14.4. Configuring RA Logging
RA logs are configured differently than other subsystem logs. All of the RA logs are viewed and configured manually in the CS.cfg file. This is because logging is configured through the administrative console for the other subsystems (CA, OCSP, DRM, and TKS), but the RA does not use a Java console.
The RA maintains three subsystem logs:
- A debug log (ra-debug.log)
- An error log (ra-error.log)
- An audit log (ra-audit.log)
These logs are stored in the /var/lib/instance_name/logs directory by default. Other types of logs, such as transaction logs and system logs, are not generated by the RA instance.
14.4.1. About RA Log Settings
For each log generated by an RA instance, there are three parameters which must be configured in the CS.cfg file:
- enable, which sets whether the log is generated.
- filename, which sets the name and location of the log.
- level, which sets the log level, the amount of information, and types of events logged. The log level is a number between 0 and 10. The log levels are described in Section 14.2.1.2, “Log Levels (Message Categories)”.
logging.[audit|error|debug].enable=[true|false]
logging.[audit|error|debug].filename=/var/logs/[filename]
logging.[audit|error|debug].level=[level number]
Example 14.9, “RA Log Configuration” shows the basic log configuration for RA logs.
Example 14.9. RA Log Configuration
logging.audit.enable=true
logging.audit.filename=/var/lib/pki-ra/logs/ra-audit.log
logging.audit.level=10
logging.debug.enable=true
logging.debug.filename=/var/lib/pki-ra/logs/ra-debug.log
logging.debug.level=7
logging.error.enable=true
logging.error.filename=/var/lib/pki-ra/logs/ra-error.log
logging.error.level=10
The different logging parameters for RA logs are listed in Table 14.12, “RA Logging Parameters”.
NOTE
Certain log features that are available to the other subsystems' logs do not apply to RA logging:
- Log rotation
- Registering and deleting log modules
- Buffered logging
- Signed audit logs
Log level 0 is the least verbose log level; 10 is the most verbose.
Table 14.12. RA Logging Parameters
| Parameter | Description |
|---|---|
| logging.log_type.enable | Enables logging for that specific log type. The valid values are true\|false. |
| logging.log_type.filename | The full path to the log file, including its name. For example, /tmp/tps-debug.log. |
| logging.log_type.level | The log levels. The levels range from 0 to 10. |
| failover.pod.enable | Specifies whether to use a pod-type failover mechanism. The valid values are true\|false. If two CA connections, two TKS connections, and two DRM connections are configured from the TPS and pod-type failover is enabled, then when the TPS fails to connect to the first CA, it uses the second pod for the next enrollment, meaning it connects to the second CA, DRM, and TKS host and port. |
14.4.2. Configuring RA Logs
- Stop the RA instance.
service pki-ra stop
- Edit the logging configuration. The log file parameters are listed in Table 14.12, “RA Logging Parameters”.
logging.audit.enable=true
logging.audit.filename=/var/lib/pki-ra/logs/ra-audit.log
logging.audit.level=10
logging.debug.enable=true
logging.debug.filename=/var/lib/pki-ra/logs/ra-debug.log
logging.debug.level=7
logging.error.enable=true
logging.error.filename=/var/lib/pki-ra/logs/ra-error.log
logging.error.level=10
- Start the RA instance.
service pki-ra start
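Because the RA logging settings are edited by hand, a typo can leave a log unconfigured without any console to report it. The following Python check is an added example, not part of the original guide or of Certificate System: it validates the logging.* lines of a CS.cfg against the rules in Table 14.12 before the instance is started again. The function name check_ra_logging and the faulty BAD_CFG sample are constructed for illustration; GOOD_CFG is Example 14.9.

```python
import re

# Example 14.9 from this page, used as sample input.
GOOD_CFG = """\
logging.audit.enable=true
logging.audit.filename=/var/lib/pki-ra/logs/ra-audit.log
logging.audit.level=10
logging.debug.enable=true
logging.debug.filename=/var/lib/pki-ra/logs/ra-debug.log
logging.debug.level=7
logging.error.enable=true
logging.error.filename=/var/lib/pki-ra/logs/ra-error.log
logging.error.level=10
"""
# Constructed faulty variant: ".filename" dropped, level out of range, bad boolean.
BAD_CFG = (GOOD_CFG.replace("logging.audit.filename=", "logging.audit=")
           .replace("debug.level=7", "debug.level=11")
           .replace("debug.enable=true", "debug.enable=yes"))


def check_ra_logging(cfg_text):
    """Return a list of problems found in the logging.* lines of a CS.cfg."""
    settings, problems = {}, []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line.startswith("logging.") or "=" not in line:
            continue  # comments and non-logging parameters are ignored
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    for log_type in ("audit", "error", "debug"):
        for param in ("enable", "filename", "level"):
            key = f"logging.{log_type}.{param}"
            value = settings.pop(key, None)
            if value is None:
                problems.append(f"{key}: missing")
            elif param == "enable" and value not in ("true", "false"):
                problems.append(f"{key}: must be true or false")
            elif param == "filename" and not value.startswith("/"):
                problems.append(f"{key}: must be a full path")
            elif param == "level" and not (re.fullmatch(r"[0-9]{1,2}", value) and int(value) <= 10):
                problems.append(f"{key}: must be a number from 0 to 10")
    for key in sorted(settings):  # leftover logging.* keys, assumed to be typos
        problems.append(f"{key}: not a parameter listed in Table 14.12")
    return problems

if __name__ == "__main__":
    for problem in check_ra_logging(BAD_CFG):
        print(problem)
```

To check a real instance, pass the contents of its CS.cfg file to check_ra_logging after editing and before starting the RA.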