Chapter 17. Configuring Logs
17.1. Certificate System Log Settings
17.1.1. Services That Are Logged
Table 17.1. Services Logged
|ACLs||Logs events related to access control lists.|
|Administration||Logs events related to administration activities, such as HTTPS communication between the Console and the instance.|
|All||Logs events related to all the services.|
|Authentication||Logs events related to activity with the authentication module.|
|Certificate Authority||Logs events related to the Certificate Manager.|
|Database||Logs events related to activity with the internal database.|
|HTTP||Logs events related to the HTTP activity of the server. Note that HTTP events are actually logged to the errors log belonging to the Apache server incorporated with the Certificate System to provide HTTP services.|
|Key Recovery Authority||Logs events related to the KRA.|
|LDAP||Logs events related to activity with the LDAP directory, which is used for publishing certificates and CRLs.|
|OCSP||Logs events related to OCSP, such as OCSP status GET requests.|
|Others||Logs events related to other activities, such as command-line utilities and other processes.|
|Request Queue||Logs events related to the request queue activity.|
|User and Group||Logs events related to users and groups of the instance.|
17.1.2. Log Levels (Message Categories)
10, each number indicating the level of logging to be performed by the server. The level sets how detailed the logging should be.
1 and this value should not be changed. To enable debug logging, see Section 17.3.3, “Additional Configuration for Debug Log”.
Table 17.2. Log Levels and Corresponding Log Messages
|Log level||Message category||Description|
|0||Debugging||These messages contain debugging information. This level is not recommended for regular use because it generates too much information.|
|1||Informational (default selection for audit log)||These messages provide general information about the state of the Certificate System, including status messages such as Certificate System initialization complete and Request for operation succeeded.|
|2||Warning||These messages are warnings only and do not indicate any failure in the normal operation of the server.|
|3||Failure; the default selection for system and error logs||These messages indicate errors and failures that prevent the server from operating normally, including failures to perform a certificate service operation (User authentication failed or Certificate revoked) and unexpected situations that can cause irrevocable errors (The server cannot send back the request it processed for a client through the same channel the request came from the client).|
|4||Misconfiguration||These messages indicate that a misconfiguration in the server is causing an error.|
|5||Catastrophic failure||These messages indicate that, because of an error, the service cannot continue running.|
|6||Security-related events||These messages identify occurrences that affect the security of the server. For example, |
|7||PDU-related events (debugging)||These messages contain debugging information for PDU events. This level is not recommended for regular use because it generates more information than is normally useful.|
|8||PDU-related events||These messages relate transactions and rules processed on a PDU, such as creating MAC tokens.|
|9||PDU-related events||This log level provides verbose log messages for events processed on a PDU, such as creating MAC tokens.|
|10||All logging levels||This log level enables all logging levels.|
17.1.3. Buffered and Unbuffered Logging
- The buffer gets full. The buffer is full when the buffer size is equal to or greater than the value specified by the bufferSize configuration parameter. The default value for this parameter is 512 KB.
- The flush interval for the buffer is reached. The flush interval is reached when the time interval since the last buffer flush is equal to or greater than the value specified by the flushInterval configuration parameter. The default value for this parameter is 5 seconds.
- When current logs are read from Console. The server retrieves the latest log when it is queried for current logs.
17.1.4. Log File Rotation
- The size limit for the corresponding file is reached. The size of the corresponding log file is equal to or greater than the value specified by the maxFileSize configuration parameter. The default value for this parameter is 100 KB.
- The age limit for the corresponding file is reached. The corresponding log file is equal to or older than the interval specified by the rolloverInterval configuration parameter. The default value for this parameter is 2592000 seconds (every thirty days).
log directory to an archive medium.
signtool, that signs log files before archiving them as a means of tamper detection.
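
The flush conditions in Section 17.1.3 and the rotation conditions in Section 17.1.4, as an added example that is not Certificate System code: a simplified Python model that replays constructed log writes using the defaults stated above and reports how many bytes were held only in the memory buffer. The name `simulate`, the event format, and evaluating the conditions only when a write arrives are assumptions of this model; the flush triggered by reading current logs from the Console is not modelled.

```python
KB = 1024

def simulate(events, buffer_size=512 * KB, flush_interval=5,
             max_file_size=100 * KB, rollover_interval=2592000):
    """Replay (time_seconds, nbytes) log writes through a simplified model of
    the flush and rotation conditions. Defaults are the ones the page states.
    Conditions are only evaluated when a write arrives (an assumption of this
    model; a real server may also act on a timer)."""
    buffered = file_bytes = max_at_risk = 0
    last_flush = file_opened = events[0][0] if events else 0
    flushes, rotations = [], []

    def rotate(now, reason):
        nonlocal file_bytes, file_opened
        rotations.append((now, reason))
        file_bytes, file_opened = 0, now

    def flush(now, reason):
        nonlocal buffered, file_bytes, last_flush
        file_bytes += buffered
        buffered, last_flush = 0, now
        flushes.append((now, reason))
        if file_bytes >= max_file_size:        # size limit reached
            rotate(now, "size")

    for now, nbytes in sorted(events):
        if buffered and now - last_flush >= flush_interval:
            flush(now, "interval")             # flush interval reached
        if now - file_opened >= rollover_interval:
            rotate(now, "age")                 # age limit reached
        buffered += nbytes
        max_at_risk = max(max_at_risk, buffered)
        if buffered >= buffer_size:
            flush(now, "full")                 # buffer is full
    return {"flushes": flushes, "rotations": rotations,
            "unflushed": buffered, "max_at_risk": max_at_risk}

# Constructed input: one 30 KB write per second for 12 seconds.
SAMPLE = [(t, 30 * KB) for t in range(12)]

if __name__ == "__main__":
    result = simulate(SAMPLE)
    print("flushes:     ", result["flushes"])
    print("rotations:   ", result["rotations"])
    print("max bytes held only in memory:", result["max_at_risk"])
    print("bytes still unflushed at end: ", result["unflushed"])
```

With the stated defaults, each interval flush in this constructed run writes 150 KB at once, which already exceeds the 100 KB size limit, so every flush is followed by a rotation; the `unflushed` figure is what a crash at that moment would leave out of the log file.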