Show Table of Contents
2.6. Replacing Log Files with a Named Pipe
Many administrators want to do some special configuration or operation with logging data, like configuring an access log to record only certain events. This is not possible using the standard Directory Server log file configuration attributes, but it is possible by sending the log data to a named pipe, and then using another script or plug-in to process the data. Using a named pipe for the log simplifies these special tasks, like:
- Logging certain events, like failed bind attempts or connections from specific users or IP addresses
- Logging entries which match a specific regular expression pattern
- Keeping the log to a certain length (logging only the last number of lines)
- Sending a notification, such as an email, when an event occurs
The basic format of the script is is:
ds-logpipe.py
named_pipe
[
--user pipe_user
] [
--maxlines number
] [[
--serverpidfile file.pid
] | [
--serverpid PID
]] [
--servertimeout seconds
] [
--plugin=/path/to/plugin.py
| [
pluginfile.arg=value
]]
More detailed usage information is in the Configuration, Command, and File Reference.
However, while that has the advantage of being simple to implement and not requiring any Directory Server configuration changes, simply running the script has a big disadvantage: all of the log viewers in the Directory Server Console and any script or tool (such as
logconv.pl) that expect to access a real file will fail.
If the Directory Server instance will permanently use the named pipe rather than a real file for logging, then it is possible to reconfigure the instance to create the named pipe and use it for logging (as it does by default for the log files). When the Directory Server instance is configured to use the named pipe then all of the log analysis tools — the Directory Server Console and any Directory Server scripts — work fine.
Three things need to be configured for the log configuration for the instance:
- The log file to use has to be changed to the pipe (
nsslapd-*log) - Buffering should be disabled because the script already buffers the log entries (
nsslapd-*log-logbuffering) - Log rotation should be disabled so that the server does not attempt to rotate the named pipe (
nsslapd-*log-maxlogsperdir,nsslapd-*log-logexpirationtime, andnsslapd-*log-logrotationtime)
These configuration changes can be made in the Directory Server Console or using
ldapmodify.
For example, this switches the access log to
access.pipe:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=config changetype: modify replace: nsslapd-accesslog nsslapd-accesslog: /var/log/dirsrv/slapd-instance/access.pipe - replace: nsslapd-accesslog-logbuffering nsslapd-accesslog-logbuffering: off - replace: nsslapd-accesslog-maxlogsperdir nsslapd-accesslog-maxlogsperdir: 1 - replace: nsslapd-accesslog-logexpirationtime nsslapd-accesslog-logexpirationtime: -1 - replace: nsslapd-accesslog-logrotationtime nsslapd-accesslog-logexpirationtime: -1
Note
Making these changes using the
-f option will cause the server to close the current log file and switch to the named pipe immediately. This can be very helpful for debugging a running server and sifting the log output for specific messages.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.