For information about the types of logs used in Directory Server and for a description of the server logs, see the following sections:
The following table summarizes the different logs used by the Directory Server.
Table 10–1 Logs Used by Directory Server| Log | Type | Description | 
|---|---|---|
| Transaction log | Database | Ensuring data integrity by committing each update operation to the transaction log on disk before the result code for the update operation is returned to the client application. When Directory Server accepts an update operation, it writes a log message about the operation to the transaction log. If the system crashes, Directory Server uses the transaction log to recover the database. | 
| Access log | Flat file | Evaluating directory use patterns, verifying configuration settings, diagnosing access problems. For information about access logs, see Access Logs. | 
| Error log | Flat file | Debugging directory deployments. For information about error logs, see Error Logs. | 
| Audit log | Flat file | Providing audit trails for security and data integrity. For information about audit logs, see Audit Logs. | 
The following server properties configure the transaction log.
How often Directory Server checkpoints the transaction log, ensures the entire database system is synchronized to disk, and cleans up transaction logs
Whether update operations are committed to the transaction log on disk before result codes are sent to clients
The buffer size for log information stored in memory until the buffer fills or the transaction commit forces the buffer to be written to disk
The path of the transaction log
How many updates are accumulated before being committed to the directory database
See server(5dsconf) for details.
Access logs, error logs and audit logs are flat files that contain information about operations. For information about how to view and configure logs, see Chapter 14, Directory Server Logging, in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
By default, the logs are stored in the directory instance-path/logs/.
Log files can be rotated on demand, or can be scheduled to be rotated on a specific day-of-the week and time of day, or when the log file exceeds a specified minimum size.
Old log files are stored in the same path with the same name and an extension that contains the date that the file was created, in the format filename.YYYYMMDD-hhmmss. The server also maintains a file with the same name and the .rotationinfo extension to record the creation dates of all log files.
For information about access logs, error logs and audit logs, see the following sections:
Access logs contain information about connections between an LDAP client and a directory server. A connection is a sequence of requests from the same client, and can contain the following components:
Connection index and the IP address of the client
Bind record
Bind result record
Sequence of operation request/result pairs, or individual records in the case of connection, closed, and abandon records
Unbind record
Closed record
Error logs contain a unique identifier of the error, warning or information message, and a human readable message. Errors are defined according to the following severity.
The error is severe. Immediate action should be taken to avoid the loss or corruption of directory data.
The error is important. Action should be taken at some stage to prevent a severe error occurring in the future.
An informative message, usually describing server activity. No action is necessary.
Audit logs contain records of all modifications to configuration or suffix entries. The modifications are written in LDIF format.
Audit logging is not enabled by default. To enable audit logging, use the procedure To Enable the Audit Log in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
The remainder of this chapter describes each of the parts of the log files.
Each line of an access log file begins with a timestamp of this format:[20/Dec/2006:11:39:51 -0700]. The time stamp, -0700 indicates the time difference in relation to GMT.
The format of the time stamp can vary according to your platform. The connection, closed, and abandon records appear individually. All other records appear in pairs, consisting of a request for service record followed by a result record. The record pairs usually, but not exclusively, appear on adjacent lines.
The connection number is represented by conn=value. Every external request is listed with an incremental connection number.
When conn=Internal the operation is an internal operation. To log internal access operations, specify an access logging level of acc-internal in the dsconf configuration attribute.
The file descriptor is represented by fd=value.
Every connection from an external LDAP client to a directory server requires a file descriptor from the operating system. The file descriptor is taken from a pool of available file descriptors.
The slot number has the same meaning as file descriptor. Slot number is a legacy section of the access log and can be ignored.
The operation number is represented by op=value.
For a connection, all operation request and result pairs are given incremental operation numbers beginning with op=0. The operation number identifies the operation being performed.
When op=-1, the LDAP request for the connection was not issued by an external LDAP client, but was initiated internally.
The method type is represented by method=value.
The method type indicates which bind method was used by the client. The method type can have one of the following values.
No authentication
Simple bind with user password
SASL bind using external authentication mechanism
The LDAP version can be LDAPv2 or LDAPv3. The LDAP version gives the LDAP version number that the LDAP client used to communicate with the LDAP server.
The error number is represented by err=number.
The error number provides the LDAP result code returned from the LDAP operation. The LDAP error number 0 means that the operation was successful. For a list of LDAP result codes refer to Result Codes in Log Files.
The tag number is represented by tag=value.
The tags are used internally for message decoding and are not intended for use outside. The following tags are used most often.
A client bind operation
The entry for which you were searching
The result from a search operation
The result from a modify operation
The result from an add operation
The result from a delete operation
The result from a modify DN operation
The result from a compare operation
A search reference when the entry you perform your search on holds a referral to the entry you require. Search references are expressed in terms of a referral.
A result from an extended operation
The number of entries is represented by nentries=value.
The number of entries indicates the number of entries that matched an LDAP search request.
The elapsed time is represented by etime=value.
Elapsed time indicates the time that it took to perform the LDAP operation. An etime value of 0 means that the operation took milliseconds to perform.
To log the time in microseconds, specify an access logging level of acc-timing in the dsconf configuration attribute.
