Understanding the Logs

You can view various types of information from the Status tab of the Identity Synchronization for Windows Console.

If you select one of the following nodes in the navigation tree pane (on the left), the content presented on the Status tab changes to provide specific information about that item.

• Directory Source: Select a directory source node (such as dc=example,dc=com) to view status information about that directory source.

• To Do: Select this node for a list of the steps you must complete to successfully install and configure Identity Synchronization for Windows (the program greys-out all completed steps).

• Audit File: Select this node for information about day-to-day system operations (including error conditions).

• Error File: Select this node for information about error conditions on your system. (The Error log essentially acts as a filter in which only the error entries are displayed.)

  

Log Types

This section describes the different kinds of logs that are available for Identity Synchronization for Windows:

• Central Logs

• Local Component Logs

• Local Windows NT Subcomponent Logs

• Directory Server Plug-in Logs

Central Logs

As long as Identity Synchronization for Windows components can access Message Queue, all audit and error messages will be logged in the Identity Synchronization for Windows central logger. Consequently, these central logs (which include messages from all components) are the primary logs to monitor.

The centralized logs are located on the machine where Core is installed, in the following directories:

• On Solaris: /var/opt/SUNWisw/logs

• On Linux: /var/opt/sun/isw/logs

• On Windows: installation_root/isw-machine_name /logs/central/

Table 9-1 Log Types for Identity Synchronization for Windows

Each central log also includes information about each component ID. For example,

[2003/03/14 14:48:23.296 -0600] INFO 13 
"System Component Information:
SysMgr_100 is the system manager (CORE);
console is the Product Console User Interface;
CNN100 is the connector that manages 
[example.com (ldaps:// server1.example.com:636)];
CNN101 is the connector that manages
[dc=example,dc=com (ldap:// server2.example.com:389)];"

In addition to the central logger, each component has it’s own local logs. You can use these local logs to diagnose problems with the connector if it cannot log to the central logger.

Local Component Logs

Each connector, the system manager, and the central logger have the following local logs:

Table 9-2 Local Logs

These local logs are located in the following subdirectories:

• On Solaris: /var/opt/SUNWisw/logs

• On Linux: /var/opt/sun/isw/logs

• On Windows: installation_root/isw-machine_name /logs/central/

  The sysmgr and clogger100 (central logger) directories are on the machine where Core is installed.

  Identity Synchronization for Windows rotates these local component logs daily by moving the current log to a log file that includes the date, as follows:

  audit_2004_08_06.log

Local Windows NT Subcomponent Logs

The following Windows NT subcomponents also have local logs:

• Windows NT Change Detector DLL

• Password Filter DLL

  These subcomponent logs are located in the SUBC1XX (for example, SUBC100) subdirectories of the following directory:

  installation_root/isw-machine_name/logs/

  Identity Synchronization for Windows limits these files to 1 MB in size, and keeps only the last 10 logs.

Directory Server Plug-in Logs

The Directory Server Plug-in logs information through the Directory Server connector to the central log and through the Directory Server logging facility. Consequently, local Directory Server Plug-in log messages will also be saved in the Directory Server error log.

Directory Server saves information into the error log from other Directory Server Plug-ins and components. To identify messages from the Identity Synchronization for Windows Directory Server Plug-in, you can filter out lines containing the isw string.

By default, only minimal Plug-in log messages are displayed in the error log. For example:

[14/Jun/2004:17:08:36 -0500] - ERROR<38747> - isw - conn=-1 
op=-1 msgId=-1 - Plug-ins unable to establish connection to DS Connector 
at attila:1388, will retry later

To Change the Verbosity Level of the Error Logs

You can change the default verbosity level of the Directory Server error log through DSCC as follows:

1. Log in to Directory Service Control Center.
2. On the Directory Servers tab page, click the server whose log level you want to configure.
3. Select the Server Configuration tab, then the Error Logging tab.
4. In the General -> Additional Items to Log section, select Plug-Ins.
5. Click Save.

   You can enable plug-in logging using the command line.

   $ dsconf set-log-prop errors level:err-plugins

   For more information about Directory Server logging, refer to Chapter 14, Directory Server Logging, in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

Reading the Logs

Every log message includes the following information:

• Time: Indicates when (time and date) the log entry was generated. For example:

  [13/Aug/2004:06:14:36:753 -0500]

• Level: Indicates the severity and verbosity of the log message. Identity Synchronization for Windows uses the following log levels:

Table 9-3 Log Levels

• Thread ID: Displays the Java thread ID of the function causing the event.

• ID: Identifies the component (console, system manager, and so forth.) causing the event.

• Host: Displays the name of the host causing the event.

• Message: Displays audit or error information associated with the event. Some examples include:

  “Resetting Central Logger configuration ...”
  “System manager is shutting down.”
  “Processing request (ID=ID_number
   from the console to stop synchronization.”