Sun Java System Directory Server Enterprise Edition 6.2 Reference

Access Logs for Directory Proxy Server

Access logs contain information about the requests being processed by Directory Proxy Server. Access logs contain information about two types of connection:

Access log messages are categorized according to the cause of the message. The following table lists the categories of messages that can be included in the access log.

Table 23–2 Message Categories for Access Logs

| Category Name | Category Description |
|---|---|
| CONNECT | Information about a client connection |
| DISCONNECT | Information about a client disconnection |
| OPERATION | Information about operations requested by a client |
| PROFILE | Information about the profiles of a connection handler |
| SERVER_OP | Information about operations that are forwarded to data sources |
| SERVER_OP_DETAIL | Detailed information about operations that are forwarded to data sources |

Access Log Levels

Each message category can be configured with one of the following log levels:

  1. none: No access messages are included in the log file.

  2. info: Informational messages are included in the log file.

  3. all: All messages are included in the log file. In most cases, this setting produces the same results as the info setting. In certain situations, this setting enables additional debugging messages to be logged.

  4. inherited: The log level is inherited from the value of the default-log-level property.

By default, the log level for each message category is info.

The log-level of a message category works in conjunction with the severity level of a message to determine which messages are included in the log file. For more information, see Message Severity.

Format of an Access Log Message

An access log message has this format:

timestamp - category - severity - connectionNumber operationNumber
  messageID operationType messageText

Example 23–2 shows an extract of an access log. The log shows a client request that starts with a message in the CONNECT category and ends with a message in the DISCONNECT category. The operation requested by the client is shown by the message in the OPERATION category, and results in several messages in the SERVER_OP category. The logged messages have the INFO and DEBUG severity.


Example 23–2 Extract of an Access Log


[07/17/2005:17:29:45 +0200] - CONNECT    - INFO  - conn=1591031 
  client=129.157.192.132:49216 server=0.0.0.0:9389 protocol=LDAP
[07/17/2005:17:29:45 +0200] - OPERATION  - INFO  - conn=1591031 op=0 
  msgid=1 SEARCH base="o=movie" scope=2 filter="(objectClass=*)"
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 
  SEARCH base="o=movie" scope=2 filter="(objectClass=*)" 
  s_msgid=318022 s_authzid="" s_conn=39
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 
  SEARCH base="o=movie" scope=2 filter="(objectClass=*)" s_msgid=316902 
  s_authzid="" s_conn=76
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 
  SEARCH RESPONSE err=0 msg="" nentries=4 s_conn=76
[07/17/2005:17:29:45 +0200] - SERVER_OP  - DEBUG - Global status code = 0
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 
  SEARCH RESPONSE err=0 msg="" nentries=11 s_conn=39
[07/17/2005:17:29:45 +0200] - SERVER_OP  - DEBUG - Global status code = 0
[07/17/2005:17:29:45 +0200] - OPERATION  - INFO  - conn=1591031 op=0 
  SEARCH RESPONSE err=0 msg="" nentries=22
[07/17/2005:17:29:45 +0200] - OPERATION  - INFO  - conn=1591031 op=1 
  UNBIND
[07/17/2005:17:29:45 +0200] - DISCONNECT - INFO  - conn=1591031 
  reason=unbind"

Message Parts in an Access Log

Messages for the connections between a client and the Directory Proxy Server are labeled in the same way as in Directory Server. Table 23–3 describes the parts of the messages between the client and the Directory Proxy Server that appear in Example 23–2. For an explanation of all of the possible message parts, see Content of Access, Error, and Audit Logs.

Table 23–3 Message Parts for Connections Between a Client and a Directory Proxy Server

| Log Message Part | Description |
|---|---|
| conn | Identifier for the connection between the client and the Directory Proxy Server. |
| op | The number of an operation on a given connection. The first operation on a connection has the value op=0. Subsequent requests on the connection have increasing numbers, op=1, op=2, etc. |
| msgid | The number of a message to be sent to a client application. The LDAP protocol is mainly asynchronous. If a client request requires a response from a server, the response is given in the following steps: (1) the directory server acknowledges the request and assigns a msgid; (2) the directory server responds to the request by using the msgid identifier. A response can be sent in multiple packets, where each packet is identified by the same msgid. |
| nentries | The number of entries returned by a search request. |
| err | The result code returned from the LDAP operation. The error number 0 means that the operation was successful. For a list of LDAP result codes, see Result Codes in Log Files. |
| msg | A human readable error diagnostic. |

Messages for the connections between Directory Proxy Server and a data source are prefixed with s_. Table 23–4 describes parts of the messages between the Directory Proxy Server and the data source in Example 23–2.

Table 23–4 Message Parts for Connections Between a Directory Proxy Server and a Data Source

| Log Message Part | Description |
|---|---|
| s_msgid | Identifier for the message between the Directory Proxy Server and a data source. |
| s_authzid | Authorization identity for an operation to be processed under when the Directory Proxy Server forwards the request to a data source by using proxy authorization. |
| s_conn | Identifier for the connection between the Directory Proxy Server and the data source. |
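Added example, not part of the Sun documentation: Python that joins wrapped log lines, splits each message into the parts listed above, and groups messages by conn and op so that a client operation can be traced to the s_conn data-source connections that served it and to the s_authzid each one was given. The function names and the dictionary layout are assumptions of this example, and the sample input is constructed from Example 23–2.

```python
import re
from collections import defaultdict

SAMPLE = """\
[07/17/2005:17:29:45 +0200] - OPERATION  - INFO  - conn=1591031 op=0 msgid=1 SEARCH base="o=movie" scope=2 filter="(objectClass=*)"
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0
  SEARCH base="o=movie" scope=2 filter="(objectClass=*)"
  s_msgid=318022 s_authzid="" s_conn=39
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 SEARCH base="o=movie" scope=2 filter="(objectClass=*)" s_msgid=316902 s_authzid="" s_conn=76
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 SEARCH RESPONSE err=0 msg="" nentries=4 s_conn=76
[07/17/2005:17:29:45 +0200] - SERVER_OP  - DEBUG - Global status code = 0
[07/17/2005:17:29:45 +0200] - SERVER_OP  - INFO  - conn=1591031 op=0 SEARCH RESPONSE err=0 msg="" nentries=11 s_conn=39
[07/17/2005:17:29:45 +0200] - OPERATION  - INFO  - conn=1591031 op=0 SEARCH RESPONSE err=0 msg="" nentries=22
"""  # constructed: the op=0 records of Example 23-2, most of them unwrapped

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<category>\w+)\s+- (?P<severity>\w+)\s+- (?P<text>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_records(log_text):
    """Join indented continuation lines, then split each message into its parts."""
    records = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["text"] += " " + line.strip()
    for r in records:
        r["fields"] = {k: v.strip('"') for k, v in FIELD.findall(r["text"])}
        r["op_type"] = " ".join(FIELD.sub("", r["text"]).split())  # e.g. SEARCH RESPONSE
    return records

def correlate(records):
    """Map (conn, op) to the client-side view and to each data-source connection used."""
    ops = defaultdict(lambda: {"client": {}, "backends": defaultdict(dict)})
    for r in records:
        f = r["fields"]
        if "conn" not in f or "op" not in f:
            continue  # CONNECT, DISCONNECT and DEBUG messages carry no op number
        entry = ops[(f["conn"], f["op"])]
        if "err" in f:  # a RESPONSE message
            info = {"err": int(f["err"]), "nentries": int(f.get("nentries", 0))}
        else:
            info = {"request": r["op_type"], **{k: f[k] for k in ("s_msgid", "s_authzid") if k in f}}
        (entry["backends"][f["s_conn"]] if "s_conn" in f else entry["client"]).update(info)
    return ops

def unanswered_backends(ops):
    """Data-source connections that logged a forwarded request but no response."""
    return [(k, c) for k, e in ops.items() for c, side in e["backends"].items() if "err" not in side]
```

An operation reported by `unanswered_backends` may simply not have been flushed to the file yet, so re-check it after the next buffer flush before treating it as a failed data source.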

Access Log Buffer

Access log messages are stored in a buffer. The buffer is flushed to the access log at the following times:

If a buffer is flushed because it is full, the last message in the access log file might not be complete. The remainder of the message is then delivered in the next flush. By default, the size of the buffer is 10 KBytes. However, the size of the buffer can be configured to control the frequency with which it is flushed. For performance reasons, the buffer size should not be reduced to less than 5 KBytes.

You can configure the size of the access log buffer by setting the log-buffer-size property. For information about how to configure access log properties, see Configuring Directory Proxy Server Logs in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.