20.3. Configuring Log Files
For all types of log files, the log creation and log deletion policies have to be configured. The log creation policy sets when a new log file is started, and the log deletion policy sets when an old log file is deleted.
20.3.1. Enabling or Disabling Logs
The access and error logging is enabled by default. However, audit and audit fail logging is disabled by default.
Note
Enabling or Disabling Logging in the Directory Server Console
- Log in to the Directory Server Console.
- Select the Configuration tab.
- In the navigation tree, expand the Logs folder, and select the folder for the log to enable or disable.
- To enable or disable logging, select the Enable Logging check box.
- If the log is being enabled, enter the full path and file name for the Directory Server to use for logging in the field provided. The default path is /var/log/dirsrv/slapd-instance/log_type, such as /var/log/dirsrv/slapd-instance/access.
- Click.
Enabling or Disabling Logging Using the Command Line
You can use the ldapmodify utility to modify the parameters in the cn=config subtree that control the Directory Server logging feature:
- Access log: nsslapd-accesslog-logging-enabled
- Error log: nsslapd-errorlog-logging-enabled
- Audit log: nsslapd-auditlog-logging-enabled
- Audit fail log: nsslapd-auditfaillog-logging-enabled
For further details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to enable audit logging, enter:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
20.3.2. Configuring Plug-in-specific Logging
For debugging, you can enable access and audit logging for operations a plug-in executes. For details, see the nsslapd-logAccess and nsslapd-logAudit parameters in the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
20.3.3. Disabling High-resolution Log Time Stamps
Using the default settings, Directory Server logs entries with nanosecond precision:
[27/May/2016:17:52:04.754335904 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04.894255328 -0500] schemareload - Schema reload task finished.
To disable high-resolution log time stamps:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: off
Note
The option to disable high-resolution log time stamps is deprecated and will be removed in a future release.
After disabling high-resolution log time stamps, Directory Server logs with second precision only:
[27/May/2016:17:52:04 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04 -0500] schemareload - Schema reload task finished.
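Log collectors and forensic tooling have to accept both timestamp forms, and second precision costs event ordering. The following Python parser is an added example, not part of the Directory Server documentation or tooling; the function names are chosen for this example, and the sample lines are the ones printed in this section.

```python
import re
from datetime import datetime, timezone

# Both timestamp forms shown above: the fractional part is optional.
ENTRY = re.compile(
    r"^\[(?P<stamp>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))? (?P<tz>[+-]\d{4})\] (?P<msg>.*)$"
)

# The two pairs of log lines printed in this section.
HIRES = [
    "[27/May/2016:17:52:04.754335904 -0500] schemareload - Schema validation passed.",
    "[27/May/2016:17:52:04.894255328 -0500] schemareload - Schema reload task finished.",
]
SECONDS = [
    "[27/May/2016:17:52:04 -0500] schemareload - Schema validation passed.",
    "[27/May/2016:17:52:04 -0500] schemareload - Schema reload task finished.",
]

def parse_line(line):
    """Return (utc_datetime, nanoseconds, message), or None if not a log entry."""
    m = ENTRY.match(line)
    if m is None:
        return None
    # strptime's %f stops at microseconds, so the fraction is parsed separately.
    # %b assumes the English month abbreviations the server writes.
    when = datetime.strptime(f"{m['stamp']} {m['tz']}", "%d/%b/%Y:%H:%M:%S %z")
    nanos = int(m["frac"].ljust(9, "0")) if m["frac"] else 0
    return when.astimezone(timezone.utc), nanos, m["msg"]

def unordered_groups(lines):
    """Messages that share one timestamp, so the timestamp alone cannot order them."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            when, nanos, msg = parsed
            seen.setdefault((when, nanos), []).append(msg)
    return [msgs for msgs in seen.values() if len(msgs) > 1]
```

With the high-resolution lines every entry has a distinct key; with second precision both schemareload entries collapse into one group, which matters when logs from several servers are merged into a single timeline.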
20.3.4. Defining a Log File Rotation Policy
To periodically archive the current log file and create a new one, set a log file rotation policy. You can update the settings in the cn=config subtree using the Directory Server Console or command line.
You can set the following configuration parameters to control the log file rotation policy:
- Access mode
  The access mode sets the file permissions on newly created log files.
  - Access log: nsslapd-accesslog-mode
  - Error log: nsslapd-errorlog-mode
  - Audit log: nsslapd-auditlog-mode
  - Audit fail log: nsslapd-auditfaillog-mode
- Maximum number of logs
  Sets the maximum number of log files to keep. When the number of files is reached, Directory Server deletes the oldest log file before creating the new one.
  - Access log: nsslapd-accesslog-maxlogsperdir
  - Error log: nsslapd-errorlog-maxlogsperdir
  - Audit log: nsslapd-auditlog-maxlogsperdir
  - Audit fail log: nsslapd-auditfaillog-maxlogsperdir
- File size for each log
  Sets the maximum size of a log file in megabytes before it is rotated.
  - Access log: nsslapd-accesslog-maxlogsize
  - Error log: nsslapd-errorlog-maxlogsize
  - Audit log: nsslapd-auditlog-maxlogsize
  - Audit fail log: nsslapd-auditfaillog-maxlogsize
- Create a log every
  Sets the maximum age of a log file.
  - Access log: nsslapd-accesslog-logrotationtime and nsslapd-accesslog-logrotationtimeunit
  - Error log: nsslapd-errorlog-logrotationtime and nsslapd-errorlog-logrotationtimeunit
  - Audit log: nsslapd-auditlog-logrotationtime and nsslapd-auditlog-logrotationtimeunit
  - Audit fail log: nsslapd-auditfaillog-logrotationtime and nsslapd-auditfaillog-logrotationtimeunit
  Additionally, you can set the time when the log file is rotated using the following parameters:
  - Access log: nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin
  - Error log: nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin
  - Audit log: nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin
  - Audit fail log: nsslapd-auditfaillog-logrotationsynchour and nsslapd-auditfaillog-logrotationsyncmin
For details, see the parameter descriptions in the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Each log file starts with a title, which identifies the server version, host name, and port, for ease of archiving or exchanging log files. For example:
389-Directory/1.3.5.10 B2016.257.1817 server.example.com:389 (/etc/dirsrv/slapd-instance)
Configuring Log File Rotation in the Directory Server Console
- Log in to the Directory Server Console.
- Select the Configuration tab.
- In the navigation tree, expand the Logs folder, and select the folder for the log whose settings you want to update.
- Set the logging settings in the Creation policy area. For example:
- Click.
Configuring Log File Rotation Using the Command Line
You can use the ldapmodify utility to modify the parameters controlling the Directory Server logging features. For example, for the error log, to set access mode 600, to keep a maximum of 2 log files, and to rotate log files at a size of 100 MB or every 5 days, run:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-mode
nsslapd-errorlog-mode: 600
-
replace: nsslapd-errorlog-maxlogsperdir
nsslapd-errorlog-maxlogsperdir: 2
-
replace: nsslapd-errorlog-maxlogsize
nsslapd-errorlog-maxlogsize: 100
-
replace: nsslapd-errorlog-logrotationtime
nsslapd-errorlog-logrotationtime: 5
-
replace: nsslapd-errorlog-logrotationtimeunit
nsslapd-errorlog-logrotationtimeunit: day
20.3.5. Defining a Log File Deletion Policy
Directory Server automatically deletes old archived log files if you set a deletion policy.
Note
You can only set a log file deletion policy if you have a log file rotation policy set. Directory Server applies the deletion policy at the time of log rotation.
You can set the following configuration parameters to control the log file deletion policy:
- Total log size
  If the size of all access, error, audit or audit fail log files exceeds the configured value, the oldest log file is automatically deleted.
  - Access log: nsslapd-accesslog-logmaxdiskspace
  - Error log: nsslapd-errorlog-logmaxdiskspace
  - Audit log: nsslapd-auditlog-logmaxdiskspace
  - Audit fail log: nsslapd-auditfaillog-logmaxdiskspace
- Free disk space is less than
  When the free disk space reaches this value, the oldest archived log file is automatically deleted.
  - Access log: nsslapd-accesslog-logminfreediskspace
  - Error log: nsslapd-errorlog-logminfreediskspace
  - Audit log: nsslapd-auditlog-logminfreediskspace
  - Audit fail log: nsslapd-auditfaillog-logminfreediskspace
- When a file is older than a specified time
  When a log file is older than the configured time, it is automatically deleted.
  - Access log: nsslapd-accesslog-logexpirationtime and nsslapd-accesslog-logexpirationtimeunit
  - Error log: nsslapd-errorlog-logexpirationtime and nsslapd-errorlog-logexpirationtimeunit
  - Audit log: nsslapd-auditlog-logexpirationtime and nsslapd-auditlog-logexpirationtimeunit
  - Audit fail log: nsslapd-auditfaillog-logexpirationtime and nsslapd-auditfaillog-logexpirationtimeunit
For further details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Configuring a Log Deletion Policy in the Directory Server Console
- Log in to the Directory Server Console.
- Select the Configuration tab.
- In the navigation tree, expand the Logs folder, and select the folder for the log whose settings you want to update.
- Set the logging settings in the Deletion Policy area. For example:
- Click.
Configuring Log Deletion Policy Using the Command Line
You can use the ldapmodify utility to modify the parameters controlling the Directory Server logging features. For example, to auto-delete the oldest access log file if the total size of all access log files exceeds 500 MB, run:
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logmaxdiskspace
nsslapd-accesslog-logmaxdiskspace: 500
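The enable, access mode, rotation and deletion parameters described in sections 20.3.1, 20.3.4 and 20.3.5 can be reviewed together from an LDIF dump of cn=config. The following Python check is an added example, not Red Hat tooling: the baseline (all four logs on, owner-only file mode) is chosen for this example, the LDIF is constructed sample data, and it assumes that a maxlogsperdir value of 1 means the log is never rotated and that -1 or an absent value means no limit.

```python
LOGS = ("accesslog", "errorlog", "auditlog", "auditfaillog")
DELETION = ("logmaxdiskspace", "logminfreediskspace", "logexpirationtime")

# Constructed sample: attributes as an LDIF dump of cn=config would list them.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-mode: 644
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logmaxdiskspace: 500
nsslapd-errorlog-mode: 600
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog-mode: 600
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logexpirationtime: 30
"""

def parse_ldif(text):
    """Collect 'attr: value' lines of one LDIF entry, keyed by lower-cased name."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line and not line.startswith(("#", " ")):
            name, value = line.split(": ", 1)
            attrs[name.lower()] = value.strip()
    return attrs

def audit(attrs):
    """Return findings for the baseline chosen in this example."""
    findings = []
    for log in LOGS:
        def get(suffix, log=log):
            return attrs.get(f"nsslapd-{log}-{suffix}")
        # Defaults stated on the page: access and error on, audit and audit fail off.
        default = "on" if log in ("accesslog", "errorlog") else "off"
        if (get("logging-enabled") or default).lower() != "on":
            findings.append(f"{log}: logging is disabled")
        mode = get("mode")
        if mode is not None and int(mode, 8) & 0o077:
            findings.append(f"{log}: mode {mode} grants access beyond the owner")
        # Assumptions: maxlogsperdir 1 means no rotation; -1 or absent means no limit.
        maxlogs = get("maxlogsperdir")
        rotates = maxlogs is None or int(maxlogs) > 1
        deletes = any(int(get(s) or -1) > 0 for s in DELETION)
        if deletes and not rotates:
            findings.append(f"{log}: deletion policy set but the log never rotates")
    return findings
```

Calling audit(parse_ldif(SAMPLE_LDIF)) reports the world-readable access log, the audit log whose expiration time can never take effect because deletion is applied only at rotation, and the audit fail log left at its disabled default.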
20.3.6. Manual Log File Rotation
The Directory Server supports automatic log file rotation for all three logs. However, it is possible to rotate log files manually if there are no automatic log file creation or deletion policies configured. By default, access, error, audit and audit fail log files can be found in the following location:
/var/log/dirsrv/slapd-instance
To rotate log files manually:
- Shut down the server.
# systemctl stop dirsrv.target instance
- Move or rename the log file being rotated so that the old log file is available for future reference.
- Restart the server.
# systemctl restart dirsrv.target instance
20.3.7. Configuring Log Levels
Both the access and the error log can record different amounts of information, depending on the log level that is set.
You can set the following configuration parameters to control the log levels:
- Access log: nsslapd-accesslog-level
- Error log: nsslapd-errorlog-level
For further details and a list of the supported log levels, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Note
Changing the log level from the default can cause the log file to grow very rapidly. Red Hat recommends not changing the default values unless Red Hat technical support asks you to do so.
Configuring the Log Level in the Directory Server Console
- Log in to the Directory Server Console.
- Select the Configuration tab.
- In the navigation tree, expand the Logs folder, and select the folder for the log whose settings you want to update.
- Set the log level in the Log Level area. For example, for the error log file
- Click.
Configuring the Log Level Using the Command Line
You can use the ldapmodify utility to set the log level. For example, to enable search filter logging (32) and config file processing (64), set the nsslapd-errorlog-level parameter to 96 (32 + 64):
# ldapmodify -D "cn=Directory Manager" -W -x
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 96