Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28972-01
This chapter describes how to manage Directory Server logs.
If you want information to assist you in defining a logging strategy, use the logging policy information in Designing a Logging Strategy in the Deployment Planning Guide for Oracle Directory Server Enterprise Edition.
For a description of the log files and their contents, see Chapter 10, Directory Server Logging, in the Reference for Oracle Directory Server Enterprise Edition.
This chapter covers the following topics:
The Directory Server Resource Kit provides a log analysis tool, logconv, that enables you to analyze Directory Server access logs. The log analysis tool extracts usage statistics. It also counts the occurrences of significant events. For more information about this tool, see the logconv man page.
You can view the logs directly on the server in the default instance-path/logs file. If you have modified the default path, you can find the log file location using the dsconf command as follows:
$ dsconf get-log-prop -h host -p port log-type path
Alternatively, you can view the log files through Directory Service Control Center (DSCC). DSCC enables you to view and sort the log entries.
You can use the dsadm command to display a specified number of lines of the Directory Server logs, or to display log entries younger than a specified age. This example tails the error log. To tail the access log, use show-access-log instead of show-error-log.
Display error log entries younger than a certain age.
$ dsadm show-error-log -A duration instance-path
You must specify a unit for the duration. For example, to display error log entries younger than 24 hours, type:
$ dsadm show-error-log -A 24h /local/dsInst
Display a specified number of lines from the error log (starting from the end).
$ dsadm show-error-log -L last-lines instance-path
The number of lines is expressed as an integer. For example, to display the last 100 lines, type:
$ dsadm show-error-log -L 100 /local/dsInst
If you do not specify a value, the default number of lines displayed is 20.
Many aspects of the log files can be modified. Some examples include the following:
Enabling the audit log
  Unlike the access log and the errors log, the audit log is not enabled by default. For information, see To Enable the Audit Log.
General settings
  Enabling or disabling logging
  Enabling or disabling log buffering
  Log file location
  Verbose logging
  Log level
Log rotation settings
  Creation of new logs at regular time intervals
  Maximum log file size before a new log file is created
Log deletion settings
  Maximum file age before deletion
  Maximum file size before deletion
  Minimum free disk space before deletion
The following procedures describe how to modify log configuration and how to enable the audit log.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the settings for the log that you want to modify.
$ dsconf get-log-prop -h host -p port log-type
For example, to list the existing error log settings, type:
$ dsconf get-log-prop -h host1 -p 1389 error
Enter "cn=Directory Manager" password:
buffering-enabled         :  off
enabled                   :  on
level                     :  default
max-age                   :  1M
max-disk-space-size       :  100M
max-file-count            :  2
max-size                  :  100M
min-free-disk-space-size  :  5M
path                      :  /tmp/ds1/logs/errors
perm                      :  600
rotation-interval         :  1w
rotation-min-file-size    :  unlimited
rotation-time             :  undefined
verbose-enabled           :  off
Set the new value.
Set the value that you want for the property.
$ dsconf set-log-prop -h host -p port log-type property:value
For example, to set the rotation interval for the error log to two days, use this command:
$ dsconf set-log-prop -h host1 -p 1389 error rotation-interval:2d
Unlike the access log and errors log, the audit log is not enabled by default. Before viewing the audit log, you must enable it.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Enable the audit log.
$ dsconf set-log-prop -h host -p port audit enabled:on
By default, control OIDs are logged in the access log only in the OPERATION category for all operations other than extended, unbind and abandon.
The following is an example of an operation logged in the default mode:
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=4 s_conn=dsource-1:753
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 s_msgid=4 s_conn=dsource-1:753 etime=0
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 etime=2
To enable controls to be logged in all OPERATION and all SERVER_OP entries, both for requests and responses, run the following command:
$ dsconf set-server-prop log-control-oids:everywhere
When this property is set to everywhere, an empty control list means that no control was passed or returned. In the following example a control was sent by the client and forwarded to the backend server. The backend server returned no control, so the list is empty.
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*" s_msgid=5 s_conn=dsource-1:744
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 s_msgid=5 s_conn=dsource-1:744 etime=0
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 etime=1
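The difference between a controls field that is absent (not logged in default mode) and one that is empty (no control passed or returned) matters when reviewing access logs. The following Python parser is an added example, not part of the Oracle guide: it groups the two sample logs on this page by conn/op and reports whether the client's control is visible on the backend request. The function names and the OID separator are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the two examples on this page (default mode, then "everywhere").
DEFAULT_MODE = '''\
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="*" s_msgid=4 s_conn=dsource-1:753
[06/Oct/2011:13:57:39 +0200] - SERVER_OP - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 s_msgid=4 s_conn=dsource-1:753 etime=0
[06/Oct/2011:13:57:39 +0200] - OPERATION - INFO - conn=0 op=0 SEARCH RESPONSE err=0 msg="" nentries=1 etime=2
'''
EVERYWHERE_MODE = '''\
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 msgid=1 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*"
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH base="dc=example,dc=com" scope=2 controls="1.3.6.1.4.1.42.2.27.9.5.8" filter="(uid=scarter)" attrs="*" s_msgid=5 s_conn=dsource-1:744
[06/Oct/2011:13:53:19 +0200] - SERVER_OP - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 s_msgid=5 s_conn=dsource-1:744 etime=0
[06/Oct/2011:13:53:19 +0200] - OPERATION - INFO - conn=3 op=0 SEARCH RESPONSE err=0 controls="" msg="" nentries=1 etime=1
'''
ENTRY = re.compile(r'^\[[^\]]+\] - (OPERATION|SERVER_OP) - \w+ - conn=(\d+) op=(\d+) (.*)$')
CONTROLS = re.compile(r'(?:^| )controls="([^"]*)"')

def parse_controls(log_text):
    """Return {(conn, op): {(category, direction): controls}}. controls is None when the
    field is absent (not logged), [] for an empty control list, else a list of OIDs."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not an OPERATION or SERVER_OP entry
        category, conn, op, rest = m.groups()
        direction = "response" if " RESPONSE " in f" {rest} " else "request"
        c = CONTROLS.search(rest)
        # Assumption: several OIDs in one list are separated by commas or spaces.
        oids = None if c is None else [o for o in re.split(r"[,\s]+", c.group(1)) if o]
        ops[(int(conn), int(op))][(category, direction)] = oids
    return dict(ops)

def forwarding_verdict(entries):
    """Say whether the client's request controls are visible on the backend request."""
    client = entries.get(("OPERATION", "request"))
    backend = entries.get(("SERVER_OP", "request"))
    if not client:
        return "no client controls"
    if backend is None:
        return "unknown: no SERVER_OP controls logged"
    missing = [oid for oid in client if oid not in backend]
    return "forwarded" if not missing else "not forwarded: " + ",".join(missing)
```

On the default-mode sample the verdict is unknown, because SERVER_OP entries carry no controls field; on the everywhere sample it is forwarded, and both responses parse as empty lists.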
If you have a log that is getting very large, you can manually rotate the log at any time. Rotation backs up the existing log file and creates a fresh log file.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Rotate the log file.
$ dsconf rotate-log-now -h host -p port log-type
For example, to rotate the access log:
$ dsconf rotate-log-now -h host1 -p 1389 access