Netscape Certificate Management System Administrator's Guide: Managing Logs


Chapter 26 Managing Logs

Each instance of Netscape Certificate Management System (CMS) maintains its own system, error, and audit log files. These files record events related to various CMS activities. By configuring logs, you can customize the contents of the log files.

This chapter explains how to use the CMS window to configure the system, error, and audit logs maintained by Certificate Management System, and how to monitor its activities by viewing log contents.

Before you attempt to configure or monitor logs, it's a good idea to read "Introduction to Logs".

The chapter has the following sections:


Management of Logs
You can manage CMS logs in two ways:

The recommended method is to use the CMS window. However, for configuration parameters that are not shown in the CMS window, you may have to edit the configuration file.

Log Management From the CMS Window

The CMS window supports the configuration and monitoring of various CMS logs. In this window, you will find the Logs object in two places--in the navigation tree of the Configuration tab and in the navigation tree of the Status tab (see Figure 26.1).

Figure 26.1 Managing logs from the CMS window

The Logs object in the Configuration tab shows the current configuration of system, error, and audit logs and allows you to change it. For instructions on changing log configurations, see "Configuring Logs".

The Logs object in the Status tab shows messages logged by the server. For instructions on viewing logs, see "Monitoring Logs".

Log Parameters in the Configuration File

The sample configuration file on page 102 illustrates how information specific to logs appears in the configuration file, CMS.cfg. If you intend to change the configuration by editing the configuration file, be sure to follow the instructions provided in "Changing the Configuration by Editing the Configuration File".


Configuring Logs
This section describes the procedures for configuring each type of CMS log:

Configuring System Logs

To configure the system log for a CMS instance:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. In the navigation tree, select Logs.

    The System tab appears in the right pane. It shows the current configuration for the system log.

  3. Check the "Enable logging" box if you want the server to log system-level messages to the appropriate CMS log file (see "Log File Locations"). All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type.
  4. In the "Log options" section, specify information as appropriate:

    Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active system log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default rotation interval is Monthly. For more information, see "Rotation of Log Files".

    Maximum size. Type the file size in kilobytes (KB) for the system log. The default file size is 100 KB. For more information, see "Rotation of Log Files".

    Buffer size. Type the buffer size in kilobytes (KB) for the system log. The default size for the buffer is 512 KB. For more information, see "Buffered Versus Unbuffered Logging".

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. The default selection is Failure. For more information, see "Log Levels (Message Categories)".

  5. This step is applicable to Windows NT systems only. On a Windows NT system, check the "NT Event logging" box if you want the server to log system-level messages to the Event Log maintained by the system. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type to the Event Log.

    Event source. Specifies the CMS instance ID for which the system messages are to be logged. For example, the instance ID could be cert-test CA.

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. The default selection is Warning. For more information, see "Log Levels (Message Categories)".

  6. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Configuring Error Logs

To configure the error log for a CMS instance:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. In the navigation tree, select Logs, and then in the right pane, select the Error tab.
  3. If you want the server to log error messages, check the "Enable logging" box. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type.
  4. In the "Log options" section, specify information as appropriate:

    Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active error log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly. For more information, see "Rotation of Log Files".

    Maximum size. Type the file size in kilobytes (KB) for the error log. The default file size is 100 KB. For more information, see "Rotation of Log Files".

    Buffer size. Type the buffer size in kilobytes (KB) for the error log. The default size for the buffer is 512 KB. For more information, see "Buffered Versus Unbuffered Logging".

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. The default selection is Failure. For more information, see "Log Levels (Message Categories)".

  5. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Configuring Audit Logs

To configure the audit log for a CMS instance:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. In the navigation tree, click Logs, and then in the right pane, select the Audit tab.
  3. If you want the server to log system-level messages, check the "Enable logging" box. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type.
  4. In the "Log options" section, specify information as appropriate:

    Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active audit log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly. For more information, see "Rotation of Log Files".

    Maximum size. Type the file size in kilobytes (KB) for the audit log. The default file size is 100 KB. For more information, see "Rotation of Log Files".

    Buffer size. Type the buffer size in kilobytes (KB) for the audit log. The default size for the buffer is 512 KB. For more information, see "Buffered Versus Unbuffered Logging".

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. The default selection is Info. For more information, see "Log Levels (Message Categories)".

  5. This step is applicable to Windows NT systems only. On a Windows NT system, check the "NT Event logging" box if you want the server to log audit messages to the Event Log maintained by the system. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type to the Event Log.

    Event source. Specifies the CMS instance ID for which the audit messages are to be logged. For example, the instance ID could be cert-test CA.

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. The default selection is Info. For more information, see "Log Levels (Message Categories)".

  6. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.


Monitoring Logs
When you have problems with Certificate Management System that require troubleshooting, you may find it helpful to check the error or informational messages that the server has logged. Also, by examining the log files you can monitor many aspects of the server's operation.

To facilitate this, the CMS window provides a simple mechanism for viewing the contents of both currently active and rotated audit, system, and error log files. The contents of the log file you choose to view are displayed in the form of a table. Each row is allocated to a specific log entry, with columns containing information such as the date and time the message was logged, the severity of the message, and a general description of the log. Once you open a log file for viewing, you can also do the following tasks:

This section covers the following topics on monitoring Certificate Management System by viewing log contents:

Monitoring System Logs

Certificate Management System maintains extensive system logs. These logs record various events and system errors for system monitoring and debugging. A system log records details such as the following:

You can view the contents of currently active as well as rotated system log files from the CMS window (see Figure 26.2).

If you have installed Certificate Management System on a Windows NT system, you can configure the server to log messages to the Windows NT event log. For details, see "Logging to Windows NT Event Log" on page 1071.

Figure 26.2 A sample active system log displayed in the CMS window

To view the contents of an active or rotated system log file:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Status tab.
  3. In the navigation tree, under Logs, select System.
  4. In the Display Options section, specify your viewing preferences:

    Entries. Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) regardless of the number found.

    Source. Select the CMS component (or service) for which log messages are to be displayed. Depending on the components that write to this log file, the drop-down list shows one or more of the following: All, Registration Authority, Certificate Authority, Key Recovery Authority, HTTP, Internal Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see "Services That Are Logged".

    Level. Select a message category that represents the log level for filtering messages. For more information on log levels, see "Log Levels (Message Categories)".

    Filename. Select the log file you want to view. Choose Current to view the currently active system log file. For more information, see "Log File Naming Conventions".

  5. Click Refresh.

    The table displays the system log entries. The entries are in reverse chronological order, with the most current entry placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.

    For each entry you see the following details:

    Source. Indicates the CMS component or resource that logged the message.

    Level. Indicates the severity of the corresponding entry (explained in Table 25.3).

    Date. Indicates the date on which the entry was logged.

    Time. Indicates the time at which the entry was logged.

    Details. Provides a brief description of the log.

  6. To view an entry in its entirety, either double-click it or select the entry and click View.

Monitoring Error Logs

The error log file contains errors the server has encountered since the log file was created; it also contains informational messages about the server, such as when the server was started. Incorrect user authentication is also recorded in the error log. Use the error log to find broken URL paths or missing files.

You can view the contents of currently active as well as rotated error log files from the CMS window (see Figure 26.3).

Figure 26.3 A sample active error log displayed in the CMS window

To view the contents of an active or rotated error log file:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Status tab.
  3. In the navigation tree, under Logs, click Error.
  4. In the Display Options section, specify your viewing preferences:

    Entries. Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) to the client regardless of the number found.

    Source. Select the CMS component (or service) for which log messages are to be displayed. Depending on the components that write to this log file, the drop-down list shows one or more of the following: All, Registration Authority, Certificate Authority, Key Recovery Authority, HTTP, Internal Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see "Services That Are Logged".

    Level. Select a message category that represents the level of logging to filter messages. For more information, see "Log Levels (Message Categories)".

    Filename. Select the log file you want to view. Choose Current to view the currently active error log file. For more information, see "Log File Naming Conventions".

  5. Click Refresh.

    The table displays the error log entries. The entries are in reverse chronological order, with the most current log placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.

    For each entry you see the following details:

    Source. Indicates the CMS component or resource that logged the message.

    Level. Indicates the severity of the corresponding entry (explained in Table 25.3).

    Date. Indicates the date on which the entry was logged.

    Time. Indicates the time at which the entry was logged.

    Details. Provides a brief description of the log.

  6. To view an entry in its entirety, either double-click it or select the entry and click View.

Monitoring Audit Logs

Certificate Management System maintains audit trails for all events--certificate requests, certificate renewal and revocation requests, CRL publication, and so on. These trails enable you to detect any unauthorized access or activity. The audit trails are logged and maintained in a file in your local file system.

If you have installed Certificate Management System on a Windows NT system, you can also configure the server to log audit messages to Windows NT event log. For details, see "Logging to Windows NT Event Log".

Important: You should periodically examine and audit the CMS audit log for unusual activity. When examining the log, note in particular the log entries that fall under the Security-Related Events category (these are labeled Security).

You can view the contents of currently active as well as rotated audit log files from the CMS window (see Figure 26.4).

Figure 26.4 A sample active audit log displayed in the CMS window

To view the contents of an active or rotated audit log file:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Status tab.
  3. In the navigation tree, under Logs, select Audit.
  4. In the Display Options section, specify your viewing preferences:

    Entries. Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) regardless of the number it finds.

    Source. Select the CMS component (or resource) for which log messages are to be displayed. Depending on the components that write to this log file, the drop-down list shows one or more of the following: All, Registration Authority, Certificate Authority, Key Recovery Authority, HTTP, Internal Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see "Services That Are Logged".

    Level. Select a message category that represents the level of logging to filter messages. For more information, see "Log Levels (Message Categories)".

    Filename. Select the log file you want to view. Choose Current to view the currently active audit log file. For more information, see "Log File Naming Conventions".

  5. Click Refresh.

    The table displays the audit log entries. The entries are in reverse chronological order, with the most current log placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.

    For each entry you see the following details:

    Source. Indicates the CMS component or resource that wrote to the log file.

    Level. Indicates the severity of the corresponding entry (explained in Table 25.3).

    Date. Indicates the date on which this entry was logged.

    Time. Indicates the time at which this entry was logged.

    Details. Provides a brief description of the log.

  6. To view an entry in its entirety, either double-click it or select the entry and then click View.

Using System Tools for Monitoring the Server (Windows NT Only)

If you have installed Certificate Management System on a Windows NT system, you can monitor the server with the system tools provided by Windows NT. This section explains how you can use the system tools.

Logging to Windows NT Event Log

You can also configure Certificate Management System to write both audit and system logs to the event log of a Windows NT system. If you've installed Certificate Management System on a Windows NT system, the CMS window allows you to turn this feature on or off and to specify the levels for logging. For information on turning logging to the Windows NT Event Log on or off, see "Configuring System Logs" and "Configuring Audit Logs".

Note that by default both the audit and system logs are enabled.

Using Event Viewer

In addition to logging messages to the log files maintained in your local file system, Certificate Management System can also log audit messages and system errors to the Windows NT Event log. To configure the server to log messages to Windows NT event log, see "Logging to Windows NT Event Log". If you configure the server to do so, you can use the system's tool called Event Viewer to monitor events related to your server.

More information about Event Viewer is available in your system documentation.

To monitor Certificate Management System by using Event Viewer:

  1. In the Administrative Tools program group, double-click the Event Viewer icon.
  2. From the Log menu, select Application.

    The Application log appears in Event Viewer. In this log, the source of any messages from Netscape Certificate Management System is the server's instance ID (if you didn't change the default values assigned to the logNTAudit.NTEventSourceName and logNTSystem.NTEventSourceName parameters).

  3. From the View menu, choose Find to search for one of the Netscape labels in the log; use Refresh to see updated log entries.
  4. Double-click a log entry to see additional information.

The mapping between the CMS log levels and the Windows NT event type is shown in Table 26.1.

Table 26.1 Mapping between CMS log levels and Windows NT event log type

    Windows NT log event type    CMS log level
    Information                  Debugging (0)
    Information                  Informational (1)
    Warning                      Warning (2)
    Error                        Failure (3)
    Error                        Misconfiguration (4)
    Error                        Catastrophic failure (5)
    Error                        Security-related events (6)

Avoiding Event Log From Getting Filled

When running Certificate Management System on a Windows NT system, if you don't configure the NT Event Log properly, the event log will get full. When this happens, you'll see an error message (see Figure 26.5) stating that the application log file is full.

Figure 26.5 Error message indicating event log is full

If you see this dialog box, you must clean up the application log immediately.

Here's what you should do:

  1. From the Start menu on your desktop, select Programs, Administrative Tools (Common), and Event Viewer, in that order.

    This opens the Event Viewer window for the system.

  2. From the Log menu, select Application.

    A checkmark to the left indicates it is selected.

  3. From the Log menu, select Log Settings.

    This opens the Event Log Settings window.

  4. Enter the appropriate values:

    Change Settings for. Make sure that the Application log is selected in this box.

    Maximum Log Size. Select a reasonable size so that the event log doesn't get full in a short period of time.

    Event Log Wrapping. Select the "Overwrite Events as Needed" option.

  5. Click OK.
  6. Close the Event Viewer window.

Signing Log Files
Certificate Management System allows you to digitally sign log files before you archive them or distribute them for audit purposes. This feature enables you to check whether the log files have been tampered with since being signed.

To sign log files, you use a command-line utility called Netscape Signing Tool. For details about this utility, see Appendix F, "Netscape Signing Tool"; to locate the online version of the document, see "Where to Go for Related Information". The utility uses information in the certificate (cert7.db), key (key3.db), and security module (secmod.db) databases of Certificate Management System.

Before you begin signing the log files, follow these guidelines:

When you are ready with all this information, follow the procedure below to sign the log directories:

  1. Go to the CMS instance in which the CA whose key pair you want to use for signing is installed.
  2. Copy the security module database (secmod.db file) from the Administration Server configuration directory to the CMS configuration directory.

    The security module database is in this directory:

    <server_root>/admin-serv/config

    Copy it to this directory:

    <server_root>/cert-<instance_id>/config

  3. Open a terminal window.
  4. At the command prompt, run the following command with the appropriate information:

    signtool -d <secdb_dir> -k <cert_nickname> -Z <output> <input>

    <secdb_dir> specifies the path to the directory that contains the certificate, key, and security module databases for the CA. This must be the same path you used to copy the security module database in step 2.

    <cert_nickname> specifies the nickname of the certificate you want the utility to use for signing.

    <output> specifies the name of the JAR file (a signed zip file).

    <input> specifies the path to the directory that contains the log files.

    For example, in a Windows NT system, your command might look like this:

    signtool -d c:\netscape\server4\cert-testCA\config -k testCAsigningcertificate -Z log_err_02_99.jar c:\archive\logs

    where:

    c:\netscape\server4\cert-testCA\config is the path to the certificate, key, and security module databases (secdb_dir).

    testCAsigningcertificate is the certificate nickname (cert_nickname).

    log_err_02_99.jar is the name of the JAR file (output).

    c:\archive\logs is the directory to be signed (input).
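
The signing procedure above, wrapped with pre-flight checks and an immediate verification pass, as an added example that is not part of the original guide. The function names and the SIGNTOOL override variable are assumptions; the -v (verify archive) option belongs to Netscape Signing Tool but is not described in this chapter, and the sketch assumes signtool exits non-zero on failure.

```shell
#!/bin/sh
# Added example, not from the CMS guide. Function names and the SIGNTOOL
# variable are assumptions made for this sketch.

SIGNTOOL="${SIGNTOOL:-signtool}"

# check_secdb DIR
# Succeeds only if DIR holds all three databases the guide says signtool
# reads: certificate (cert7.db), key (key3.db), security module (secmod.db).
check_secdb() {
    missing=""
    for db in cert7.db key3.db secmod.db; do
        [ -f "$1/$db" ] || missing="$missing $db"
    done
    if [ -n "$missing" ]; then
        echo "check_secdb: missing in $1:$missing" >&2
        return 1
    fi
}

# stage_secmod SERVER_ROOT INSTANCE_ID
# Step 2 of the procedure: copy secmod.db from the Administration Server
# configuration directory to the CMS instance's configuration directory,
# unless it is already there.
stage_secmod() {
    src="$1/admin-serv/config/secmod.db"
    dst="$1/cert-$2/config/secmod.db"
    if [ -f "$dst" ]; then
        return 0
    fi
    if [ ! -f "$src" ]; then
        echo "stage_secmod: $src not found" >&2
        return 1
    fi
    cp -p "$src" "$dst"
}

# sign_logs SECDB_DIR CERT_NICKNAME OUTPUT_JAR LOG_DIR
# Runs the guide's signtool command only after the inputs look sane, then
# verifies the new archive so a bad signature is caught before archiving.
sign_logs() {
    secdb=$1; nick=$2; out=$3; logdir=$4
    check_secdb "$secdb" || return 1
    if [ ! -d "$logdir" ] || [ -z "$(ls -A "$logdir")" ]; then
        echo "sign_logs: $logdir is missing or empty" >&2
        return 1
    fi
    # Never replace an earlier signed archive: it may be the only evidence
    # of what the logs contained at signing time.
    if [ -e "$out" ]; then
        echo "sign_logs: refusing to overwrite $out" >&2
        return 1
    fi
    "$SIGNTOOL" -d "$secdb" -k "$nick" -Z "$out" "$logdir" || return 1
    # Assumption: signtool returns non-zero when verification fails.
    "$SIGNTOOL" -d "$secdb" -v "$out"
}

# Usage (paths are placeholders):
#   stage_secmod <server_root> <instance_id>
#   sign_logs <secdb_dir> <cert_nickname> <output> <input>
```

Running the same `signtool -d <secdb_dir> -v <output>` check later, against a copy of the archive, is how an auditor would confirm the logs have not changed since signing.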

 

© Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.