Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun ONE Directory Server Resource Kit 5.2 Tools Reference 

Chapter 24
The Log Analyzer Tool

The tool analyzes the access logs of Sun™ ONE Directory Server. It extracts usage statistics and counts the occurrences of significant events. This chapter provides instructions on how to use It contains the following sections:

Overview is a Perl script that analyzes the access logs of Sun ONE Directory Server in order to extract usage statistics and count the occurrences of significant events. It is compatible with log formats from Directory Server 3.x, 4.x, and 5.x.


Some information extracted by the script is available only in Sun ONE Directory Server 5.x logs thus, the corresponding values will be zero when analyzing logs from other versions. In addition, some information will only be present in the logs if verbose logging is enabled in your directory server. For more information, see “nsslapd-accesslog-level” in Chapter 4 of the Sun ONE Directory Server Reference Manual.

The DSRK includes the tool in the DSRK_base/perl directory.


This script requires Perl version 5.005_03 or later. See Third-Party Sources of Information for links to Perl resources.

Statistics for Display

The tool displays three types of statistics that administrators will find useful for monitoring and optimizing directory usage. They are:

Tool Performance

The following issues will affect the output and performance of this tool:

Customizing the Script

If you customize the script for added functionality, we encourage you to share your work with other LDAP users. Please post a message to the iplanet.server.idsrk public newsgroup with your ideas or your code.

Command Usage analyzes access logs by extracting usage statistics and counting the occurrences of significant events. The tool will extract the following information from access logs:


The syntax of on the command-line takes the following form: [options] [-efcibaltnxgju | -E errorCode ] accessLog ...



The command-line options are described in Table 24-1. Regardless of the order of options on the command-line, the lists will appear in the output in the order they are listed in this table. Use the -V option to display all optional output. Also, use the -s number option to control the length of these lists. The -h command will display the usage help text that briefly describes all options.


The parameters without a preceding dash (-) at the end of the table will enable the optional lists of occurrences. Specify only those you need to limit the output and improve execution speed. You may specify any number of these parameters in any order, but they must all be given together as a single option on the command-line, for example: -abcefg.

Table 24-1  Command-Line Options for 






Specify the DN (distinguished name) of the directory manager in the logs being analyzed. This allows the tool to collect statistics for this special user. The mgrDN parameter should be given in double quotes ("") for the shell. When this parameter is omitted, will use the default manager DN of Sun ONE Directory Server: "cn=directory manager".



Enable DNS lookup on IP addresses found in the log file so that machine names appear in the output instead.



Specify the IP address of a client to exclude from the statistics. This client will not appear in lists of IP addresses (the i flag), and the connection codes it generates will not be tallied in the total connections (default statistic) nor in the connection code details (the c flag). For example, you may wish to ignore the effect of a load balancer that connects to the directory server a regular intervals. This option may be repeated to exclude multiple IP addresses.



Display the version number of the script.



Display the usage help text that briefly describes all options.



Display only the information about the given, numeric error code. When using this option, the tool will not display the summary of all log information, it will only give the count and the list of the given error’s occurrences. This option is incompatible with all of the following options.



Enable the most verbose output. With this option, will compute and display all of the optional lists described below.



Specify the number of items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the server most often. This parameter applies to all lists that are enabled.



List the most frequent error and return codes.



List the bind DNs with the most failed logins (invalid password).



List the number of occurrences for each type of connection code.



List the IP addresses and connection codes of the clients with the most connections. This option helps to detect clients that may be trying to compromise security.



List the most frequently used bind DNs.



List the most frequent base DNs when performing operations.



List the most frequently used filter strings for searches.



List the longest and most frequent etimes (elapsed operation time).



List the largest and most frequent nentries (entries per result).



List the number and OID of all extended operations (DS 5.x only).



List the names of the most requested attributes (DS 5.x only).



List the details of all abandoned operations.



Give recommendations based on data collected from the log file.



Give operation details about unindexed searches.

Command-Line Examples

Following are two examples showing how the tool can be used.

