Sun Java(TM) System Directory Server 5.2 2005Q1 Administration Guide
Chapter 13
Monitoring Directory Server Using Log Files
This chapter describes how to monitor Directory Server by configuring a logging policy and analyzing the status information maintained by the server.
Directory Server provides three types of logs: the access log, the errors log, and the audit log.
The status information in the server includes statistics about connections and cache activity. This information is available through Directory Server Console and in monitoring entries available through the LDAP command-line tools. For information on using SNMP to monitor your server, see Chapter 14, "Monitoring Directory Server Using SNMP."
Defining Log File Policies
The following sections describe how to define log file creation and deletion policies.
Defining a Log File Rotation Policy
If you want the directory to periodically archive the current log and start a new one, you can define a log file rotation policy from Directory Server Console. You can configure the following parameters:
- The total number of logs you want the directory to keep. When the directory reaches this number of logs, it deletes the oldest log file in the folder before creating a new log. The default is 10 logs. Do not set this value to 1. If you do, the directory will not rotate the log and the log will grow indefinitely.
- The maximum size (in MB) for each log file. If you do not want to set a maximum size, type -1 in this field. The default is 100 MB. Once a log file reaches this maximum size (or the maximum age defined in the next step), the directory archives the file and starts a new one. If you set the maximum number of logs to 1, the directory ignores this attribute.
- How often the directory archives the current log file and creates a new one by entering a number of minutes, hours, days, weeks, or months. The default is every day. If you set the maximum number of logs to 1, the directory ignores this attribute.
Defining a Log File Deletion Policy
If you want the directory to automatically delete old archived logs, you can define a log file deletion policy from Directory Server Console. The log deletion policy only makes sense if you have previously defined a log file rotation policy. Log file deletion will not work if you have just one log file.
The server evaluates and applies the log file deletion policy at the time of log rotation.
You can configure the following parameters:
- The maximum size of the combined archived logs. When the maximum size is reached, the oldest archived log is automatically deleted. If you do not want to set a maximum size, type -1 in this field. The default is 500 MB. This parameter is ignored if the number of log files is set to 1.
- The minimum amount of free disk space. When the free disk space reaches this minimum value, the oldest archived log is automatically deleted. The default is 5 MB. This parameter is ignored if the number of log files is set to 1.
- The maximum age of log files. When a log file reaches this maximum age, it is automatically deleted. The default is 1 month. This parameter is ignored if the number of log files is set to 1.
Manual Log File Rotation
You can manually rotate log files if you have not set automatic log file creation or deletion policies. By default, access, errors, and audit log files can be found in the following directory:
ServerRoot/slapd-serverID/logs
To manually rotate log files:
- Shut down the server. See Starting and Stopping Directory Server for instructions.
- Move or rename the log file you are rotating in case you need the old log file for future reference.
- Restart the server. See Starting and Stopping Directory Server for instructions.
The server automatically creates new files according to each log configuration.
Access Log
The access log contains detailed information about client connections to the directory. The Directory Server Resource Kit provides a log analyzer tool, logconv.pl, that enables you to analyze Directory Server access logs. The log analyzer tool extracts usage statistics and counts the occurrences of significant events. For more information about this tool, refer to the Directory Server Resource Kit Tools Reference.
Viewing the Access Log
- On the top-level Status tab of Directory Server Console, select the Logs icon, and then select the Access Log tab in the right-hand panel.
- This tab displays a table containing the latest entries in the selected access log, as shown in the following figure. For an explanation of the access messages, see the Directory Server Administration Reference.
Figure 13-1 Viewing Log Contents
- To refresh the current display, click Refresh. Select the Continuous checkbox if you want the display to refresh automatically every ten seconds.
- To view a different access log file, select it from the Select Log drop-down menu.
- To display a different number of messages, enter the number you want to view in the "Lines to show" text box and then click Refresh.
- To filter the log messages you can enter a string in the "Show only lines containing" text box and then click Refresh. You can also select the Do Not Show Console Logs checkbox, to filter out any message that originated from the console's connections to the server.
- To modify the columns of the table of log entries, click View Options. Use the controls of the View Options dialog to change the order of the columns, add or remove columns, and choose a column on which to sort the table.
Configuring the Access Log
You can configure a number of settings to customize the access log, including where the directory stores the access log and the creation and deletion policies.
You can also disable access logging for the directory. You may do this because the access log can grow very quickly (every 2,000 accesses to your directory will increase your access log by approximately 1 MB). However, before you turn off access logging, consider that the access log provides beneficial troubleshooting information.
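The growth figure above, combined with the rotation and deletion parameters described in Defining Log File Policies, determines how many days of access log history remain on disk for troubleshooting or investigation. The following Python example is an addition to this guide, not part of the product: it estimates that retention and names the parameter that bounds it. It assumes a constant access rate, a 30-day month, and that the maximum number of logs counts the active log; it does not model the free-disk threshold, and the function name retention is hypothetical.

```python
"""Estimate the access log history kept by a rotation and deletion policy.
Added example: the model and all names are assumptions, not product code."""

ACCESSES_PER_MB = 2000  # approximate growth figure quoted in this chapter


def retention(accesses_per_day, max_logs=10, max_size_mb=100, rotation_days=1,
              max_combined_mb=500, max_age_days=30):
    """Return (days_of_archived_history, limiting_parameter).

    Defaults are the chapter's defaults (1 month approximated as 30 days).
    A value of -1 for max_size_mb or max_combined_mb means no limit.
    Assumes a constant access rate; the free-disk threshold is not modelled.
    """
    if accesses_per_day <= 0:
        raise ValueError("accesses_per_day must be positive")
    if max_logs == 1:
        # With a single log the server never rotates, so nothing is deleted.
        return float("inf"), "no rotation"
    mb_per_day = accesses_per_day / ACCESSES_PER_MB
    # A file is archived at the size limit or the archive period,
    # whichever is reached first.
    file_mb = rotation_days * mb_per_day
    if max_size_mb != -1:
        file_mb = min(file_mb, max_size_mb)
    span_days = file_mb / mb_per_day  # history covered by one archived file
    limits = {
        # Assumption: the log count includes the active log.
        "maximum number of logs": (max_logs - 1) * span_days,
        "maximum age": max_age_days,
    }
    if max_combined_mb != -1:
        limits["maximum combined size"] = (max_combined_mb // file_mb) * span_days
    name = min(limits, key=limits.get)
    return limits[name], name


if __name__ == "__main__":
    for rate in (20_000, 1_000_000):  # constructed daily access counts
        days, limit = retention(rate)
        print(f"{rate:>9} accesses/day: about {days:.1f} days, bounded by {limit}")
```

Under this model and the default settings, a server handling 1,000,000 accesses a day keeps about one day of archived access log (bounded by the combined size), while at 20,000 accesses a day it keeps about nine days (bounded by the number of logs).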
To configure the access log:
- On the top-level Configuration tab of Directory Server Console, select the Logs icon, and then select the Access Log tab in the right-hand panel.
This tab contains configuration settings for the access log, as shown in Figure 13-2:
Figure 13-2 Configuration Panel for Log File Rotation and Deletion
- To enable access logging, select the Enable Logging checkbox.
Clear this checkbox if you do not want the directory to maintain an access log.
Access logging is enabled by default.
- In the Log File field, enter the full path and filename you want the directory to use for the access log. The default file is:
ServerRoot/slapd-serverID/logs/access
- Set the maximum number of logs, log size, and archive period.
For information on these parameters, see Defining a Log File Rotation Policy.
- Set the maximum size of combined archived logs, minimum amount of free disk space, and maximum age for a log file.
For information on these parameters, see Defining a Log File Deletion Policy.
- When you have finished making changes, click Save.
Errors Log
The errors log contains detailed messages of errors and events the directory experiences during normal operation.
Viewing the Errors Log
- On the top-level Status tab of Directory Server Console, select the Logs icon, and then select the Errors Log tab in the right-hand panel.
This tab displays a table containing the latest entries in the selected errors log, such as the one shown in Figure 13-1. For an explanation of error messages, see the Directory Server Administration Reference.
- To refresh the current display, click Refresh. Select the Continuous checkbox to refresh the display automatically every ten seconds.
- To view an archived errors log, select it from the Select Log pull-down menu.
- To specify a different number of messages, enter the number you want to view in the "Lines to show" text box and click Refresh.
- To filter the log messages you can enter a string in the "Show only lines containing" text box and then click Refresh. You can also select the Do Not Show Console Logs checkbox, to filter out any error message that originated from the console's connections to the server.
- To modify the columns of the table of log entries, click View Options. Use the controls of the View Options dialog to change the order of the columns, add or remove columns, and choose a column on which to sort the table.
Configuring the Errors Log
You can change several settings for the errors log, including where the directory stores the log and what you want the directory to include in the log.
To configure the errors log:
- On the top-level Configuration tab of Directory Server Console, select the Logs icon, and then select the Errors Log tab in the right-hand panel.
This tab contains configuration settings for the errors log, such as those shown in Figure 13-2.
- To enable error logging, select the Enable Logging checkbox.
Clear this checkbox if you do not want the directory to maintain an errors log. Error logging is enabled by default.
- To set the level of detail in the errors log, click the Log Level button to display the Errors Log Level dialog. Select one or more internal product components for which you want more error and debugging information. Optionally, select the Verbose checkbox to return the maximum amount of runtime output, including trivial messages.
Changing these values from the defaults may cause your errors log to grow very rapidly, so you must plan to have plenty of disk space. It is recommended that you do not change your logging level unless you are asked to do so by Sun Java System Customer Support.
- In the Log File field, enter the full path and filename you want the directory to use for the errors log. The default file is:
ServerRoot/slapd-serverID/logs/error
- Set the maximum number of logs, log size, and archiving period.
For information on these parameters, see Defining a Log File Rotation Policy.
- Set the maximum size of combined archived logs, minimum amount of free disk space, and maximum age for a log file.
For information on these parameters, see Defining a Log File Deletion Policy.
- When you have finished making changes, click Save.
Audit Log
The audit log contains detailed information about changes made to each suffix as well as to server configuration. Unlike the access log and errors log, the audit log is not enabled by default. Before viewing the log, you must enable it.
Configuring the Audit Log
You can use Directory Server Console to enable and disable audit logging and to specify where the audit log file is stored.
To configure the audit log:
- On the top-level Configuration tab of Directory Server Console, select the Logs icon, and then select the Audit Log tab in the right-hand panel.
This tab contains configuration settings for the audit log, such as those shown in Figure 13-2.
- To enable audit logging, select the Enable Logging checkbox.
To disable audit logging, clear the checkbox. By default, audit logging is disabled.
- In the Log File field, enter the full path and filename you want the directory to use for the audit log. The default file is:
ServerRoot/slapd-serverID/logs/audit
- Set the maximum number of logs, log size, and archiving period.
For information on these parameters, see Defining a Log File Rotation Policy.
- Set the maximum size of combined archived logs, minimum amount of free disk space, and maximum age for a log file.
For information on these parameters, see Defining a Log File Deletion Policy.
- When you have finished making changes, click Save.
Viewing the Audit Log
- On the top-level Status tab of Directory Server Console, select the Logs icon, and then select the Audit Log tab in the right-hand panel.
This tab displays a table containing the latest entries in the selected audit log, such as the one shown in Figure 13-1.
- To refresh the current display, click Refresh. Select the Continuous checkbox to refresh the display automatically every ten seconds.
- To view an archived audit log, select it from the Select Log pull-down menu.
- To display a different number of messages, enter the number you want to view in the "Lines to show" text box and click Refresh.
- To filter the log messages you can enter a string in the "Show only lines containing" text box and then click Refresh.
Monitoring Server Activity
The server always maintains counters and statistics about its activity, for example the number of connections, operations, and cache activity for all suffixes. This information can help you troubleshoot any errors and observe the performance of your server. You can monitor Directory Server's current activities from Directory Server Console or from the command line.
Many of the parameters that can be monitored reflect Directory Server performance and may be influenced by configuration and tuning. For more information about the configurable attributes and how to tune them, see the Directory Server Performance Tuning Guide.
Monitoring Your Server Using the Console
- On the top-level Status tab of Directory Server Console, select the server icon at the root of the status tree.
The right-hand panel displays current information about server activity. If the server is currently not running, this tab will not provide performance monitoring information.
- Click Refresh to refresh the current display. If you want the server to continuously update the displayed information, select the Continuous checkbox.
This server status panel shows:
- The date and time the server was started.
- The current date and time on the server. When replication is enabled, you should periodically check that the dates on each server do not begin to diverge.
- The Resource Summary Table. For each of the following resources, the table lists the total number since startup and the average per minute since startup.
- The Current Resource Usage Table. This table shows the following resources that were in use when the panel was last refreshed.
- The Connection Status Table. This table shows the following information about each currently open connection.
- Click on the Suffixes node in the left-hand status tree. This panel displays monitoring information about the entry cache and index usage in the database cache of each suffix, as shown in the following figure.
Figure 13-3 Suffix Monitoring Panel
Set the refresh mode if desired. Click on Display Suffixes at the bottom of the panel to select which suffixes will be listed in the tables.
- The first table shows the following information about each entry cache.
The following tables show access to the database cache of each suffix.
- The first table shows the access to the database cache through the configured indexes. From the list of attribute names, select the one for which you wish to see index statistics. The table will show data only for suffixes in which the chosen attribute is indexed.
- The Entry Access table shows access to the database caches to retrieve entries.
- The Totals in the last table show all combined access to all database caches.
All three tables have the following columns:
- Below the tables, the following page evicts are cumulative for all database caches. Pages discarded from the cache have to be written to disk, possibly affecting server performance. The lower the number of page evicts, the better:
- Read-write page evicts - Indicates the number of read-write pages discarded from the cache to make room for new pages. This value differs from Pages Written Out in that these are discarded read-write pages that have not been modified.
- Read-only page evicts - Indicates the number of read-only pages discarded from the caches to make room for new pages.
- If applicable, click on the Chained Suffixes node in the left-hand status tree. This panel displays information about access to the chained suffixes configured in your directory. Set the refresh mode if desired.
Select the DN of a chained suffix in the list to view its statistics. The table to the right lists the count of all different operations performed on the chained suffix.
Monitoring Your Server From the Command Line
You can monitor Directory Server's current activities from any LDAP client by performing a search operation on the following entries:
where dbName is the database name of the suffix that you want to monitor. Note that except for information about each connection, by default, the cn=monitor entry is readable by anyone, including clients bound anonymously.
The following example shows how to view the general server statistics:
ldapsearch -h host -p port -D "cn=Directory Manager" -w password \
-s base -b "cn=monitor" "(objectclass=*)"
For the description of all monitoring attributes available in these entries, see the Directory Server Administration Reference.
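The cn=monitor search shown above can also be used to automate the clock check recommended for replicated servers earlier in this chapter. The following Python example is an addition to this guide, not part of the product: it parses saved search output from each server and reports the servers whose currenttime value differs from the collecting host's clock by more than a tolerance. The host names and entries are constructed samples, the helper names are hypothetical, and the collecting host's clock is assumed to be correct.

```python
"""Check server clocks for divergence using saved cn=monitor search output.
Added example: sample entries are constructed, helper names are assumptions."""
from datetime import datetime, timezone


def parse_entry(ldif_text):
    """Parse the 'attr: value' lines of one entry into {attr: [values]}."""
    entry = {}
    for line in ldif_text.splitlines():
        # Skip blank lines, comments, and LDIF continuation lines.
        if not line.strip() or line[0] in "# ":
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):  # no attribute, or base64 value
            continue
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def server_clock(ldif_text):
    """Return currenttime (generalized time in UTC) as an aware datetime."""
    raw = parse_entry(ldif_text)["currenttime"][0]
    return datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def diverging_servers(samples, tolerance_s=5):
    """samples maps host -> (collector time at query, search output).

    Returns {host: offset_seconds} for each server whose clock differs from
    the collector's clock (assumed correct) by more than tolerance_s.
    """
    offsets = {host: (server_clock(text) - asked).total_seconds()
               for host, (asked, text) in samples.items()}
    return {host: off for host, off in offsets.items() if abs(off) > tolerance_s}


# Constructed sample output for two replicas (not captured from real servers).
UTC = timezone.utc
SAMPLES = {
    "ds1.example.com": (datetime(2005, 4, 21, 18, 39, 51, tzinfo=UTC),
                        "dn: cn=monitor\ncurrenttime: 20050421183952Z\n"
                        "starttime: 20050401060000Z\n"),
    "ds2.example.com": (datetime(2005, 4, 21, 18, 39, 53, tzinfo=UTC),
                        "dn: cn=monitor\ncurrenttime: 20050421184310Z\n"
                        "starttime: 20050401060500Z\n"),
}

if __name__ == "__main__":
    for host, offset in diverging_servers(SAMPLES).items():
        print(f"{host}: clock differs from collector by {offset:+.0f} s")
```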