Access Logs for Directory Proxy Server

Access logs contain information about the requests being processed by Directory Proxy Server. Access logs contain information about two types of connections:

Connections between clients and Directory Proxy Server
Connections between Directory Proxy Server and data sources

Access log messages are categorized according to the cause of the message. The following table lists the categories of messages that can be included in the access log.

Table 23-2 Message Categories for Access Logs

Category Name	Category Description
`CONNECT`	Information about a client connection
`DISCONNECT`	Information about a client disconnection
`OPERATION`	Information about an operation requested by a client
`PROFILE`	Information about the profiles of a connection handler
`SERVER_OP`	Information about operations that are forwarded to data sources
`SERVER_OP_DETAIL`	Detailed information about operations that are forwarded to data sources

Access Log Levels

Each message category can be configured with one of the following log-levels:

none No access messages are included in the log file.
info Informational messages are included in the log file.
all All messages are included in the log file. In most cases, this setting produces the same results as the info setting. In certain situations, this setting enables additional debugging messages to be logged.
inherited The log level is inherited from the value of the default-log-level property.

By default, the log level for each message category is inherited but for SERVER_OP_DETAIL, the log level is none. As the default-log-level property is info, all the message categories except SERVER_OP_DETAIL inherits the log level info.

The log-level of a message category works in conjunction with the severity level of a message to determine which messages are included in the log file. For more information, see Message Severity.

Format of an Access Log Message

An access log message has this format:

timestamp - category - severity - connectionNumber operationNumber
  messageID operationType messageText

Example 23-2 shows an extract of an access log. The log shows a client request that starts with a message in the CONNECT category and ends with a message in the DISCONNECT category. The operation requested by the client is shown by the message in the OPERATION category, and results in several messages in the SERVER_OP category. The logged messages have the INFO and DEBUG severity.

Example 23-2 Extract of an Access Log

[07/Sep/2010:14:32:43 +0200] - PROFILE        - INFO - 
    conn=12 assigned to connection handler cn=default connection handler, 
    cn=connection handlers, cn=config
[07/Sep/2010:14:32:43 +0200] - CONNECT      - INFO - 
    conn=12 client=127.0.0.1:59723 server=localhost:14600 protocol=LDAP
[07/Sep/2010:14:32:43 +0200] - OPERATION   - INFO - 
    conn=12 op=0 msgid=1 BIND dn="uid=jvedder,ou=people,dc=example,dc=com" 
    method="SIMPLE" version=3 controls=""
[07/Sep/2010:14:32:43 +0200] - SERVER_OP   - INFO - 
    conn=12 op=0 BIND dn="uid=jvedder,ou=people,dc=example,dc=com" 
    method="SIMPLE" version=3 s_msgid=396 s_conn=dsource-1:2
[07/Sep/2010:14:32:43 +0200] - SERVER_OP   - INFO - 
    conn=12 op=0 BIND RESPONSE err=0 msg="" s_msgid=396 s_conn=dsource-1:2 etime=0
[07/Sep/2010:14:32:43 +0200] - OPERATION   - INFO - 
    conn=12 op=0 BIND RESPONSE err=0 msg="" etime=1
[07/Sep/2010:14:32:43 +0200] - OPERATION   - INFO - 
    conn=12 op=1 msgid=2 SEARCH base="uid=jvedder,ou=people,dc=example,dc=com" 
    scope=2 controls="" filter="(objectclass=*)" attrs="*"
[07/Sep/2010:14:32:43 +0200] - SERVER_OP   - INFO - 
    conn=12 op=1 SEARCH base="uid=jvedder,ou=people,dc=example,dc=com" 
    scope=2 filter="(objectclass=*)" attrs="*" s_msgid=397 s_conn=dsource-1:2
[07/Sep/2010:14:32:43 +0200] - SERVER_OP   - INFO - 
    conn=12 op=1 SEARCH RESPONSE err=0 msg="" nentries=1 
    s_msgid=397 s_conn=dsource-1:2 etime=1
[07/Sep/2010:14:32:43 +0200] - OPERATION   - INFO - conn=12 op=1 SEARCH RESPONSE 
    err=0 msg="" nentries=1 etime=1
[07/Sep/2010:14:32:43 +0200] - OPERATION   - INFO - conn=12 op=2 UNBIND
[07/Sep/2010:14:32:43 +0200] - DISCONNECT - INFO - conn=12 reason="unbind"

Message Parts in an Access Log

Messages for the connections between a client and the Directory Proxy Server are labeled in the same way as in Directory Server. Table 23-4 describes parts of the messages between the client and the Directory Proxy Server in Example 23-2. For an explanation of all of the possible message parts, see Content of Access, Error, and Audit Logs.

Table 23-3 Message Parts for Connections Between a Client and a Directory Proxy Server

Log Message Part	Description
`conn`	Identifier for the connection between the client and the Directory Proxy Server.
`op`	The number of an operation on a given connection. The first operation on a connection has the value `op=0`. Subsequent requests on the connection have increasing numbers, `op=1`, `op=2`, etc.
`msgid`	The number of a message to be sent to a client application. The LDAP protocol is mainly asynchronous. If a client request requires a response from a server, the response is given in the following steps: The directory server acknowledges the request and assigns a `msgid` The directory server responds to the request by using the `msgid` identifier A response can be sent in multiple packets, where each packet is identified by the same `msgid`.
`nentries`	The number of entries returned by a search request.
`err`	The result code returned from the LDAP operation. The error number `0` means that the operation was successful. For a list of LDAP result codes, see Result Codes in Log Files.
`msg`	A human readable error diagnostic.
`etime`	In SERVER_OP messages, it is the time it took for the corresponding operation to be completed by the Data Source as seen by the Directory Proxy Server. In OPERATION messages, it is the time it took for the corresponding operation to be completed by the Directory Proxy Server. In both cases, the time is expressed in seconds if the server `log-etimes-in-seconds` property is set to true, or in the units corresponding to the value of the server `time-resolution` property if `log-etimes-in-seconds` is set to `false`.

Messages for the connections between Directory Proxy Server and a data source are prefixed with s_. Table 23-4 describes parts of the messages between the Directory Proxy Server and the data source in Example 23-2.

Table 23-4 Message Parts for Connections Between a Directory Proxy Server and a Data Source

Log Message Part	Description
`s_msgid`	Identifier for the message between the Directory Proxy Server and a data source.
`s_authzid`	Authorization identity for an operation to be processed under when the Directory Proxy Server forwards the request to a data source by using proxy authorization.
`s_conn`	Identifier for the connection between the Directory Proxy Server and the data source.

Access Log Buffer

Access log messages are stored in a buffer. The buffer is flushed to the access log at the following times:

When the buffer is full
When the access log is rotated
When Directory Proxy Server is stopped
Every 2.5 seconds

By default, the size of the access log buffer is 1M. However, the size of the buffer can be configured to control the frequency with which it is flushed. Setting the buffer size to 0 will disable buffering (and make Directory Proxy Server slower).

The buffer is also flushed periodically, that is, every 2.5 seconds, if none of the other conditions is met.

You can configure the size of the access log buffer by setting the log-buffer-size property. For information about how to configure access log properties, see Configuring Directory Proxy Server Logs in Oracle Directory Server Enterprise Edition Administration Guide.

Skip Navigation Links
Exit Print View
	Oracle Directory Server Enterprise Edition Reference 11 g Release 1 (11.1.1.5.0)