Error Code Listing

The following command shows how to track error code listings. It defines error code 49 as the one to track.

$ perl -N -E 49 logs/access

Code Example 24-1 shows the output of the specific error code (-E 49), corresponding to a failed login with a bad password. The listing contains machine names (-N) instead of IP addresses to make it more readable. The number in the first column is the number of repeated occurrences of the same error message.

Code Example 24-1  Error Code Listing Sample Output

Error (49) Count: 5

Parsing & Sorting...

Number  Operation  Client                  Object


3          BIND    (        cn=Directory Manager

1          BIND    (localhost)             cn=Directory Manager

1          BIND    (        uid=bjensen

Verbose Output

The following command shows how to record a verbose output. The tool will read all access logs in the logs directory (ignoring access.rotationinfo files). After processing the log files, it displays all access statistics and event counters and shows the lists of most frequent connection and operation values, with the top 10 in each category (-s 10). It ends with a set of general recommendations triggered by certain values or events.


There are many possible recommendations depending on the statistics and occurrences of certain events. The recommendations are based on general administration guidelines and should be adapted to fit the actual usage of your directory server.

$ perl -V -s 10 \

Code Example 24-2  Sample Verbose Output for 

verbose output enabled

Log Analyzer 4.11

Initializing Variables...

Processing 3 Access Log(s)...

access (Total Lines: 5870)

        1000 Lines Processed

        2000 Lines Processed

        3000 Lines Processed

        4000 Lines Processed

        5000 Lines Processed

*       5870 Lines Processed      Total Lines Processed:  5870

access.20010713-130613 (Total Lines: 7912)

        1000 Lines Processed

        2000 Lines Processed

        3000 Lines Processed

        4000 Lines Processed

        5000 Lines Processed

        6000 Lines Processed

        7000 Lines Processed

*       7912 Lines Processed      Total Lines Processed: 13782

access.20010714-150617 (Total Lines: 6338)

        1000 Lines Processed

        2000 Lines Processed

        3000 Lines Processed

        4000 Lines Processed

        5000 Lines Processed

        6000 Lines Processed

*       6338 Lines Processed      Total Lines Processed: 20120

* Total Lines Analyzed: 20120

----------- Access Log Output ------------

Start of Log:  18/Jul/2001:13:08:18

End of Log:    18/Jul/2001:17:05:07

Restarts: 1

Total Connections: 4002

Total Operations: 14818

Total Results: 14908

Overall Performance: 100.6%

Searches: 4354

Modifications: 27

Adds: 26

Deletes: 30

Mod RDNs: 0

5.x Stats

Persistent Searches: 1

Internal Operations: 0

Entry Operations: 0

Extended Operations: 6935

Abandoned Requests: 29

Smart Referrals Received: 0

VLV Operations: 49

VLV Unindexed Searches: 49

SORT Operations: 44

SSL Connections: 0

Entire Search Base Queries: 3912

Unindexed Searches: 1

  Unindexed Search #1

  - Date/Time: 18/Jul/2001:13:33:19

  - Connection Number: 2926

  - Operation Number: 1

  - Etime: 0

  - Nentries: 4001

  - IP Address:

  - Bind DN: cn=directory manager

  - Search Filter: (objectclass=*)

FDs Taken: 3448

FDs Returned: 3446

Highest FD Taken: 89

Broken Pipes: 0

Connections Reset By Peer: 0

Resource Unavailable: 1

  - 1 (T1) Idle Timeout Exceeded

Binds: 3446

Unbinds: 3438

 LDAP v2 Binds: 1

 LDAP v3 Binds: 3445

 Expired Password Logins:     0

 SSL Client Binds: 0

 Failed SSL Client Binds: 0

 SASL Binds: 1


 Directory Manager Binds: 16

 Anonymous Binds: 1

 Other Binds: 3429

----- Errors -----

err=0 14737 Successful Operations

err=32 75 No Such Object

err=12 62 Unavailable Critical Extension

err=10 3 Referral Received

err=49 1 Invalid Credentials (Bad Password)

