codes.

10.3.6 Result Codes in Log Files

The following tables summarizes the LDAP result codes generated by an LDAP server and an LDAP client.

Table 10-2 Summary of Result Codes for LDAP Servers

Result Code Description




Operations error


Protocol error


Time limit exceeded


Size limit exceeded


Compare false


Compare true


Authentication method not supported


Strong authentication required


Partial results and referral received


Referral received


Administrative limit exceeded


Unavailable critical extension


Confidentiality required


SASL bind in progress


No such attribute


Undefined attribute type


Inappropriate matching


Constraint violation


Type or value exists


Invalid syntax


No such object


Alias problem


Invalid DN syntax


Object is a leaf


Alias de-referencing problem


Inappropriate authentication


Invalid credentials


Insufficient access


Server is busy


Server is unavailable


Server is unwilling to perform


Loop detected


Naming violation


Object class violation


Operation not permitted on a non-leaf entry


Operation not permitted on a RDN


Entry already exists


Cannot modify object class


Results too large


Affects multiple servers


Virtual list view error

Table 10-3 Summary of Result Codes for LDAP Clients

Result Code Description


Unknown error


Cannot contact LDAP server


Local error


Encoding error


Decoding error


Timed out


Unknown authentication method


Bad search filter


User cancelled operation


Bad parameter to an LDAP routine


Out of memory


Cannot connect to the LDAP server


Not supported by this version of LDAP


Requested LDAP control not found


No results returned


Additional results to return


Client detected loop


Referral hop limit exceeded