Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition
11g Release 1 (11.1.1.7.0)

Part Number E28972-01

13 Directory Server Logging

This chapter describes how to manage Directory Server logs.

If you want information to assist you in defining a logging strategy, use the logging policy information in Designing a Logging Strategy in the Deployment Planning Guide for Oracle Directory Server Enterprise Edition.

For a description of the log files and their contents, see Chapter 10, Directory Server Logging, in the Reference for Oracle Directory Server Enterprise Edition.

This chapter covers the following topics:

13.1 Log Analysis Tool

The Directory Server Resource Kit provides a log analysis tool, logconv, that enables you to analyze Directory Server access logs. The log analysis tool extracts usage statistics. It also counts the occurrences of significant events. For more information about this tool, see the logconv man page.

13.2 Viewing Directory Server Logs

You can view the logs directly on the server. By default, they are in the instance-path/logs directory. If you have modified the default path, you can find the log file location using the dsconf command as follows:

$ dsconf get-log-prop -h host -p port log-type path

Alternatively, you can view the log files through Directory Service Control Center (DSCC). DSCC enables you to view and sort the log entries.

13.2.1 To Tail Directory Server Logs

You can use the dsadm command to display a specified number of lines of the Directory Server logs, or to display log entries younger than a specified age. This example tails the error log. To tail the access log, use show-access-log instead of show-error-log.

  1. Display error log entries younger than a certain age.

    $ dsadm show-error-log -A duration instance-path
    

    You must specify a unit for the duration. For example, to display error log entries younger than 24 hours, type:

    $ dsadm show-error-log -A 24h /local/dsInst
    
  2. Display a specified number of lines from the error log (starting from the end).

    $ dsadm show-error-log -L last-lines instance-path
    

    The number of lines is expressed as an integer. For example, to display the last 100 lines, type:

    $ dsadm show-error-log -L 100 /local/dsInst
    

    If you do not specify a value, the default number of lines displayed is 20.

13.3 Configuring Logs for Directory Server

Many aspects of the log files can be modified. Some examples include the following:

The following procedures describe how to modify log configuration and how to enable the audit log.

13.3.1 To Modify Log Configuration

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

  1. View the settings for the log that you want to modify.

    $ dsconf get-log-prop -h host -p port log-type
    

    For example, to list the existing error log settings, type:

    $ dsconf get-log-prop -h host1 -p 1389 error
    Enter "cn=Directory Manager" password:
    buffering-enabled         :  off
    enabled                   :  on
    level                     :  default
    max-age                   :  1M
    max-disk-space-size       :  100M
    max-file-count            :  2
    max-size                  :  100M
    min-free-disk-space-size  :  5M
    path                      :  /tmp/ds1/logs/errors
    perm                      :  600
    rotation-interval         :  1w
    rotation-min-file-size    :  unlimited
    rotation-time             :  undefined
    verbose-enabled           :  off
    
  2. Set the new value.

    Set the value that you want for the property.

    $ dsconf set-log-prop -h host -p port log-type property:value
    

    For example, to set the rotation interval for the error log to two days, use this command:

    $ dsconf set-log-prop -h host1 -p 1389 error rotation-interval:2d
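
A check built on this procedure, as an added example that is not part of the Oracle guide: it parses the get-log-prop output shown in step 1, compares it with a baseline, and builds the set-log-prop commands from step 2 that would correct any drift. The baseline values, the function names, and the reading of perm as an octal file mode are assumptions of this example.

```python
import re

# Sample output copied from the dsconf get-log-prop example on this page.
SAMPLE_OUTPUT = """\
Enter "cn=Directory Manager" password:
buffering-enabled         :  off
enabled                   :  on
level                     :  default
max-age                   :  1M
max-disk-space-size       :  100M
max-file-count            :  2
max-size                  :  100M
min-free-disk-space-size  :  5M
path                      :  /tmp/ds1/logs/errors
perm                      :  600
rotation-interval         :  1w
rotation-min-file-size    :  unlimited
rotation-time             :  undefined
verbose-enabled           :  off
"""

# Assumed baseline for illustration; take real values from your logging policy.
BASELINE = {'enabled': 'on', 'perm': '600'}
PROP = re.compile(r'^\s*([a-z][a-z0-9-]*)\s*:\s+(\S.*?)\s*$')

def parse_log_props(text):
    """Parse 'name : value' lines, skipping the password prompt and blanks."""
    matches = (PROP.match(line) for line in text.splitlines())
    return {m[1]: m[2] for m in matches if m}

def drift(props, baseline):
    """Map each out-of-policy property to (current, wanted)."""
    findings = {}
    for name, want in baseline.items():
        have = props.get(name)
        if name == 'perm' and have and re.fullmatch(r'[0-7]{3,4}', have):
            # Assumption: perm is an octal file mode; stricter modes pass.
            ok = (int(have, 8) & ~int(want, 8)) == 0
        else:
            ok = have == want
        if not ok:
            findings[name] = (have, want)
    return findings

def remediation(findings, host, port, log_type):
    """Build set-log-prop commands in the syntax shown in step 2."""
    return [f'dsconf set-log-prop -h {host} -p {port} {log_type} {name}:{want}'
            for name, (_, want) in findings.items()]
```
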
    

13.3.2 To Enable the Audit Log

Unlike the access log and errors log, the audit log is not enabled by default. Before viewing the audit log, you must enable it.

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

Enable the audit log.

$ dsconf set-log-prop -h host -p port audit enabled:on

13.3.3 To Configure Directory Server Control OIDs in the Access Log

By default, control OIDs are logged in the access log only in the OPERATION category for all operations other than extended, unbind and abandon.

The following is an example of an operation logged in the default mode:

[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=4 s_conn=dsource-1:753
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 s_msgid=4 s_conn=dsource-1:753 etime=0
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 etime=2

To enable controls to be logged in all OPERATION and all SERVER_OP entries, both for requests and responses, run the following command:

$ dsconf set-server-prop log-control-oids:everywhere 

When this property is set to everywhere, an empty control list means that no control was passed or returned. In the following example, a control was sent by the client and forwarded to the backend server. The backend server returned no control, so the list is empty.

[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*" s_msgid=5 s_conn=dsource-1:744
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 s_msgid=5 s_conn=dsource-1:744 etime=0
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 etime=1
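
When reading these logs, a missing controls field and an empty one mean different things: in the default mode, absence only shows that the field was not logged on that entry. The following parser is an added example, not part of the Oracle guide; it runs over the eight sample lines above and keeps the three cases apart. The function names, and the assumption that several OIDs are separated by commas or spaces, are this example's own.

```python
import re

# The eight access-log lines shown in this section (conn=0: default mode,
# conn=3: log-control-oids set to everywhere).
SAMPLE = '''\
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=4 s_conn=dsource-1:753
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 s_msgid=4 s_conn=dsource-1:753 etime=0
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 etime=2
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*" s_msgid=5 s_conn=dsource-1:744
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 s_msgid=5 s_conn=dsource-1:744 etime=0
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 etime=1
'''

LINE = re.compile(r'^\[[^\]]+\] - (?P<cat>\w+) - \w+ - '
                  r'conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
CONTROLS = re.compile(r'\bcontrols="([^"]*)"')

def parse_line(line):
    """Return a record for one access-log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rest = m['rest']
    found = CONTROLS.search(rest)
    if found is None:
        controls = None          # field absent: controls were not logged here
    else:
        # Assumption: several OIDs are separated by commas or spaces.
        controls = [oid for oid in re.split(r'[,\s]+', found[1]) if oid]
    return {
        'conn': int(m['conn']), 'op': int(m['op']), 'category': m['cat'],
        # RESPONSE appears before the first quoted value on response lines.
        'response': 'RESPONSE' in rest.split('"', 1)[0].split(),
        'controls': controls,    # [] means logged, and no control was present
    }

def parse_log(text):
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]

def controls_for(records, conn, op=0):
    """Controls seen on each logged line of one operation, in log order."""
    return [r['controls'] for r in records if (r['conn'], r['op']) == (conn, op)]
```
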

13.4 Rotating Directory Server Logs Manually

If you have a log that is getting very large, you can manually rotate the log at any time. Rotation backs up the existing log file and creates a fresh log file.

13.4.1 To Rotate Log Files Manually

You can use the web interface Directory Service Control Center (DSCC) to perform this task.

Rotate the log file.

$ dsconf rotate-log-now -h host -p port log-type

For example, to rotate the access log:

$ dsconf rotate-log-now -h host1 -p 1389 access