err=65 1 Objectclass Violation

----- Top 10 Failed Logins ------

1 uid=rmanager,cn=config

----- Total Connection Codes -----

U1 3437 Cleanly Closed Connections

B1 8 Bad Ber Tag Encountered

T1 1 Idle Timeout Exceeded

----- Top 10 Clients -----

Number of Clients: 2

3440 123.456.789.001

                  3429 - U1 Cleanly Closed Connections

                     8 - B1 Bad Ber Tag Encountered

                     1 - T1 Idle Timeout Exceeded


                     8 - U1 Cleanly Closed Connections

----- Top 10 Bind DN’s -----

Number of Unique Bind DN’s: 8

3422 uid=rmanager,cn=config

14 cn=dm

5 uid=aa,cn=config

1 Anonymous Binds

1 uid=rmanager

1 cn=dma,cn=config

1 dc=dm

1 cn=dma

----- Top 10 Search Bases -----

Number of Unique Search Bases: 73

3519            root dse

256             ou=people,dc=example,dc=com

82              cn=ldbm database, cn=plugins, cn=config

57              cn=monitor

51              dc=example,dc=com

48              cn=config

30              cn=mapping tree,cn=config

28              cn=Babs Jensen,ou=peopled,c=example,dc=com

22              cn=plugins,cn=config

20              cn=features,cn=config

----- Top 10 Search Filters -----

Number of Unique Search Filters: 31

3502 (objectclass=*)

408 (|(objectclass=*)(objectclass=ldapsubentry))

119 (uid=*)

88 (objectclass=nsbackendinstance)

6 (nsslapd-backend=userroot)

6 (nsslapd-plugintype=database)

4 (uid=bjensen)

4 (objectclass=subschema)

4 (objectclass=nsindex)

3 (cn=config)

----- Top 10 Most Frequent etimes -----

14634 etime=0

229 etime=1

9 etime=2

3 etime=7

1 etime=8

1 etime=3

1 etime=4

1 etime=5

----- Top 10 Longest etimes -----

etime=8 1

etime=7 3

etime=5 1

etime=4 1

etime=3 1

etime=2 9

etime=1 229

etime=0 14634

----- Top 10 Largest nentries -----

nentries=25 5

nentries=11 2

nentries=10 2

nentries=9 2

nentries=8 1

nentries=5 1

nentries=4 16

nentries=3 62

nentries=2 37

nentries=1 3986

nentries=0 239

----- Top 10 Most returned nentries -----

3986 nentries=1

239 nentries=0

62 nentries=3

37 nentries=2

16 nentries=4

5 nentries=25

2 nentries=10

2 nentries=11

2 nentries=9

1 nentries=5

----- 5.x Extended Operations -----

3454    2.16.840.1.113730.3.5.3    Start Replication Request

                                     (incremental update)

3438    2.16.840.1.113730.3.5.5    End Replication Request

                                   (incremental update)

43      2.16.840.1.113730.3.5.6    Replication Entry Request

----- Top 10 Most Requested Attributes -----

3420 supportedControl

3420 supportedExtension

360 All Attributes

341 numSubordinates

328 objectClass

315 nsAccountLock

144 nsBackendSuffix

104 nsslapd-suffix

36 dn

32 cn

----- Abandon Request Stats -----

 - SRCH conn=2 op=10 msgid=1092 client=

 - BIND conn=2 op=0 msgid=1119 client=

----- Recommendations -----

 1. You have unindexed searches, this can be caused from a search on a unindexed attribute, or your returned results exceeded the allidsthreshold. Unindexed searches are not acceptable, please make any configuration changes necessary to resolve these searches!

 2. You have some connections that are are being closed by the idletimeout setting. You may want to increase the idletimeout if it is set low.

 3. You have a high number of searches that query the entire search base. Although this is not necessarily bad, it could be resource intensive if the search base contains many entries.

Previous      Contents      Index      Next     

Copyright 2004 Sun Microsystems, Inc. All rights reserved.