Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Chapter 27 Directory Proxy Server Logging

Directory Proxy Server logs information in access logs and error logs. Unlike Directory Server, Directory Proxy Server does not have an audit log. For a description of the logs in Directory Proxy Server, see Chapter 23, Directory Proxy Server Logging, in Sun Java System Directory Server Enterprise Edition 6.2 Reference.

Viewing Directory Proxy Server Logs

You can view Directory Proxy Server logs directly through the log files or by using Directory Service Control Center (DSCC).

By default, the logs are stored in this directory:


instance-path/logs

The following figure shows a screen capture of the error log for Directory Proxy Server on DSCC.

Figure 27–1 Error Log Window for Directory Proxy Server

[Screen capture: the error log for Directory Proxy Server, with the error log entries listed in a table.]

Configuring Directory Proxy Server Logs

Directory Proxy Server error logs and access logs can be configured by using the dpconf command or DSCC. For information about how to configure the logs by using DSCC, see the Directory Proxy Server online help. This section describes how to configure Directory Proxy Server logs by using the dpconf command.

You can retrieve a complete list of the configuration options along with the allowed values and default values by running these commands:

$ dpconf help-properties error-log
$ dpconf help-properties access-log

Procedure: To Configure Directory Proxy Server Access and Error Logs

This procedure configures the Directory Proxy Server access log. To configure the Directory Proxy Server error log, perform the same procedure but replace access with error.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the properties of the access log.


    $ dpconf get-access-log-prop -h host -p port
    

    The default properties of an access log are as follows:


    default-log-level                :  info
    enable-log-rotation              :  true
    log-buffer-size                  :  9.8k
    log-file-name                    :  logs/access
    log-file-perm                    :  600
    log-level-client-connections     :  -
    log-level-client-disconnections  :  -
    log-level-client-operations      :  -
    log-level-connection-handlers    :  -
    log-level-data-sources           :  -
    log-level-data-sources-detailed  :  -
    log-min-size                     :  100M
    log-rotation-frequency           :  1h
    log-rotation-policy              :  size
    log-rotation-size                :  100M
    log-rotation-start-day           :  1
    log-rotation-start-time          :  0000
    log-search-filters               :  false
    max-age                          :  unlimited
    max-log-files                    :  10
    max-size                         :  unlimited
    min-free-disk-space-size         :  1M
  2. Change one or more of the properties that are listed in Step 1.


    $ dpconf set-access-log-prop -h host -p port property:value \
     [property:value ...]

    For example, to set the default log level for all message categories to warning, set the value of the default-log-level property to warning.


    $ dpconf set-access-log-prop -h host1 -p 1389 default-log-level:warning

    To disable all logs, irrespective of the log level for each message category, set the value of the default-log-level property to none.


    $ dpconf set-access-log-prop -h host1 -p 1389 default-log-level:none

    To reset a specific log level to the default log level, set that log level property to inherited. For example, to reset the log level for client connections, run the following command:


    $ dpconf set-access-log-prop -h host1 -p 1389 log-level-client-connections:inherited

    For information about properties that can be set by the set-access-log-prop subcommand, type:


    $ dpconf help-properties access-log

Configuring Directory Proxy Server Log Rotation

By default, log files are rotated when the log file size reaches 100 Mbytes. Ten log files are retained by default, after which the rotation procedure begins to overwrite the oldest log file. This section describes how to configure Directory Proxy Server logs for scheduled rotation, how to rotate logs manually, and how to disable log rotation. For example configurations, see Example Configurations for Log Rotation.

Procedure: To Configure Periodic Rotation of Access and Error Logs

This procedure configures the Directory Proxy Server access log. To configure the Directory Proxy Server error log, perform the same procedure but replace access with error.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. (Optional) View the properties of the access log.


    $ dpconf get-access-log-prop -h host -p port
    
  2. (Optional) View valid values for the properties of the access log.

    $ dpconf help-properties access-log
  3. To rotate logs when they reach a certain size, set the following properties:


    $ dpconf set-access-log-prop -h host -p port \
     log-rotation-policy:size log-rotation-size:maximum file size
    

    If the unit of the maximum file size is not specified, the default unit of bytes is used. When the log file reaches the defined size, the log is rotated. The file size must be at least 1 Mbyte and no more than 2 Gbytes.

    For an example of how to rotate logs by size, see Rotating the Log Based on Log Size.

  4. To rotate logs periodically, irrespective of the log size, set the following properties:


    $ dpconf set-access-log-prop -h host -p port \
     log-rotation-frequency:interval in months, weeks, hours, or minutes \
     log-rotation-policy:periodic \
     log-rotation-start-day:day in week (1-7) or day in the month (1-31) \
     log-rotation-start-time:time of day (hhmm)
    

    If the log is configured for rotation on the 31st of the month but the month has fewer than 31 days, the log is rotated on the first day of the following month.

    For examples of how to rotate logs periodically, see Rotating the Log Based on Time.

  5. To rotate logs periodically if the log file is big enough, set the log-rotation-frequency and log-min-size properties.


    $ dpconf set-access-log-prop -h host -p port \
     log-rotation-frequency:interval in months, weeks, hours, or minutes \
     log-rotation-policy:periodic log-min-size:minimum file size \
     log-rotation-start-day:day in week (1-7) or day in the month (1-31) \
     log-rotation-start-time:time of day (hhmm)
    

    The log-min-size property represents the minimum size of the log. The rotation takes place at the scheduled time only if the log file is bigger than the specified size.

    If the log is configured for rotation on the 31st of the month but the month has fewer than 31 days, the log is rotated on the first day of the following month.

    For an example of how to rotate logs periodically if the file size is big enough, see Rotating the Log Based on Time and Log Size.

Procedure: To Rotate Access and Error Log Files Manually

This procedure rotates the Directory Proxy Server access log. To rotate the Directory Proxy Server error log, perform the same procedure but replace access with error.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Rotate the access log.


    $ dpconf rotate-log-now -h host -p port access

Procedure: To Disable Access and Error Log Rotation

This procedure disables rotation of the Directory Proxy Server access log. To disable rotation of the Directory Proxy Server error log, perform the same procedure but replace access with error.

  1. Disable log file rotation.


    $ dpconf set-access-log-prop -h host -p port enable-log-rotation:false

Example Configurations for Log Rotation

Examples of how to configure log rotation by log size, time, or both follow.

Rotating the Log Based on Log Size

This example shows how to configure log rotation according to log size only. This configuration rotates the log when it reaches 10 Mbytes, irrespective of the time since the log was last rotated.


$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-policy:size \
  log-rotation-size:10M

Rotating the Log Based on Time

The examples in this section show how to configure log rotation according to the time since the last rotation, irrespective of log size.

If the log-rotation-start-day is set to 31 and the month has only 30 days, the log is rotated on the first day of the following month. If the log-rotation-start-day is set to 31 and the month has only 28 days (February), the log is rotated on the 3rd.

Rotating the Log Based on Time and Log Size

This example shows how to configure a log rotation for a specified interval if the file size is big enough.

This configuration rotates the log at 3:00, 11:00, and 19:00 every day, if the size of the log file exceeds 1 Mbyte. If the size of the log file does not exceed 1 Mbyte, the log file is not rotated.


$ dpconf set-access-log-prop -h host1 -p 1389 log-rotation-frequency:8h \
 log-rotation-policy:periodic log-min-size:1M log-rotation-start-time:0300

Deleting Directory Proxy Server Logs

Directory Proxy Server enables you to configure log deletion based on time, size, or free disk space (the default). For more information about these deletion policies, see Log File Deletion in Sun Java System Directory Server Enterprise Edition 6.2 Reference.

The following procedures configure log deletion for the access log. To configure log deletion for the error log, use the same commands, but replace access with error.

Procedure: To Configure Access and Error Log Deletion Based on Time

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Specify the maximum age for log files.


    $ dpconf set-access-log-prop -h host -p port max-age:duration
    

    where duration includes a unit of days (d), weeks (w), or months (M). For example, to delete backup log files older than five days, use this command:


    $ dpconf set-access-log-prop -h host1 -p 1389 max-age:5d

Procedure: To Configure Access and Error Log Deletion Based on File Size

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Specify the maximum size for log files.


    $ dpconf set-access-log-prop -h host -p port max-size:memory-size
    

    For example, to delete backup log files greater than 1 Mbyte, use this command:


    $ dpconf set-access-log-prop -h host1 -p 1389 max-size:1M

Procedure: To Configure Access and Error Log Deletion Based on Free Disk Space

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Specify the minimum available disk space.


    $ dpconf set-access-log-prop -h host -p port min-free-disk-space-size:memory-size
    

    For example, to delete backup log files when the available disk space is less than 2 Mbytes, use this command:


    $ dpconf set-access-log-prop -h host1 -p 1389 min-free-disk-space-size:2M

Logging Alerts to the syslogd Daemon

This section describes how to configure the logging of alert messages to the syslogd daemon and how to configure the operating system to accept syslog alerts.

Procedure: To Configure Directory Proxy Server to Log Alerts to the syslogd Daemon

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. (Optional) View the current values of the properties for the system log alerts.


    $ dpconf get-server-prop -h host -p port syslog-alerts-enabled \
     syslog-alerts-facility syslog-alerts-host

    The default properties for the system log alerts are as follows:


    syslog-alerts-enabled   :  false
    syslog-alerts-facility  :  USER
    syslog-alerts-host      :  localhost

    The syslog-alerts-host property defines the host name of the syslogd daemon to which the messages are sent. The syslog-alerts-facility property is read-only and causes messages to be sent to the user category in the system log.

  2. Enable alert messages to be logged to the syslogd daemon.


    $ dpconf set-server-prop -h host -p port syslog-alerts-enabled:true
  3. (Optional) Send alert messages to the syslogd daemon on a different host.


    $ dpconf set-server-prop -h host -p port syslog-alerts-host:hostname
    

Configuring the Operating System to Accept syslog Alerts

This section provides instructions on configuring the Solaris, Linux, and HP-UX operating systems to accept syslog alerts.

Procedure: To Configure the Solaris OS to Accept syslog Alerts

  1. Add the appropriate facility to the syslog configuration file.

    For example, to store all alerts using the USER facility, add the following line to /etc/syslog.conf:

    user.info       /var/adm/info

    Here /var/adm/info is an example local directory in which messages will be stored. Ensure that /var/adm/info exists before continuing.

  2. Restart the syslogd daemon.

    1. On Solaris 8 and 9, restart syslogd by stopping it and then starting it:

      $ /etc/init.d/syslog stop
      $ /etc/init.d/syslog start
    2. On Solaris 10, restart syslogd by typing this:

      $ svcadm restart system/system-log
  3. Verify that messages are logged in syslog.

    $ logger -p user.info "Test message"
    $ cat /var/adm/info
     Jun 19 17:18:38 host user: [ID 12345 user.info] Test message

Procedure: To Configure Linux to Accept syslog Alerts

  1. Add the appropriate facility to the syslog configuration file.

    For example, to store all alerts using the USER facility, add the following line to /etc/syslog.conf:

    user.info       /var/adm/info

    Here /var/adm/info is an example local directory in which messages will be stored. Ensure that /var/adm/info exists before continuing.

  2. Configure the syslogd daemon to run with the -r option.

    This option allows syslogd to accept connections from the network. By default, the -r option is not set.

    To set the -r option, add the following line to /etc/sysconfig/syslog:

    SYSLOGD_OPTIONS="-m 0 -r"

    If /etc/sysconfig/syslog does not exist, add the same line to /etc/init.d/syslog.

  3. Restart the syslogd daemon by stopping it and then starting it.

    $ /etc/init.d/syslog stop
    $ /etc/init.d/syslog start
  4. Verify that messages are logged in syslog.

    $ logger -p user.info "Test message"
    $ cat /var/adm/info
     Jun 19 17:18:38 host user: [ID 12345 user.info] Test message

Procedure: To Configure HP-UX to Accept syslog Alerts

  1. Add the appropriate facility to the syslog configuration file.

    For example, to store all alerts using the USER facility, add the following line to /etc/syslog.conf:

    user.info       /var/adm/info

    Here /var/adm/info is an example local directory in which messages will be stored. Ensure that /var/adm/info exists before continuing.

  2. Restart the syslogd daemon by stopping it and then starting it.

    $ /sbin/init.d/syslogd stop
    $ /sbin/init.d/syslogd start
  3. Verify that messages are logged in syslog.

    $ logger -p user.info "Test message"
    $ cat /var/adm/info
     Jun 19 17:18:38 host user: [ID 12345 user.info] Test message

Tracking Client Requests Through Directory Proxy Server and Directory Server Access Logs

To track the path of a client request, you must understand how requests are logged in the Directory Proxy Server access log and in the Directory Server access log. To understand this section, first read Tracking Client Requests Through Directory Proxy Server and Directory Server Access Logs in Sun Java System Directory Server Enterprise Edition 6.2 Reference.

Procedure: To Track Operations From Directory Server Through Directory Proxy Server to the Client Application

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Locate the connection number for the operation that you want to track in the Directory Server access log.

    For example, the following line in the access log shows operation op=2 on connection number conn=12839.


    [20/Jul/2006:18:01:49 -0500] conn=12839 op=2 msgId=4 - SRCH base="dc=example,dc=com" 
     scope=2 filter="(objectClass=organizationalunit)" attrs=ALL
  2. Obtain the Directory Proxy Server connection information for that connection.

    To obtain this information, search the Directory Server access log to locate all operations with the corresponding connection number. For example, on UNIX systems, run the following grep command to locate all lines in the Directory Server access log that correspond to connection conn=12839:


    $ grep conn=12839 access

    The line showing the initial LDAP connection is what you are looking for and will be similar to this:


    [19/Jul/2006:16:32:51 -0500] conn=12839 op=-1 msgId=-1 - fd=27 slot=27 
     LDAP connection from 129.153.160.175:57153 to 129.153.160.175

    The previous line shows that there is an LDAP connection from 129.153.160.175:57153 to Directory Server. The port number (57153) is the information that is required to link the connection back to the Directory Proxy Server access log. The port number enables you to find the corresponding connection in the Directory Proxy Server log, and to locate the client information from this connection.

    If the log files have been rotated since the connection was first established, you need to search the archived log files as well as the current access log file.

  3. Locate the corresponding connection in the Directory Proxy Server access log.

    To obtain this information, search the Directory Proxy Server access log to locate all operations with the corresponding port number.

    You might find multiple entries in the log file with the same port number. To ensure that you locate the correct entry, include the timestamp from the Directory Server log entry in your search.

    For example, on UNIX systems, run the following grep command to locate the connection entry that corresponds to the timestamp and port number found in the Directory Server log:


    $ grep 19/Jul/2006:16:32 access | grep 57153

    Note that the seconds value is excluded from the timestamp to take into account slight differences in server times.

    The corresponding line in the Directory Proxy Server log will be similar to this:


    [19/Jul/2006:16:32:51 -0500] - SERVER_OP  - INFO  - Created BIND  LDAP connection 
     s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 
     server=idm160.central.sun.com:9389 main

    This line shows that Directory Proxy Server created a BIND connection to s_conn=sunds-d1m1-9389:34. Directory Proxy Server identifies itself as the client client=0.0.0.0 on TCP port 57153.

    The important information to extract from this line of the log is the server ID and port number (s_conn=sunds-d1m1-9389:34).

  4. Locate all operations that correspond to the server ID and port number identified in the previous step.

    To obtain this information, search the Directory Proxy Server access log for all operations with the corresponding server ID and port number.

    For example, on UNIX systems, run the following grep command to locate the operation that corresponds to the server ID found in the previous step:


    $ grep s_conn=sunds-d1m1-9389:34 access

    In this case, it is not useful to search for the timestamp because these operations might span several days. However, you must determine that the operations returned by the search are the correct ones. If there are multiple Create connection statements, ensure that you locate the one that corresponds to the original search statement. To do this, match the timestamp to the timestamp found in Step 1.

    The following extract of the Directory Proxy Server access log shows all operations returned for s_conn=sunds-d1m1-9389:34.


    [19/Jul/2006:16:32:51 -0500] - SERVER_OP  - INFO - Created BIND LDAP connection
     s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
    [20/Jul/2006:18:01:49 -0500] - SERVER_OP  - INFO  - conn=31 op=0 BIND dn="cn=directory manager"
     method="SIMPLE" s_msgid=3 s_conn=sunds-d1m1-9389:34
    [20/Jul/2006:18:01:49 -0500] - SERVER_OP  - INFO  - conn=31 op=0 BIND RESPONSE err=0 msg=""
     s_conn=sunds-d1m1-9389:34
    [20/Jul/2006:18:01:49 -0500] - SERVER_OP  - INFO  - conn=31 op=1 SEARCH base="dc=example,dc=com"
     scope=2 s_msgid=4 s_conn=sunds-d1m1-9389:34
    [20/Jul/2006:18:01:49 -0500] - SERVER_OP  - INFO  - conn=31 op=1 SEARCH RESPONSE err=0 msg=""
     nentries=1 s_conn=sunds-d1m1-9389:34

    With this information, you can see that the connection ID for this search operation on Directory Proxy Server is 31 (conn=31).

  5. Locate the client connection IP address that corresponds to the connection ID found in the previous step.

    To obtain this information, search the Directory Proxy Server access log for all operations with the correct connection ID and timestamp. The timestamp to use is the one in the original search statement in Step 1.

    For example, on UNIX systems, run the following grep command to locate the client connection IP address:


    $ grep "20/Jul/2006:18:01" access | grep conn=31

    The line you are interested in is similar to this:


    [20/Jul/2006:18:01:49 -0500] - CONNECT - INFO  - conn=31 client=129.150.64.156:2031
     server=0.0.0.0:11389 protocol=LDAP
  6. Determine who owns the IP address found in the previous step.

    With this information, you can establish precisely who was responsible for the operation performed on Directory Server.
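The correlation in Steps 1 through 5, carried out in code rather than with a chain of grep commands. This is an added example and not part of the guide: the two log extracts are constructed in the formats shown above (each record kept on a single line), the 60-second window stands in for the page's practice of dropping the seconds from the timestamp, and matching the Directory Server msgId against the proxy's s_msgid is an assumption drawn from the sample lines above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample extracts in the formats shown in the procedure above (one record per line).
DS_ACCESS_LOG = """\
[19/Jul/2006:16:32:51 -0500] conn=12839 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 129.153.160.175:57153 to 129.153.160.175
[20/Jul/2006:18:01:49 -0500] conn=12839 op=2 msgId=4 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=organizationalunit)" attrs=ALL
"""
# The first proxy line reuses source port 57153 a day earlier: a decoy that the time window must reject.
DPS_ACCESS_LOG = """\
[18/Jul/2006:09:10:11 -0500] - SERVER_OP  - INFO  - Created BIND  LDAP connection s_conn=sunds-d1m1-9389:7 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
[19/Jul/2006:16:32:51 -0500] - SERVER_OP  - INFO  - Created BIND  LDAP connection s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
[20/Jul/2006:18:01:49 -0500] - CONNECT - INFO  - conn=31 client=129.150.64.156:2031 server=0.0.0.0:11389 protocol=LDAP
[20/Jul/2006:18:01:49 -0500] - SERVER_OP  - INFO  - conn=31 op=0 BIND dn="cn=directory manager" method="SIMPLE" s_msgid=3 s_conn=sunds-d1m1-9389:34
[20/Jul/2006:18:01:49 -0500] - SERVER_OP  - INFO  - conn=31 op=1 SEARCH base="dc=example,dc=com" scope=2 s_msgid=4 s_conn=sunds-d1m1-9389:34
"""

TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
WINDOW = timedelta(seconds=60)  # assumed clock-skew tolerance; the page drops the seconds for the same reason


def parse_ts(line):
    """Return the bracketed timestamp of a log line as an aware datetime, or None."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def field(line, key):
    """Return the value of an unquoted key=value token, or None (the \\b keeps s_conn= from matching conn=)."""
    m = re.search(r"\b%s=(\S+)" % re.escape(key), line)
    return m.group(1) if m else None


def near(line, when):
    ts = parse_ts(line)
    return ts is not None and abs(ts - when) <= WINDOW


def trace_client(ds_log, dps_log, ds_conn, ds_op):
    """Follow Steps 1-5: Directory Server conn/op -> source port -> s_conn -> proxy conn -> client address."""
    ds_lines, dps_lines = ds_log.splitlines(), dps_log.splitlines()
    try:
        # Step 1: the operation to track, with its timestamp and message ID.
        op_line = next(l for l in ds_lines if field(l, "conn") == ds_conn and field(l, "op") == ds_op)
        op_ts, msg_id = parse_ts(op_line), field(op_line, "msgId")
        # Step 2: the initial "LDAP connection from" line of that connection gives the proxy's source port.
        conn_line = next(l for l in ds_lines if field(l, "conn") == ds_conn and "LDAP connection from" in l)
        src_port = re.search(r"LDAP connection from \S+:(\d+)", conn_line).group(1)
        # Step 3: the proxy's "Created ... LDAP connection" line with that port, inside the time window.
        created = next(l for l in dps_lines if "Created" in l and near(l, parse_ts(conn_line))
                       and field(l, "client") == "0.0.0.0:" + src_port)
        s_conn = field(created, "s_conn")
        # Step 4: the operation on that backend connection near the operation time; s_msgid mirrors msgId (assumed).
        proxy_op = next(l for l in dps_lines if field(l, "s_conn") == s_conn and near(l, op_ts)
                        and field(l, "s_msgid") == msg_id)
        proxy_conn = field(proxy_op, "conn")
        # Step 5: the CONNECT record for that proxy connection carries the real client address.
        connect = next(l for l in dps_lines if "CONNECT" in l and field(l, "conn") == proxy_conn)
    except StopIteration:  # a link is missing, typically because that log has already been rotated away
        return None
    return {"port": src_port, "s_conn": s_conn, "proxy_conn": proxy_conn, "client": field(connect, "client")}


if __name__ == "__main__":
    print(trace_client(DS_ACCESS_LOG, DPS_ACCESS_LOG, "12839", "2"))
```

A None result is the signal to go back to the archived log files mentioned in Step 2 before concluding anything about the client.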