The LDAP request type indicates the type of LDAP request made by the client. The following types of LDAP requests can be made:
Search
Modify
Delete
Add
Modify DN
Extended operation
Abandon operation
Compare operation
The LDAP response type indicates the LDAP response being returned by the server. The following LDAP responses can be returned:
Result
Entry
Referral or search reference
The unindexed search indicator is represented by notes=U.
In an unindexed search, the database is searched instead of the index file. Unindexed searches occur for the following reasons:
The all IDs threshold was reached in the index file used for the search
An index file does not exist
The index file is not configured in the way required by the search
An unindexed search indicator is often accompanied by a large etime value because unindexed searches are usually more time consuming than indexed searches.
An extended operation OID is represented by EXT oid="OID number". See extended-operations(5dsconf) for a list of supported extended operations.
The replication change sequence number is represented in log files by csn=value.
The presence of a change sequence number indicates that replication is enabled for this naming context.
The abandon message is represented by ABANDON.
The presence of the abandon message indicates that an operation has been aborted. If the message ID succeeds in locating the operation that has been aborted, the log message reads as follows:
conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
However, if the message ID does not succeed in locating the operation, or if the operation had already finished prior to the ABANDON request being sent, then the log message reads as follows:
conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
The abandon message uses the following parameters:
Gives the number of entries sent before the operation was aborted
Gives the number of seconds that elapsed before the operation was aborted
Identifies the operation to be aborted. If the value is NOTFOUND, the operation to be aborted was either an unknown operation or already complete
The message ID is represented by msgId=value.
The message ID is the LDAP operation identifier generated by the client. The message ID can have a different value to the operation number, but identifies the same operation. The message ID in an ABANDON operation specifies which client operation is being abandoned.
The operation number starts counting at 0. However, in many client implementations the message ID number starts counting at 1. This explains why the message ID is frequently equal to the operation number plus 1.
Directory Server logs each stage in the multi stage bind process and, where appropriate, the progress statement SASL bind in progress is included.
The DN used for access control decisions is logged in the BIND result line and not in the bind request line.
conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=myname,dc=example,dc=com"
For SASL binds, the DN value displayed in the BIND request line is not used by the server and is, therefore, not relevant. However, for SASL binds, the authenticated DN must be used for audit purposes. Therefore, the authenticated DN must be clearly logged. Having the authenticated DN logged in the BIND result line avoids any confusion as to which DN is which.
The options description, options=persistent, indicates that a persistent search is being performed. Persistent searches can be used as a form of monitoring and can be configured to return changes to given configurations. The access log distinguishes between persistent and regular searches.
A connection code is included in the closing message of a log file. The connection code provides additional information about why the connection was closed. The following table describes the common connection codes.
Table 10–2 Summary of Connection Codes
The following tables summarizes the LDAP result codes generated by an LDAP server and an LDAP client.
Table 10–3 Summary of Result Codes for LDAP Servers| Result Code | Description | 
|---|---|
| 0 | Success | 
| 1 | Operations error | 
| 2 | Protocol error | 
| 3 | Time limit exceeded | 
| 4 | Size limit exceeded | 
| 5 | Compare false | 
| 6 | Compare true | 
| 7 | Authentication method not supported | 
| 8 | Strong authentication required | 
| 9 | Partial results and referral received | 
| 10 | Referral received | 
| 11 | Administrative limit exceeded | 
| 12 | Unavailable critical extension | 
| 13 | Confidentiality required | 
| 14 | SASL bind in progress | 
| 16 | No such attribute | 
| 17 | Undefined attribute type | 
| 18 | Inappropriate matching | 
| 19 | Constraint violation | 
| 20 | Type or value exists | 
| 21 | Invalid syntax | 
| 32 | No such object | 
| 33 | Alias problem | 
| 34 | Invalid DN syntax | 
| 35 | Object is a leaf | 
| 36 | Alias de-referencing problem | 
| 48 | Inappropriate authentication | 
| 49 | Invalid credentials | 
| 50 | Insufficient access | 
| 51 | Server is busy | 
| 52 | Server is unavailable | 
| 53 | Server is unwilling to perform | 
| 54 | Loop detected | 
| 64 | Naming violation | 
| 65 | Object class violation | 
| 66 | Operation not permitted on a non-leaf entry | 
| 67 | Operation not permitted on a RDN | 
| 68 | Entry already exists | 
| 69 | Cannot modify object class | 
| 70 | Results too large | 
| 71 | Affects multiple servers | 
| 76 | Virtual list view error | 
Table 10–4 Summary of Result Codes for LDAP Clients
| Result Code | Description | 
|---|---|
| 80 | Unknown error | 
| 81 | Cannot contact LDAP server | 
| 82 | Local error | 
| 83 | Encoding error | 
| 84 | Decoding error | 
| 85 | Timed out | 
| 86 | Unknown authentication method | 
| 87 | Bad search filter | 
| 88 | User cancelled operation | 
| 89 | Bad parameter to an LDAP routine | 
| 90 | Out of memory | 
| 91 | Cannot connect to the LDAP server | 
| 92 | Not supported by this version of LDAP | 
| 93 | Requested LDAP control not found | 
| 94 | No results returned | 
| 95 | Additional results to return | 
| 96 | Client detected loop | 
| 97 | Referral hop limit exceeded |