Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0), Part Number E28972-01
Directory Proxy Server logs information in access, bind, connection, and error logs. Unlike Directory Server, Directory Proxy Server does not have an audit log. For a description of the logs in Directory Proxy Server, see Chapter 23, Directory Proxy Server Logging, in the Reference for Oracle Directory Server Enterprise Edition.
You can view Directory Proxy Server logs directly through the log files or by using Directory Service Control Center (DSCC).
By default, the logs are stored in this directory:
instance-path/logs
Directory Proxy Server access, bind, connection, and error logs can be configured by using the dpconf command or DSCC. For information about how to configure the logs by using DSCC, see the Directory Proxy Server online help. This section describes how to configure Directory Proxy Server logs by using the dpconf command.
You can retrieve a complete list of the configuration options along with the allowed values and default values by running these commands:
$ dpconf help-properties error-log
$ dpconf help-properties access-log
$ dpconf help-properties bind-log
$ dpconf help-properties connection-log
The example in this procedure configures the Directory Proxy Server access log. You can use the same procedure to configure the Directory Proxy Server bind, connection, or error log. Be sure to replace access with bind, connection, or error, depending upon the log you are configuring.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the properties of the access log.
$ dpconf get-access-log-prop -h host -p port
The default properties of an access log are as follows:
default-log-level : info
enable-log-rotation : true
log-buffer-size : 1M
log-file-compression : no-compression
log-file-name : logs/access
log-file-perm : 600
log-level-client-connections : inherited
log-level-client-disconnections : inherited
log-level-client-operations : inherited
log-level-connection-handlers : inherited
log-level-data-sources : inherited
log-level-data-sources-detailed : none
log-min-size : 100M
log-rotation-frequency : 1h
log-rotation-policy : size
log-rotation-size : 100M
log-rotation-start-day : -
log-rotation-start-time : -
log-search-filters : false
max-age : unlimited
max-log-files : 10
max-size : unlimited
min-free-disk-space-size : 10
Change one or more of the properties listed in the previous step, View the properties of the access log.
$ dpconf set-access-log-prop -h host -p port property:value \
  [property:value ...]
For example, to set the default log level for all message categories to all, set the value of the default-log-level property to all.
$ dpconf set-access-log-prop -h host1 -p 1389 default-log-level:all
To disable all logs, irrespective of the log level for each message category, set the value of the default-log-level property to none.
$ dpconf set-access-log-prop -h host1 -p 1389 default-log-level:none
To reset a specific log level to the default log level, set that log level property to inherited. For example, to reset the log level for client connections, run the following command:
$ dpconf set-access-log-prop -h host1 -p 1389 log-level-client-connections:inherited
For information about properties that can be set by the set-access-log-prop subcommand, type:
$ dpconf help-properties access-log
By default, control OIDs are logged in the access log only in the OPERATION category, for all operations other than extended, unbind, and abandon.
The following is an example of an operation logged in the default mode:
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=4 s_conn=dsource-1:753
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 s_msgid=4 s_conn=dsource-1:753 etime=0
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 etime=2
To enable controls to be logged in all OPERATION and all SERVER_OP entries, both for requests and responses, run the following command:
$ dpconf set-server-prop log-control-oids:everywhere
When this property is set to everywhere, an empty control list means that no control was passed or returned. In the following example, a control was sent by the client and forwarded to the backend server. The backend server returned no control, so the list is empty.
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*" s_msgid=5 s_conn=dsource-1:744
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 s_msgid=5 s_conn=dsource-1:744 etime=0
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 etime=1
Directory Proxy Server can log the etimes in seconds, milliseconds, or microseconds. If the server property log-etimes-in-seconds is set to true, the etimes are logged in seconds with a decimal part; the precision of the decimal part is determined by the value of the time-resolution property. If log-etimes-in-seconds is set to false (the default), the etimes are integers expressing milliseconds or microseconds, depending on the value of the time-resolution property.
By default, log files are rotated when the log file size reaches 100 Mbytes. Ten log files are retained by default, after which the rotation procedure begins to overwrite the oldest log file. This section describes how to configure Directory Proxy Server logs for scheduled rotation, how to rotate logs manually, and how to disable log rotation. For example configurations, see Example Configurations for Log Rotation.
The example in this procedure configures the Directory Proxy Server access log. You can use the same procedure to rotate the Directory Proxy Server bind, connection, or error log. Be sure to replace access with bind, connection, or error, depending upon the log you are configuring.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the properties of the access log.
$ dpconf get-access-log-prop -h host -p port
View valid values for the properties of the access log.
$ dpconf help-properties access-log
To rotate logs when they reach a certain size, set the following properties:
$ dpconf set-access-log-prop -h host -p port \
  log-rotation-policy:size log-rotation-size:maximum-file-size
Caution: Under high activity levels, because of the asynchronous nature of Directory Proxy Server, the log file might not be rotated at exactly the configured size but at a size close to it. The rotated file might therefore be slightly smaller or slightly larger than the configured size.
If the unit of the maximum file size is not specified, the default unit of bytes is used. When the log file reaches the defined size, the log is rotated. The file size must be at least 1 Mbyte and no more than 2 Gbytes.
For an example of how to rotate logs by size, see Rotating the Log Based on Log Size.
To rotate logs periodically, irrespective of the log size, set the following properties:
$ dpconf set-access-log-prop -h host -p port \
  log-rotation-frequency:interval-in-months-weeks-hours-or-minutes \
  log-rotation-policy:periodic \
  log-rotation-start-day:day-in-week-(1-7)-or-day-in-month-(1-31) \
  log-rotation-start-time:time-of-day-(hhmm)
If the log is configured for rotation on the 31st of the month but the month has fewer than 31 days, the log is rotated on the first day of the following month.
The log-rotation-start-day and log-rotation-start-time properties have no default value. If you configure rotation without setting these properties, the log is rotated at the specified frequency, but the time of day or the day of the week at which rotation occurs might vary.
For examples of how to rotate logs periodically, see Rotating the Log Based on Time.
To rotate logs periodically only if the log file is big enough, set the log-rotation-frequency and log-min-size properties.
$ dpconf set-access-log-prop -h host -p port \
  log-rotation-frequency:interval-in-months-weeks-hours-or-minutes \
  log-rotation-policy:periodic log-min-size:minimum-file-size \
  log-rotation-start-day:day-in-week-(1-7)-or-day-in-month-(1-31) \
  log-rotation-start-time:time-of-day-(hhmm)
The log-min-size property represents the minimum size of the log. The rotation takes place at the scheduled time only if the log file is bigger than the specified size.
If the log is configured for rotation on the 31st of the month but the month has fewer than 31 days, the log is rotated on the first day of the following month.
The log-rotation-start-day and log-rotation-start-time properties have no default value. If you configure rotation without setting these properties, the log is rotated at the specified frequency, but the time of day or the day of the week at which rotation occurs might vary.
For an example of how to rotate logs periodically if the file size is big enough, see Rotating the Log Based on Time and Log Size.
To compress log files after a rotation, set the log-file-compression property. Example:
$ dpconf set-access-log-prop -h host -p port log-file-compression:best-speed
When the log-file-compression option is active, Directory Proxy Server compresses the log files with every rotation. Compressed files include the .zip extension. The current file is never compressed.
For best results, set the log-file-compression property to either no-compression or best-speed. Although other values may work, they might take too long to complete on current hardware, which could slow down Directory Proxy Server performance for an insufficient gain in compression rate. The default value is no-compression, which is compatible with previous versions of Directory Proxy Server.
Also, note that DSCC will not be able to show compressed log files.
The example in this procedure rotates the Directory Proxy Server access log. You can use the same procedure to rotate the Directory Proxy Server bind, connection, or error log. Be sure to replace access with bind, connection, or error, depending upon the log you are configuring.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Rotate the access log.
$ dpconf rotate-log-now -h host -p port access
The example in this procedure disables rotation of the Directory Proxy Server access log. You can use the same procedure to disable rotation of the Directory Proxy Server bind, connection, or error log. Be sure to replace access with bind, connection, or error, depending upon the log you are configuring.
Disable log file rotation.
$ dpconf set-access-log-prop -h host -p port enable-log-rotation:false
Examples of how to configure log rotation by log size, time, or both follow.
This example shows how to configure log rotation according to log size only. This configuration rotates the log when it reaches 10 Mbytes, irrespective of the time since the log was last rotated.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-policy:size \
  log-rotation-size:10M
The examples in this section show how to configure log rotation according to the time since the last rotation, irrespective of log size.
This configuration rotates the log after every 10 hours, irrespective of log size.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:10h \
  log-rotation-policy:periodic
For example, if the log is rotated at 3:00 today, the next rotations take place every 10 hours, that is, at 13:00, 23:00, and 9:00 the next day. Without setting log-rotation-start-day and log-rotation-start-time, the rotation might not take place at the same time every day.
This configuration rotates the log at 3:00, 13:00, and 23:00 every day, irrespective of the size of the log file. Because the log-rotation-start-time parameter takes precedence over the log-rotation-frequency parameter, the log is rotated at 3:00, that is, 4 hours after the last rotation.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:10h \
  log-rotation-policy:periodic log-rotation-start-time:0300
This configuration rotates the log at noon on Monday, and then at the same time every week, irrespective of the size of the log file.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:1w \
  log-rotation-policy:periodic log-rotation-start-day:2 log-rotation-start-time:1200
This configuration rotates the log at noon on Monday, and then every 3 days, irrespective of the size of the log file.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:3d \
  log-rotation-policy:periodic log-rotation-start-day:2 log-rotation-start-time:1200
The log is rotated on the following days: Monday, Thursday, Sunday, Wednesday, and so on. Notice that the log-rotation-start-day parameter applies to the first week only. The log is not rotated on the Monday of the second week.
This configuration rotates the log at noon on the 22nd day of the month, and then at the same time every month, irrespective of log size.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:1m \
  log-rotation-policy:periodic log-rotation-start-day:22 \
  log-rotation-start-time:1200
If log-rotation-start-day is set to 31 and the month has only 30 days, the log is rotated on the first day of the following month. If log-rotation-start-day is set to 31 and the month has only 28 days (February), the log is rotated on the 3rd.
This example shows how to configure a log rotation for a specified interval if the file size is big enough.
This configuration rotates the log at 3:00, 11:00, and 19:00 every day, if the size of the log file exceeds 1 Mbyte. If the size of the log file does not exceed 1 Mbyte, the log file is not rotated.
$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:8h \
  log-rotation-policy:periodic log-min-size:1M log-rotation-start-time:0300
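The schedule rules in the time-based examples above (start time re-anchoring an hourly frequency each day, start day fixing only the first rotation of a multi-day frequency, and the overflow of a start day that a month does not have) are easy to misread when planning log retention. The following Python is an added example, not part of this guide or of Directory Proxy Server; it models those documented rules so that you can check what a candidate configuration will do before applying it with dpconf. The function names and the ISO date inputs are the example's own conventions.

```python
import calendar
from datetime import date, datetime, timedelta


def daily_rotation_times(frequency_hours, start_hhmm):
    """Rotation times within one day for an hourly frequency (e.g. 10h).

    log-rotation-start-time re-anchors the schedule every day, so the last
    interval of the day is cut short: 10h from 03:00 gives 03:00, 13:00, 23:00
    and then 03:00 again (4 hours later), as in the documented example.
    """
    anchor = datetime(2000, 1, 1, int(start_hhmm[:2]), int(start_hhmm[2:]))
    end_of_cycle = anchor + timedelta(days=1)
    times, t = [], anchor
    while t < end_of_cycle:
        times.append(t.strftime("%H:%M"))
        t += timedelta(hours=frequency_hours)
    return times


def rotation_dates(first_rotation_iso, frequency_days, count):
    """Rotation dates when the frequency is given in days or weeks.

    log-rotation-start-day fixes only the first rotation; afterwards each
    interval runs from the previous rotation, so 3d from a Monday gives
    Monday, Thursday, Sunday, Wednesday (not the Monday of the next week).
    """
    first = date.fromisoformat(first_rotation_iso)
    return [(first + timedelta(days=i * frequency_days)).isoformat()
            for i in range(count)]


def rotation_weekdays(first_rotation_iso, frequency_days, count):
    """Same schedule as rotation_dates, reported as weekday abbreviations."""
    return [date.fromisoformat(d).strftime("%a")
            for d in rotation_dates(first_rotation_iso, frequency_days, count)]


def monthly_rotation_date(year, month, start_day):
    """Rotation date for a monthly frequency with the documented overflow rule.

    If the month has fewer days than log-rotation-start-day, the excess days
    carry into the next month: day 31 in a 30-day month rotates on the 1st of
    the following month, and day 31 in a 28-day February rotates on March 3rd.
    """
    days_in_month = calendar.monthrange(year, month)[1]
    if start_day <= days_in_month:
        return date(year, month, start_day).isoformat()
    overflow = start_day - days_in_month
    return (date(year, month, days_in_month) + timedelta(days=overflow)).isoformat()


if __name__ == "__main__":
    print(daily_rotation_times(10, "0300"))         # ['03:00', '13:00', '23:00']
    print(rotation_weekdays("2006-07-17", 3, 4))    # 2006-07-17 is a Monday
    print(monthly_rotation_date(2006, 2, 31))       # '2006-03-03'
```

The daily helper does not model the log-min-size condition of the last example; the documented behaviour there is simply that a scheduled rotation is skipped when the file is smaller than log-min-size, which is a comparison the reader can apply to the times returned.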
Whichever the rotation policy chosen, the log files can be compressed once they are rotated. This example activates this feature.
$ dpconf set-access-log-prop -h host1 -p 1389 log-file-compression:best-speed
Directory Proxy Server enables you to configure log deletion based on time, size, or free disk space (the default). For more information about these deletion policies, see Log File Deletion in the Reference for Oracle Directory Server Enterprise Edition.
The examples in the following procedures configure log deletion for the access log. You can use the same procedures to configure log deletion for bind, connection, or error logs. Be sure to replace access with bind, connection, or error, depending upon the log you are configuring.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Specify the maximum age for log files.
$ dpconf set-access-log-prop -h host -p port max-age:duration
where duration includes a unit of days (d), weeks (w), or months (M). For example, to delete backup log files older than five days, use this command:
$ dpconf set-access-log-prop -h host1 -p 1389 max-age:5d
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Specify the maximum size for log files.
$ dpconf set-access-log-prop -h host -p port max-size:memory-size
For example, to keep only the most recent log files with their aggregate size not more than 5 Mbytes, use this command:
$ dpconf set-access-log-prop -h host1 -p 1389 max-size:5M
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Specify the minimum available disk space.
$ dpconf set-access-log-prop -h host -p port min-free-disk-space-size:memory-size
For example, to delete backup log files when the available disk space is less than 2 Mbytes, use this command:
$ dpconf set-access-log-prop -h host1 -p 1389 min-free-disk-space-size:2M
Logging Alerts to the syslogd Daemon
This section describes how to configure the logging of alert messages to the syslogd daemon and how to configure the operating system to accept syslog alerts.
To Configure Logging of Alerts to the syslogd Daemon
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the current values of the properties for the system log alerts.
$ dpconf get-server-prop -h host -p port syslog-alerts-enabled \
  syslog-alerts-facility syslog-alerts-host
The default properties for the system log alerts are as follows:
syslog-alerts-enabled : false
syslog-alerts-facility : USER
syslog-alerts-host : localhost
The syslog-alerts-host property defines the host name of the syslogd daemon to which the messages are sent. The syslog-alerts-facility property is read-only and causes messages to be sent to the user category in the system log.
Enable alert messages to be logged to the syslogd daemon.
$ dpconf set-server-prop -h host -p port syslog-alerts-enabled:true
Send alert messages to the syslogd daemon on a different host.
$ dpconf set-server-prop -h host -p port syslog-alerts-host:hostname
Configuring the Operating System to Accept syslog Alerts
This section provides instructions on configuring the Solaris, Linux, and HP-UX operating systems to accept syslog alerts.
To Configure Solaris to Accept syslog alerts
Add the appropriate facility to the syslog configuration file.
For example, to store all alerts using the USER facility, add the following line to /etc/syslog.conf:
user.info /var/adm/info
Here /var/adm/info is an example local path in which messages will be stored. Ensure that /var/adm/info exists before continuing.
Restart the syslogd daemon.
On Solaris 8 and 9, restart syslogd by typing this:
$ /etc/init.d/syslog stop | start
On Solaris 10, restart syslogd by typing this:
$ svcadm restart system/system-log
Verify that messages are logged in syslog.
$ logger -p user.info "Test message"
$ cat /var/adm/info
Jun 19 17:18:38 host user: [ID 12345 user.info] Test message
To Configure Linux to Accept syslog Alerts
Add the appropriate facility to the syslog configuration file.
For example, to store all alerts using the USER facility, add the following line to /etc/syslog.conf:
user.info /var/adm/info
Here /var/adm/info is an example local path in which messages will be stored. Ensure that /var/adm/info exists before continuing.
Configure the syslogd daemon to run with the -r option.
This option allows syslogd to accept connections from the network. By default, the -r option is not set.
To set the -r option, add the following line to /etc/sysconfig/syslog:
SYSLOGD_OPTIONS="-m 0 -r"
If /etc/sysconfig/syslog does not exist, add the same line to /etc/init.d/syslog.
Restart the syslogd daemon.
$ /etc/init.d/syslog stop | start
Verify that messages are logged in syslog.
$ logger -p user.info "Test message"
$ cat /var/adm/info
Jun 19 17:18:38 host user: [ID 12345 user.info] Test message
To Configure HP-UX to Accept syslog alerts
Add the appropriate facility to the syslog configuration file.
For example, to store all alerts using the USER facility, add the following line to /etc/syslog.conf:
user.info /var/adm/info
Here /var/adm/info is an example local path in which messages will be stored. Ensure that /var/adm/info exists before continuing.
Restart the syslogd daemon.
$ /sbin/init.d/syslogd stop | start
Verify that messages are logged in syslog.
$ logger -p user.info "Test message"
$ cat /var/adm/info
Jun 19 17:18:38 host user: [ID 12345 user.info] Test message
To track the path of a client request, you must understand how requests are logged in the Directory Proxy Server access log and in the Directory Server access log. To understand this section, first read Tracking Client Requests Through Directory Proxy Server and Directory Server Access Logs in the Reference for Oracle Directory Server Enterprise Edition.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Locate the connection number for the operation that you want to track in the Directory Server access log.
For example, the following line in the access log shows an operation, op=2, with connection number conn=12839.
[20/Jul/2006:18:01:49 -0500] conn=12839 op=2 msgId=4 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=organizationalunit)" attrs=ALL
Obtain the Directory Proxy Server connection information for that connection.
To obtain this information, search the Directory Server access log to locate all operations with the corresponding connection number. For example, on UNIX systems, run the following grep command to locate all lines in the Directory Server access log that correspond to connection conn=12839:
$ grep conn=12839 access
The line showing the initial LDAP connection is what you are looking for and will be similar to this:
[19/Jul/2006:16:32:51 -0500] conn=12839 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 129.153.160.175:57153 to 129.153.160.175
The previous line shows that there is an LDAP connection from 129.153.160.175:57153 to Directory Server. The port number (57153) is the information that is required to link the connection back to the Directory Proxy Server access log. The port number enables you to find the corresponding connection in the Directory Proxy Server log, and to locate the client information from this connection.
If the log files have been rotated since the connection was first established, you need to search the archived log files as well as the current access log file.
Locate the corresponding connection in the Directory Proxy Server access log.
To obtain this information, search the Directory Proxy Server access log to locate all operations with the corresponding port number.
You might find multiple entries in the log file with the same port number. To ensure that you locate the correct entry, include the timestamp from the Directory Server log entry in your search.
For example, on UNIX systems, run the following grep command to locate the connection entry that corresponds to the timestamp and port number found in the Directory Server log:
$ grep 19/Jul/2006:16:32 access | grep 57153
Note that the seconds value is excluded from the timestamp to take into account slight differences in server times.
The corresponding line in the Directory Proxy Server log will be similar to this:
[19/Jul/2006:16:32:51 -0500] - SERVER_OP - INFO - Created BIND LDAP connection s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
This line shows that Directory Proxy Server created a BIND connection to s_conn=sunds-d1m1-9389:34. Directory Proxy Server identifies itself as the client client=0.0.0.0 on TCP port 57153.
The important information to extract from this line of the log is the server ID and port number (s_conn=sunds-d1m1-9389:34).
Locate all operations that correspond to the server ID and port number identified in the previous step.
To obtain this information, search the Directory Proxy Server access log for all operations with the corresponding server ID and port number.
For example, on UNIX systems, run the following grep command to locate the operations that correspond to the server ID found in the previous step:
$ grep s_conn=sunds-d1m1-9389:34 access
In this case, it is not useful to search for the timestamp because these operations might span several days. However, you must confirm that the operations returned by the search are the correct ones. If there are multiple Created connection statements, ensure that you locate the one that corresponds to the original search statement. To do this, match the timestamp to the timestamp found in the first step, Locate the connection number for the operation that you want to track in the Directory Server access log.
The following extract of the Directory Proxy Server access log shows all operations returned for s_conn=sunds-d1m1-9389:34.
[19/Jul/2006:16:32:51 -0500] - SERVER_OP - INFO - Created BIND LDAP connection s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=0 BIND dn="cn=directory manager" method="SIMPLE" s_msgid=3 s_conn=sunds-d1m1-9389:34
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=0 BIND RESPONSE err=0 msg="" s_conn=sunds-d1m1-9389:34
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=1 SEARCH base="dc=example,dc=com" scope=2 s_msgid=4 s_conn=sunds-d1m1-9389:34
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=1 SEARCH RESPONSE err=0 msg="" nentries=1 s_conn=sunds-d1m1-9389:34
With this information, you can see that the connection ID for this search operation on Directory Proxy Server is 31 (conn=31).
Locate the client connection IP address that corresponds to the connection ID found in the previous step.
To obtain this information, search the Directory Proxy Server access log for all operations with the correct connection ID and timestamp. The timestamp to use is the one in the original search statement in the first step, Locate the connection number for the operation that you want to track in the Directory Server access log.
For example, on UNIX systems, run the following grep command to locate the client connection IP address:
$ grep "20/Jul/2006:18:01" access | grep conn=31
The line you are interested in is similar to this:
[20/Jul/2006:18:01:49 -0500] - CONNECT - INFO - conn=31 client=129.150.64.156:2031 server=0.0.0.0:11389 protocol=LDAP
A similar line can also be found in the connection log if the connection log was explicitly enabled.
Determine who owns the IP address found in the previous step.
With this information, you can establish precisely who was responsible for the operation performed on Directory Server.
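The grep-based procedure above is easy to follow by hand for one operation, but during an incident you typically have to trace many. The following Python is an added example, not part of this guide or of the Oracle product, that automates the same five-step correlation: it takes the Directory Server connection and operation numbers, finds the ephemeral source port of the proxy-to-server connection, matches that port (within a clock-skew window, replacing the "drop the seconds from the grep" trick) to the Created BIND LDAP connection line in the Directory Proxy Server log, follows s_conn to the proxy conn ID, and finally reads the CONNECT line for the real client address. The sample log lines are constructed for the example, modelled on the formats shown in this procedure; the function names and the 60-second skew window are the example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not captured from a real deployment), modelled on the
# Directory Server and Directory Proxy Server access log formats in this procedure.
DS_ACCESS_LOG = """\
[19/Jul/2006:16:32:51 -0500] conn=12839 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 129.153.160.175:57153 to 129.153.160.175
[20/Jul/2006:18:01:49 -0500] conn=12839 op=2 msgId=4 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=organizationalunit)" attrs=ALL
"""

DPS_ACCESS_LOG = """\
[19/Jul/2006:16:32:51 -0500] - SERVER_OP - INFO - Created BIND LDAP connection s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
[20/Jul/2006:18:01:49 -0500] - CONNECT - INFO - conn=31 client=129.150.64.156:2031 server=0.0.0.0:11389 protocol=LDAP
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=0 BIND dn="cn=directory manager" method="SIMPLE" s_msgid=3 s_conn=sunds-d1m1-9389:34
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=1 SEARCH base="dc=example,dc=com" scope=2 s_msgid=4 s_conn=sunds-d1m1-9389:34
[20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=1 SEARCH RESPONSE err=0 msg="" nentries=1 s_conn=sunds-d1m1-9389:34
"""

TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
# The procedure drops the seconds from its grep to absorb small clock differences
# between the two servers; a +/- 60 s window is the equivalent here (example choice).
SKEW = timedelta(seconds=60)


def parse_ts(line):
    """Timestamp at the start of an access log line, as a naive datetime (zone ignored)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def near(a, b):
    return a is not None and b is not None and abs(a - b) <= SKEW


def ds_operation_ts(ds_log, ds_conn, ds_op):
    """Step 1: timestamp of the Directory Server operation being tracked."""
    pat = re.compile(rf"\bconn={ds_conn} op={ds_op}\b")
    for line in ds_log.splitlines():
        if pat.search(line):
            return parse_ts(line)
    return None


def ds_connection_port(ds_log, ds_conn):
    """Step 2: (timestamp, source port) of the 'LDAP connection from' line for ds_conn."""
    pat = re.compile(rf"\bconn={ds_conn}\b.*LDAP connection from \S+:(\d+) to ")
    for line in ds_log.splitlines():
        m = pat.search(line)
        if m:
            return parse_ts(line), int(m.group(1))
    return None


def dps_server_connection(dps_log, port, conn_ts):
    """Step 3: s_conn of the proxy's 'Created BIND LDAP connection' using that port."""
    pat = re.compile(rf"Created BIND LDAP connection s_conn=(\S+) client=\S+:{port}\b")
    for line in dps_log.splitlines():
        m = pat.search(line)
        if m and near(parse_ts(line), conn_ts):
            return m.group(1)
    return None


def dps_conn_id(dps_log, s_conn, op_ts):
    """Step 4: proxy conn ID of an operation on s_conn near the operation's timestamp.
    The \\b before conn= keeps s_conn= from matching."""
    pat = re.compile(rf"\bconn=(\d+) .*s_conn={re.escape(s_conn)}\b")
    for line in dps_log.splitlines():
        m = pat.search(line)
        if m and near(parse_ts(line), op_ts):
            return int(m.group(1))
    return None


def dps_client(dps_log, conn_id, op_ts):
    """Step 5: client=ip:port from the CONNECT line of that proxy connection."""
    pat = re.compile(rf"CONNECT - INFO - conn={conn_id} client=(\S+)")
    for line in dps_log.splitlines():
        m = pat.search(line)
        if m and near(parse_ts(line), op_ts):
            return m.group(1)
    return None


def track_client(ds_log, dps_log, ds_conn, ds_op):
    """Follow one Directory Server operation back to the client that sent it via the proxy."""
    op_ts = ds_operation_ts(ds_log, ds_conn, ds_op)
    found = ds_connection_port(ds_log, ds_conn)
    if op_ts is None or found is None:
        return None
    conn_ts, port = found
    s_conn = dps_server_connection(dps_log, port, conn_ts)
    dps_conn = dps_conn_id(dps_log, s_conn, op_ts) if s_conn else None
    client = dps_client(dps_log, dps_conn, op_ts) if dps_conn is not None else None
    if client is None:
        return None
    return {"port": port, "s_conn": s_conn, "dps_conn": dps_conn, "client": client}


if __name__ == "__main__":
    print(track_client(DS_ACCESS_LOG, DPS_ACCESS_LOG, 12839, 2))
```

For real use, read the current log and any rotated archives together (as the procedure notes, the connection may predate the rotation), and keep the skew window small: the proxy reuses ephemeral ports over time, so a wide window can attach an operation to the wrong client.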