Menu Close

Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 108. IdM log files and directories

Use the following sections to monitor, analyze, and troubleshoot the individual components of Identity Management (IdM):

Additionally, you can monitor, analyze, and troubleshoot the IdM server and client and enable audit logging on an IdM server.

108.1. IdM server and client log files and directories

The following table presents directories and files that the Identity Management (IdM) server and client use to log information. You can use the files and directories for troubleshooting installation errors.

Directory or FileDescription

/var/log/ipaserver-install.log

The installation log for the IdM server.

/var/log/ipareplica-install.log

The installation log for the IdM replica.

/var/log/ipaclient-install.log

The installation log for the IdM client.

/var/log/sssd/

Log files for SSSD. You can enable detailed logging for SSSD in the sssd.conf file or with the sssctl command.

~/.ipa/log/cli.log

The log file for errors returned by RPC calls and responses by the ipa utility. Created in the home directory for the effective user that runs the tools. This user might have a different user name than the IdM user principal, that is the IdM user whose ticket granting ticket (TGT) has been obtained before attempting to perform the failed ipa commands. For example, if you are logged in to the system as root and have obtained the TGT of IdM admin, then the errors are logged in to the /root/.ipa/log/cli.log file.

/etc/logrotate.d/

The log rotation policies for DNS, SSSD, Apache, Tomcat, and Kerberos.

/etc/pki/pki-tomcat/logging.properties

This link points to the default Certificate Authority logging configuration at /usr/share/pki/server/conf/logging.properties.

Additional resources

108.2. Directory Server log files

The following table presents directories and files that the Identity Management (IdM) Directory Server (DS) instance uses to log information. You can use the files and directories for troubleshooting DS-related problems.

Table 108.1. Directory Server log files

Directory or fileDescription

/var/log/dirsrv/slapd-REALM_NAME/

Log files associated with the DS instance used by the IdM server. Most operational data recorded here are related to server-replica interactions.

/var/log/dirsrv/slapd-REALM_NAME/audit

Contains audit trails of all Directory Server operations when auditing is enabled in the Directory Server configuration.

/var/log/dirsrv/slapd-REALM_NAME/access

Contain detailed information about attempted access and operations for the domain DS instance.

/var/log/dirsrv/slapd-REALM_NAME/errors

Additional resources

108.3. Enabling audit logging on an IdM server

This procedure describes how to enable logging on an Identity Management (IdM) server for audit purposes. Using detailed logs, you can monitor data, troubleshoot issues, and examine suspicious activity on the network.

Note

The LDAP service may become slower if there are many LDAP changes logged, especially if the values are large.

Prerequisites

  • The Directory Manager password

Procedure

  1. Bind to the LDAP server: 

    $ ldapmodify -D "cn=Directory Manager" -W << EOF
  2. Press [Enter].

  3. Specify all the modifications you want to make, for example: 

    dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace:nsslapd-auditlog
nsslapd-auditlog: /var/log/dirsrv/slapd-REALM_NAME/audit
-
replace:nsslapd-auditlog-mode
nsslapd-auditlog-mode: 600
-
replace:nsslapd-auditlog-maxlogsize
nsslapd-auditlog-maxlogsize: 100
-
replace:nsslapd-auditlog-logrotationtime
nsslapd-auditlog-logrotationtime: 1
-
replace:nsslapd-auditlog-logrotationtimeunit
nsslapd-auditlog-logrotationtimeunit: day
  4. Indicate the end of the ldapmodify command by entering EOF on a new line.
  5. Press [Enter] twice.
  6. Repeat the previous steps on all the other IdM servers on which you want to enable audit logging.

Verification

  • Open the /var/log/dirsrv/slapd-REALM_NAME/audit file: 

    389-Directory/1.4.3.231 B2021.322.1803
server.idm.example.com:636 (/etc/dirsrv/slapd-IDM-EXAMPLE-COM)

time: 20220607102705
dn: cn=config
result: 0
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
[...]

    The fact that the file is not empty anymore confirms that auditing is enabled.

    Important

    The system logs the bound LDAP distinguished name (DN) of the entry that makes a change. For this reason, you might have to post-process the log. For example, in the IdM Directory Server, it is an ID override DN that represents the identity of an AD user that modified a record: 

    $ modifiersName: ipaanchoruuid=:sid:s-1-5-21-19610888-1443184010-1631745340-279100,cn=default trust view,cn=views,cn=accounts,dc=idma,dc=idm,dc=example,dc=com

    Use the pysss_nss_idmap.getnamebysid Python command to look up an AD user if you have the user SID: 

    >>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid('S-1-5-21-1273159419-3736181166-4190138427-500'))
{'S-1-5-21-1273159419-3736181166-4190138427-500': {'name': 'administrator@ad.vm', 'type': 3}}

Additional resources

108.4. The IdM Apache server log files

The following table presents directories and files that the Identity Management (IdM) Apache Server uses to log information.

Table 108.2. Apache Server log files

Directory or FileDescription

/var/log/httpd/

Log files for the Apache web server.

/var/log/httpd/access_log

 Standard access and error logs for Apache servers. Messages specific to IdM are recorded along with the Apache messages because the IdM web UI and the RPC command-line interface use Apache. The access logs log mostly only the user principal and the URI used, which is often an RPC endpoint. The error logs contain the IdM server logs.

/var/log/httpd/error_log

Additional resources

108.5. Certificate System log files in IdM

The following table presents directories and files that the Identity Management (IdM) Certificate System uses to log information.

Table 108.3. Certificate System log files

Directory or FileDescription

/var/log/pki/pki-ca-spawn.time_of_installation.log

The installation log for the IdM CA.

/var/log/pki/pki-kra-spawn.time_of_installation.log

The installation log for the IdM Key Recovery Authority (KRA).

/var/log/pki/pki-tomcat/

The top level directory for PKI operation logs. Contains CA and KRA logs.

/var/log/pki/pki-tomcat/ca/

Directory with logs related to certificate operations. In IdM, these logs are used for service principals, hosts, and other entities which use certificates.

/var/log/pki/pki-tomcat/kra

Directory with logs related to KRA.

/var/log/messages

Includes certificate error messages among other system messages.

Additional resources

108.6. Kerberos log files in IdM

The following table presents directories and files that Kerberos uses to log information in Identity Management (IdM).

Table 108.4. Kerberos Log Files

Directory or FileDescription

/var/log/krb5kdc.log

The primary log file for the Kerberos KDC server.

/var/log/kadmind.log

The primary log file for the Kerberos administration server.

Locations for these files is configured in the krb5.conf file. They can be different on some systems.

108.7. DNS log files in IdM

The following table presents directories and files that DNS uses to log information in Identity Management (IdM).

Table 108.5. DNS log files

Directory or FileDescription

/var/log/messages

Includes DNS error messages among other system messages. DNS logging in this file is not enabled by default. To enable it, enter the # /usr/sbin/rndc querylog command. The command results in the following lines being added to var/log/messages:

Jun 26 17:37:33 r8server named-pkcs11[1445]: received control channel command 'querylog'
Jun 26 17:37:33 r8server named-pkcs11[1445]: query logging is now on

To disable logging, run the command again.

108.8. Custodia log files in IdM

The following table presents directories and files that Custodia uses to log information in Identity Management (IdM).

Table 108.6. Custodia Log Files

Directory or FileDescription

/var/log/custodia/

Log file directory for the Custodia service.

108.9. Additional resources

  • Viewing Log Files. You can use journalctl to view the logging output of systemd unit files.