20.3. Configuring Log Files

For all types of log files, the log creation and log deletion policies have to be configured. The log creation policy sets when a new log file is started, and the log deletion policy sets when an old log file is deleted.

20.3.1. Enabling or Disabling Logs

Access and error logging are enabled by default. However, audit and audit fail logging are disabled by default.

Note

Disabling access logging can be useful in some scenarios, because every 2000 accesses to the directory increase the log file by approximately 1 megabyte. However, before turning off access logging, consider that this information can help with troubleshooting problems.

Enabling or Disabling Logging in the Directory Server Console

  1. Log in to the Directory Server Console.
  2. Select the Configuration tab.
  3. In the navigation tree, expand the Logs folder, and select the folder for the log to enable or disable.
  4. To enable or disable logging, select the Enable Logging check box.
  5. If the log is being enabled, enter the full path and file name for the Directory Server to use for logging in the field provided. The default path is /var/log/dirsrv/slapd-instance/log_type, such as /var/log/dirsrv/slapd-instance/access.
  6. Click Save.

Enabling or Disabling Logging Using the Command Line

You can use the ldapmodify utility to modify the parameters in the cn=config subtree that control the Directory Server logging feature:
  • Access log: nsslapd-accesslog-logging-enabled
  • Error log: nsslapd-errorlog-logging-enabled
  • Audit log: nsslapd-auditlog-logging-enabled
  • Audit fail log: nsslapd-auditfaillog-logging-enabled
For further details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to enable audit logging, enter:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on

20.3.2. Configuring Plug-in-specific Logging

For debugging, you can enable access and audit logging for the operations a plug-in executes. For details, see the nsslapd-logAccess and nsslapd-logAudit parameters in the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

20.3.3. Disabling High-resolution Log Time Stamps

Using the default settings, Directory Server logs entries with nanosecond precision:
[27/May/2016:17:52:04.754335904 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04.894255328 -0500] schemareload - Schema reload task finished.
To disable high-resolution log time stamps:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: off

Note

The option to disable high-resolution log time stamps is deprecated and will be removed in a future release.
After disabling high-resolution log time stamps, Directory Server logs with second precision only:
[27/May/2016:17:52:04 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04 -0500] schemareload - Schema reload task finished.
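
When logs written before and after this change are merged into one timeline, both time stamp forms have to be parsed. The following is an added example, not part of the Red Hat documentation: a hypothetical shell function, ds_log_to_iso, that rewrites either form to an ISO 8601 time stamp and skips lines without a time stamp, such as the log file title.

```bash
#!/bin/bash
# Added example: normalize Directory Server log time stamps to ISO 8601.
# Handles nanosecond and second precision; other lines are dropped.
ds_log_to_iso() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) mon[names[i]] = sprintf("%02d", i)
    }
    # Expected prefix: [DD/Mon/YYYY:HH:MM:SS[.fraction] +-ZZZZ] message
    match($0, /^\[[0-9][0-9]\/[A-Za-z][A-Za-z][A-Za-z]\/[0-9][0-9][0-9][0-9]:[0-9:]+(\.[0-9]+)? [+-][0-9][0-9][0-9][0-9]\] /) {
        stamp = substr($0, 2, RLENGTH - 3)    # text between "[" and "]"
        msg = substr($0, RLENGTH + 1)         # everything after "] "
        split(stamp, part, " ")               # part[1] date:time, part[2] zone
        split(part[1], dt, "[/:]")            # dd, Mon, yyyy, hh, mm, ss[.frac]
        if (!(dt[2] in mon)) next             # unknown month name: skip line
        zone = substr(part[2], 1, 3) ":" substr(part[2], 4, 2)
        printf "%s-%s-%sT%s:%s:%s%s %s\n", dt[3], mon[dt[2]], dt[1], dt[4], dt[5], dt[6], zone, msg
    }'
}

# Sample input: log lines and title line quoted from this page.
SAMPLE_LOG='389-Directory/1.3.5.10 B2016.257.1817
[27/May/2016:17:52:04.754335904 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04 -0500] schemareload - Schema reload task finished.'

printf '%s\n' "$SAMPLE_LOG" | ds_log_to_iso
```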

20.3.4. Defining a Log File Rotation Policy

To periodically archive the current log file and create a new one, set a log file rotation policy. You can update the settings in the cn=config subtree using the Directory Server Console or command line.
You can set the following configuration parameters to control the log file rotation policy:
Access mode
The access mode sets the file permissions on newly created log files.
  • Access log: nsslapd-accesslog-mode
  • Error log: nsslapd-errorlog-mode
  • Audit log: nsslapd-auditlog-mode
  • Audit fail log: nsslapd-auditfaillog-mode
Maximum number of logs
Sets the maximum number of log files to keep. When the number of files is reached, Directory Server deletes the oldest log file before creating the new one.
  • Access log: nsslapd-accesslog-maxlogsperdir
  • Error log: nsslapd-errorlog-maxlogsperdir
  • Audit log: nsslapd-auditlog-maxlogsperdir
  • Audit fail log: nsslapd-auditfaillog-maxlogsperdir
File size for each log
Sets the maximum size of a log file in megabytes before it is rotated.
  • Access log: nsslapd-accesslog-maxlogsize
  • Error log: nsslapd-errorlog-maxlogsize
  • Audit log: nsslapd-auditlog-maxlogsize
  • Audit fail log: nsslapd-auditfaillog-maxlogsize
Create a log every
Sets the maximum age of a log file.
  • nsslapd-accesslog-logrotationtime and nsslapd-accesslog-logrotationtimeunit
  • nsslapd-errorlog-logrotationtime and nsslapd-errorlog-logrotationtimeunit
  • nsslapd-auditlog-logrotationtime and nsslapd-auditlog-logrotationtimeunit
  • nsslapd-auditfaillog-logrotationtime and nsslapd-auditfaillog-logrotationtimeunit
Additionally, you can set the time when the log file is rotated using the following parameters:
  • nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin
  • nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin
  • nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin
  • nsslapd-auditfaillog-logrotationsynchour and nsslapd-auditfaillog-logrotationsyncmin
For details, see the parameter descriptions in the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Each log file starts with a title, which identifies the server version, host name, and port, for ease of archiving or exchanging log files. For example:
389-Directory/1.3.5.10 B2016.257.1817
server.example.com:389 (/etc/dirsrv/slapd-instance)

Configuring Log File Rotation in the Directory Server Console

  1. Log in to the Directory Server Console.
  2. Select the Configuration tab.
  3. In the navigation tree, expand the Logs folder, and select the folder for the log whose settings you want to update.
  4. Set the logging settings in the Creation policy area.
  5. Click Save.

Configuring Log File Rotation Using the Command Line

You can use the ldapmodify utility to modify the parameters controlling the Directory Server logging features. For example, for the error log, to set the access mode to 600, keep a maximum of 2 log files, and rotate log files at a size of 100 MB or every 5 days, run:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-mode
nsslapd-errorlog-mode: 600
-
replace: nsslapd-errorlog-maxlogsperdir
nsslapd-errorlog-maxlogsperdir: 2
-
replace: nsslapd-errorlog-maxlogsize
nsslapd-errorlog-maxlogsize: 100
-
replace: nsslapd-errorlog-logrotationtime
nsslapd-errorlog-logrotationtime: 5
-
replace: nsslapd-errorlog-logrotationtimeunit
nsslapd-errorlog-logrotationtimeunit: day

20.3.5. Defining a Log File Deletion Policy

Directory Server automatically deletes old archived log files if you set a deletion policy.

Note

You can only set a log file deletion policy if you have a log file rotation policy set. Directory Server applies the deletion policy at the time of log rotation.
You can set the following configuration parameters to control the log file deletion policy:
Total log size
If the total size of all access, error, audit, or audit fail log files exceeds the configured value, the oldest log file is automatically deleted.
  • Access log: nsslapd-accesslog-logmaxdiskspace
  • Error log: nsslapd-errorlog-logmaxdiskspace
  • Audit log: nsslapd-auditlog-logmaxdiskspace
  • Audit fail log: nsslapd-auditfaillog-logmaxdiskspace
Free disk space is less than
When the free disk space reaches this value, the oldest archived log file is automatically deleted.
  • Access log: nsslapd-accesslog-logminfreediskspace
  • Error log: nsslapd-errorlog-logminfreediskspace
  • Audit log: nsslapd-auditlog-logminfreediskspace
  • Audit fail log: nsslapd-auditfaillog-logminfreediskspace
When a file is older than a specified time
When a log file is older than the configured time, it is automatically deleted.
  • Access log: nsslapd-accesslog-logexpirationtime and nsslapd-accesslog-logexpirationtimeunit
  • Error log: nsslapd-errorlog-logexpirationtime and nsslapd-errorlog-logexpirationtimeunit
  • Audit log: nsslapd-auditlog-logexpirationtime and nsslapd-auditlog-logexpirationtimeunit
  • Audit fail log: nsslapd-auditfaillog-logexpirationtime and nsslapd-auditfaillog-logexpirationtimeunit
For further details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

Configuring a Log Deletion Policy in the Directory Server Console

  1. Log in to the Directory Server Console.
  2. Select the Configuration tab.
  3. In the navigation tree, expand the Logs folder, and select the folder for the log whose settings you want to update.
  4. Set the logging settings in the Deletion Policy area.
  5. Click Save.

Configuring Log Deletion Policy Using the Command Line

You can use the ldapmodify utility to modify the parameters controlling the Directory Server logging features. For example, to auto-delete the oldest access log file if the total size of all access log files exceeds 500 MB, run:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logmaxdiskspace
nsslapd-accesslog-logmaxdiskspace: 500
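
The settings from sections 20.3.1, 20.3.4, and 20.3.5 can be reviewed together once they are exported from cn=config. The following is an added example, not part of the Red Hat documentation: a hypothetical shell function, check_log_policy, that reads "attribute: value" lines and reports disabled logs, log file modes that grant group or other access (an assumed baseline, matching the 600 used above), and deletion policies that have no rotation policy to trigger them.

```bash
#!/bin/bash
# Added example: audit logging attributes given as "attribute: value" lines
# on stdin (the form ldapsearch prints for cn=config).
check_log_policy() {
    awk -F': *' '
    { v[tolower($1)] = $2 }          # LDAP attribute names are case-insensitive
    END {
        n = split("access error audit auditfail", logs, " ")
        for (i = 1; i <= n; i++) {
            p = "nsslapd-" logs[i] "log-"
            # An absent or "off" switch is reported; audit logs default to off.
            if (tolower(v[p "logging-enabled"]) != "on")
                print "WARN " logs[i] ": logging is not enabled"
            # Assumed baseline: no permission bits for group or other (e.g. 600).
            m = v[p "mode"]
            if (m != "" && m !~ /^0*[0-7]00$/)
                print "WARN " logs[i] ": mode " m " grants group/other access"
            # The deletion policy is applied only when a log is rotated.
            del = (v[p "logmaxdiskspace"] + 0 > 0 ||
                   v[p "logminfreediskspace"] + 0 > 0 ||
                   v[p "logexpirationtime"] + 0 > 0)
            rot = (v[p "maxlogsize"] + 0 > 0 || v[p "logrotationtime"] + 0 > 0)
            if (del && !rot)
                print "WARN " logs[i] ": deletion policy set without rotation policy"
        }
    }'
}

# Constructed sample input, not taken from a real server.
SAMPLE_CONFIG='nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-mode: 600
nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-logmaxdiskspace: 500
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-mode: 644
nsslapd-errorlog-logmaxdiskspace: 100
nsslapd-auditlog-logging-enabled: off
nsslapd-auditfaillog-logging-enabled: off'

printf '%s\n' "$SAMPLE_CONFIG" | check_log_policy
```

On a live instance the input would come from an ldapsearch of the cn=config entry; values of 0 or -1 are treated here as "not set".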

20.3.6. Manual Log File Rotation

The Directory Server supports automatic log file rotation for all three logs. However, it is possible to rotate log files manually if there are no automatic log file creation or deletion policies configured. By default, access, error, audit and audit fail log files can be found in the following location:
/var/log/dirsrv/slapd-instance
To rotate log files manually:
  1. Shut down the server.
    # systemctl stop dirsrv@instance
  2. Move or rename the log file being rotated so that the old log file is available for future reference.
  3. Restart the server.
    # systemctl restart dirsrv@instance

20.3.7. Configuring Log Levels

Both the access and the error log can record different amounts of information, depending on the log level that is set.
You can set the following configuration parameters to control the log levels for the:
  • Access log: nsslapd-accesslog-level
  • Error log: nsslapd-errorlog-level
For further details and a list of the supported log levels, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

Note

Changing the log level from the default can cause the log file to grow very rapidly. Red Hat recommends not changing the default values unless asked to do so by Red Hat technical support.

Configuring the Log Level in the Directory Server Console

  1. Log in to the Directory Server Console.
  2. Select the Configuration tab.
  3. In the navigation tree, expand the Logs folder, and select the folder for the log whose settings you want to update.
  4. Set the log level in the Log Level area.
  5. Click Save.

Configuring the Log Level Using the Command Line

You can use the ldapmodify utility to set the log level. For example, to enable search filter logging (32) and config file processing (64), set the nsslapd-errorlog-level parameter to 96 (32 + 64):
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 96