21.3. Configuring Log Files

For all types of log files, the log creation and log deletion policies have to be configured. The log creation policy sets when a new log file is started, and the log deletion policy sets when an old log file is deleted.

21.3.1. Enabling or Disabling Logs

Access and error logging are enabled by default. However, audit and audit fail logging are disabled by default.

Note

Disabling the access logging can be useful in certain scenarios, because every 2000 accesses to the directory increase the log file by approximately 1 megabyte. However, before turning off access logging, consider that this information can help in troubleshooting problems.

21.3.1.1. Enabling or Disabling Logging Using the Command Line

Use the dsconf config replace command to modify the parameters in the cn=config subtree that control the Directory Server logging feature:
  • Access log: nsslapd-accesslog-logging-enabled
  • Error log: nsslapd-errorlog-logging-enabled
  • Audit log: nsslapd-auditlog-logging-enabled
  • Audit fail log: nsslapd-auditfaillog-logging-enabled
For further details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to enable audit logging, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-auditlog-logging-enabled=on

21.3.1.2. Enabling or Disabling Logging Using the Web Console

To enable or disable logging in web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Server Settings menu, and select the log type you want to configure under the Logging entry.
  4. Enable or disable the logging feature for the selected log type.
  5. Optionally, set additional parameters to define, for example, a log rotation or log deletion policy.
  6. Click Save.

21.3.2. Configuring Plug-in-specific Logging

For debugging, you can enable access and audit logging for operations that plug-ins execute. For details, see the nsslapd-logAccess and nsslapd-logAudit parameters in the corresponding section of the Red Hat Directory Server Configuration, Command, and File Reference.

21.3.3. Disabling High-resolution Log Time Stamps

Using the default settings, Directory Server logs entries with nanosecond precision:
[27/May/2016:17:52:04.754335904 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04.894255328 -0500] schemareload - Schema reload task finished.
To disable high-resolution log time stamps:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-logging-hr-timestamps-enabled=off

Note

The option to disable high-resolution log time stamps is deprecated and will be removed in a future release.
After disabling high-resolution log time stamps, Directory Server logs with second precision only:
[27/May/2016:17:52:04 -0500] schemareload - Schema validation passed.
[27/May/2016:17:52:04 -0500] schemareload - Schema reload task finished.

21.3.4. Defining a Log File Rotation Policy

To periodically archive the current log file and create a new one, set a log file rotation policy. You can update the settings in the cn=config subtree using the command line or the web console.
You can set the following configuration parameters to control the log file rotation policy:
Access mode
The access mode sets the file permissions on newly created log files.
  • Access log: nsslapd-accesslog-mode
  • Error log: nsslapd-errorlog-mode
  • Audit log: nsslapd-auditlog-mode
  • Audit fail log: nsslapd-auditfaillog-mode
Maximum number of logs
Sets the maximum number of log files to keep. When the number of files is reached, Directory Server deletes the oldest log file before creating the new one.
  • Access log: nsslapd-accesslog-maxlogsperdir
  • Error log: nsslapd-errorlog-maxlogsperdir
  • Audit log: nsslapd-auditlog-maxlogsperdir
  • Audit fail log: nsslapd-auditfaillog-maxlogsperdir
File size for each log
Sets the maximum size of a log file in megabytes before it is rotated.
  • Access log: nsslapd-accesslog-maxlogsize
  • Error log: nsslapd-errorlog-maxlogsize
  • Audit log: nsslapd-auditlog-maxlogsize
  • Audit fail log: nsslapd-auditfaillog-maxlogsize
Create a log every
Sets the maximum age of a log file.
  • nsslapd-accesslog-logrotationtime and nsslapd-accesslog-logrotationtimeunit
  • nsslapd-errorlog-logrotationtime and nsslapd-errorlog-logrotationtimeunit
  • nsslapd-auditlog-logrotationtime and nsslapd-auditlog-logrotationtimeunit
  • nsslapd-auditfaillog-logrotationtime and nsslapd-auditfaillog-logrotationtimeunit
Additionally, you can set the time when the log file is rotated using the following parameters:
  • nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin
  • nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin
  • nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin
  • nsslapd-auditfaillog-logrotationsynchour and nsslapd-auditfaillog-logrotationsyncmin
For details, see the parameter descriptions in the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Each log file starts with a title, which identifies the server version, host name, and port, for ease of archiving or exchanging log files. For example:
389-Directory/1.4.0.11 B2018.197.1151
server.example.com:389 (/etc/dirsrv/slapd-instance)

21.3.4.1. Defining a Log File Rotation Policy Using the Command Line

Use the dsconf config replace command to modify the parameters controlling the Directory Server logging features. For example, for the error log, to set access mode 600, to keep a maximum of 2 log files, and to rotate log files when they reach a size of 100 MB or every 5 days, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-errorlog-mode=600 nsslapd-errorlog-maxlogsperdir=2 nsslapd-errorlog-maxlogsize=100 nsslapd-errorlog-logrotationtime=5 nsslapd-errorlog-logrotationtimeunit=day

21.3.4.2. Defining a Log File Rotation Policy Using the Web Console

21.3.5. Defining a Log File Deletion Policy

Directory Server automatically deletes old archived log files if you set a deletion policy.

Note

You can only set a log file deletion policy if you have a log file rotation policy set. Directory Server applies the deletion policy at the time of log rotation.
You can set the following configuration parameters to control the log file deletion policy:
Total log size
If the total size of all log files of a given type (access, error, audit, or audit fail) exceeds the configured value, the oldest log file of that type is automatically deleted.
  • Access log: nsslapd-accesslog-logmaxdiskspace
  • Error log: nsslapd-errorlog-logmaxdiskspace
  • Audit log: nsslapd-auditlog-logmaxdiskspace
  • Audit fail log: nsslapd-auditfaillog-logmaxdiskspace
Free disk space is less than
When the free disk space reaches this value, the oldest archived log file is automatically deleted.
  • Access log: nsslapd-accesslog-logminfreediskspace
  • Error log: nsslapd-errorlog-logminfreediskspace
  • Audit log: nsslapd-auditlog-logminfreediskspace
  • Audit fail log: nsslapd-auditfaillog-logminfreediskspace
When a file is older than a specified time
When a log file is older than the configured time, it is automatically deleted.
  • Access log: nsslapd-accesslog-logexpirationtime and nsslapd-accesslog-logexpirationtimeunit
  • Error log: nsslapd-errorlog-logexpirationtime and nsslapd-errorlog-logexpirationtimeunit
  • Audit log: nsslapd-auditlog-logexpirationtime and nsslapd-auditlog-logexpirationtimeunit
  • Audit fail log: nsslapd-auditfaillog-logexpirationtime and nsslapd-auditfaillog-logexpirationtimeunit
For further details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

21.3.5.1. Configuring a Log Deletion Policy Using the Command Line

Use the dsconf config replace command to modify the parameters controlling the Directory Server logging features. For example, to automatically delete the oldest access log file when the total size of all access log files exceeds 500 MB, run:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-accesslog-logmaxdiskspace=500

21.3.5.2. Configuring a Log Deletion Policy Using the Web Console

21.3.6. Manual Log File Rotation

Directory Server supports automatic log file rotation for all log types. However, you can also rotate log files manually if no automatic log file creation or deletion policies are configured. By default, the access, error, audit, and audit fail log files are located in the following directory:
/var/log/dirsrv/slapd-instance
To rotate log files manually:
  1. Stop the instance:
    # dsctl instance_name stop
  2. Move or rename the log file being rotated so that the old log file is available for future reference.
  3. Start the instance:
    # dsctl instance_name restart

21.3.7. Configuring the Log Levels

Both the access and the error log can record different amounts of information, depending on the log level that is set.
You can set the following configuration parameters to control the log level of each log:
  • Access log: nsslapd-accesslog-level
  • Error log: nsslapd-errorlog-level
For further details and a list of the supported log levels, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

Note

Changing the log level from the default can cause the log file to grow very rapidly. Red Hat recommends not changing the default values unless Red Hat technical support asks you to do so.

21.3.7.1. Configuring the Log Levels Using the Command Line

Use the dsconf config replace command to set the log level.
For example, to enable search filter logging (32) and config file processing (64), set the nsslapd-errorlog-level parameter to 96 (32 + 64):
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-errorlog-level=96
For example, to enable internal access operations logging (4) and logging of connections, operations, and results (256), set the nsslapd-accesslog-level parameter to 260 (4 + 256):
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-accesslog-level=260

21.3.7.2. Configuring the Log Levels Using the Web Console

To configure the access and error log level using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. To configure:
    • The access log level:
      1. Open the Server Settings → Logging → Access Log menu.
      2. Select the log levels in the Access Logging Levels section.
    • The error log level:
      1. Open the Server Settings → Logging → Error Log menu.
      2. Select the log levels in the Error Logging Levels section.
  4. Click Save.

21.3.7.3. Logging Internal Operations

Several operations cause additional internal operations in Directory Server. For example, if a user deletes an entry, the server runs several internal operations, such as locating the entry and updating groups in which the user was a member. This section explains the format of internal operations log entries. For details about setting the log level, see Section 21.3.7, “Configuring the Log Levels”.
Directory Server provides the following formats of internal operations logging:
Server-initiated Internal Operations
Example of an internal operation log entry that was initiated by the server:
[14/Jan/2021:09:45:25.814158882 -0400] conn=Internal(0) op=0(0)(0) MOD dn="cn=uniqueid generator,cn=config"
[14/Jan/2021:09:45:25.822103183 -0400] conn=Internal(0) op=0(0)(0) RESULT err=0 tag=48 nentries=0 etime=0.0007968796
For log entries of this type:
  • The conn field is set to Internal followed by (0).
  • The op field is set to 0(0)(nesting_level). For server-initiated internal operations, both the operation ID and internal operation ID are always 0. For log entries that are not nested, the nesting level is 0.
Client-initiated Internal Operations
Example of an internal operation log entry that was initiated by a client:
[14/Jan/2021:09:45:14.382918693 -0400] conn=5 (Internal) op=15(1)(0) SRCH base="cn=config,cn=userroot,cn=ldbm database,cn=plugins,cn=config" scope=1 filter="objectclass=vlvsearch" attrs=ALL
[14/Jan/2021:09:45:14.383191380 -0400] conn=5 (Internal) op=15(1)(0) RESULT err=0 tag=48 nentries=0 etime=0.0000295419
[14/Jan/2021:09:45:14.383216269 -0400] conn=5 (Internal) op=15(2)(0) SRCH base="cn=config,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=1 filter="objectclass=vlvsearch" attrs=ALL
[14/Jan/2021:09:45:14.383449419 -0400] conn=5 (Internal) op=15(2)(0) RESULT err=0
For log entries of this type:
  • The conn field is set to the client connection ID, followed by the string (Internal).
  • The op field contains the operation ID, followed by (internal_operation_ID)(nesting_level). The internal operation ID can vary, and for log entries that are not nested, the nesting level is 0.
If the nsslapd-plugin-logging parameter is set to on and internal operations logging is enabled, Directory Server additionally logs internal operations of plug-ins.

Example 21.1. Internal Operations Log Entries with Plug-in Logging Enabled

If you delete the uid=user,dc=example,dc=com entry, and the Referential Integrity plug-in automatically deletes this entry from the example group, the server logs:
[time_stamp] conn=2 op=37 DEL dn="uid=user,dc=example,dc=com"
[time_stamp] conn=2 (Internal) op=37(1) SRCH base="uid=user,dc=example,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[time_stamp] conn=2 (Internal) op=37(1) RESULT err=0 tag=48 nentries=1 etime=0.0000129148
[time_stamp] conn=2 (Internal) op=37(2) SRCH base="dc=example,dc=com" scope=2 filter="(member=uid=user,dc=example,dc=com)" attrs="member"
[time_stamp] conn=2 (Internal) op=37(2) RESULT err=0 tag=48 nentries=0 etime=0.0000123162
[time_stamp] conn=2 (Internal) op=37(3) SRCH base="dc=example,dc=com" scope=2 filter="(uniquemember=uid=user,dc=example,dc=com)" attrs="uniquemember"
[time_stamp] conn=2 (Internal) op=37(3) RESULT err=0 tag=48 nentries=1 etime=0.0000128104
[time_stamp] conn=2 (Internal) op=37(4) MOD dn="cn=example,dc=example,dc=com"
[time_stamp] conn=2 (Internal) op=37(5) SRCH base="cn=example,dc=example,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[time_stamp] conn=2 (Internal) op=37(5) RESULT err=0 tag=48 nentries=1 etime=0.0000130685
[time_stamp] conn=2 (Internal) op=37(4) RESULT err=0 tag=48 nentries=0 etime=0.0005217545
[time_stamp] conn=2 (Internal) op=37(6) SRCH base="dc=example,dc=com" scope=2 filter="(owner=uid=user,dc=example,dc=com)" attrs="owner"
[time_stamp] conn=2 (Internal) op=37(6) RESULT err=0 tag=48 nentries=0 etime=0.0000137656
[time_stamp] conn=2 (Internal) op=37(7) SRCH base="dc=example,dc=com" scope=2 filter="(seeAlso=uid=user,dc=example,dc=com)" attrs="seeAlso"
[time_stamp] conn=2 (Internal) op=37(7) RESULT err=0 tag=48 nentries=0 etime=0.0000066978
[time_stamp] conn=2 (Internal) op=37(8) SRCH base="o=example" scope=2 filter="(member=uid=user,dc=example,dc=com)" attrs="member"
[time_stamp] conn=2 (Internal) op=37(8) RESULT err=0 tag=48 nentries=0 etime=0.0000063316
[time_stamp] conn=2 (Internal) op=37(9) SRCH base="o=example" scope=2 filter="(uniquemember=uid=user,dc=example,dc=com)" attrs="uniquemember"
[time_stamp] conn=2 (Internal) op=37(9) RESULT err=0 tag=48 nentries=0 etime=0.0000048634
[time_stamp] conn=2 (Internal) op=37(10) SRCH base="o=example" scope=2 filter="(owner=uid=user,dc=example,dc=com)" attrs="owner"
[time_stamp] conn=2 (Internal) op=37(10) RESULT err=0 tag=48 nentries=0 etime=0.0000048854
[time_stamp] conn=2 (Internal) op=37(11) SRCH base="o=example" scope=2 filter="(seeAlso=uid=user,dc=example,dc=com)" attrs="seeAlso"
[time_stamp] conn=2 (Internal) op=37(11) RESULT err=0 tag=48 nentries=0 etime=0.0000046522
[time_stamp] conn=2 op=37 RESULT err=0 tag=107 nentries=0 etime=0.0010297858
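The following parser is an added example, not code from the Red Hat documentation or the 389 Directory Server project. It reads the timestamp format from Section 21.3.3 (nine-digit nanosecond fraction, or none once high-resolution time stamps are disabled) and the three conn/op shapes shown in this section (server-initiated internal, client-initiated internal, plain client operation), including older entries that omit the nesting level. The sample lines are constructed after the examples above, and the dictionary keys it returns are my own naming.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the formats shown in this section.
SAMPLE_LINES = [
    "[27/May/2016:17:52:04.754335904 -0500] schemareload - Schema validation passed.",
    "[27/May/2016:17:52:04 -0500] schemareload - Schema reload task finished.",
    '[14/Jan/2021:09:45:25.814158882 -0400] conn=Internal(0) op=0(0)(0) MOD dn="cn=uniqueid generator,cn=config"',
    '[14/Jan/2021:09:45:14.382918693 -0400] conn=5 (Internal) op=15(1)(0) SRCH base="cn=config" scope=1 filter="objectclass=vlvsearch" attrs=ALL',
    '[14/Jan/2021:09:45:14.383191380 -0400] conn=2 (Internal) op=37(1) RESULT err=0 tag=48 nentries=1 etime=0.0000129148',
    '[14/Jan/2021:09:45:14.382000000 -0400] conn=2 op=37 DEL dn="uid=user,dc=example,dc=com"',
]
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# The nine-digit fraction is absent once nsslapd-logging-hr-timestamps-enabled=off, so it is optional.
TS_RE = re.compile(r"^\[(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})"
                   r"(?:\.(\d{1,9}))? ([+-])(\d{2})(\d{2})\] (.*)$")
# conn/op prefix in its three shapes: "conn=Internal(0) op=0(0)(0)" (server-initiated),
# "conn=5 (Internal) op=15(1)(0)" (client-initiated), "conn=2 op=37" (plain); nesting level optional.
OP_RE = re.compile(r"^conn=(?:Internal\((\d+)\)|(\d+)(?: \((Internal)\))?) "
                   r"op=(\d+)(?:\((\d+)\))?(?:\((\d+)\))? (\S+)")


def parse_line(line):
    """Parse one log line into timestamp fields and, when present, conn/op fields.
    Returns None for a line that does not start with a Directory Server timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    day, mon, year, hh, mm, ss, frac, sign, tzh, tzm, message = m.groups()
    offset = timedelta(hours=int(tzh), minutes=int(tzm))
    if sign == "-":
        offset = -offset
    nanos = int(frac.ljust(9, "0")) if frac else None
    # datetime holds microseconds only, so the full nanosecond value is kept separately.
    ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                  microsecond=(nanos // 1000) if nanos is not None else 0,
                  tzinfo=timezone(offset))
    rec = {"time": ts, "nanoseconds": nanos, "message": message, "kind": None}
    op = OP_RE.match(message)
    if op:
        srv_conn, cli_conn, internal, opid, int_id, nesting, verb = op.groups()
        if srv_conn is not None:
            rec["kind"] = "server-internal"  # no client operation caused this
        else:
            rec["kind"] = "client-internal" if internal else "client"
        rec.update(conn=int(srv_conn if srv_conn is not None else cli_conn), op=int(opid),
                   internal_op=int(int_id) if int_id else None,
                   nesting=int(nesting) if nesting else None, verb=verb)
    return rec
```

Grouping records by (conn, op) ties each client-initiated internal operation back to the client request that caused it, which is what you need when reviewing what a single DEL or MOD actually touched.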

21.3.8. Disabling Access Log Buffering for Debugging

For debugging purposes, you can disable access log buffering, which is enabled by default. With access log buffering disabled, Directory Server writes log entries directly to the disk.

Important

Do not disable access log buffering in a normal operating environment. When buffering is disabled, Directory Server performance decreases, especially under heavy load.

21.3.8.1. Disabling Access Log Buffering Using the Command Line

To disable access log buffering using the command line:
  • Set the nsslapd-accesslog-logbuffering parameter to off:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-accesslog-logbuffering=off

21.3.8.2. Disabling Access Log Buffering Using the Web Console

To disable access log buffering using the Web Console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open Server Settings → Logging → Access Log.
  4. Select Disable Access Log Buffering.
  5. Click Save Configuration.