Chapter 108. IdM log files and directories
Use the following sections to monitor, analyze, and troubleshoot the individual components of Identity Management (IdM):
Additionally, you can monitor, analyze, and troubleshoot the IdM server and client and enable audit logging on an IdM server.
108.1. IdM server and client log files and directories
The following table presents directories and files that the Identity Management (IdM) server and client use to log information. You can use the files and directories for troubleshooting installation errors.
Directory or File | Description |
---|---|
| The installation log for the IdM server. |
| The installation log for the IdM replica. |
| The installation log for the IdM client. |
| Log files for SSSD. You can enable detailed logging for SSSD in the sssd.conf file or with the sssctl command. |
| The log file for errors returned by RPC calls and responses by the |
| The log rotation policies for DNS, SSSD, Apache, Tomcat, and Kerberos. |
| This link points to the default Certificate Authority logging configuration at |
108.2. Directory Server log files
The following table presents directories and files that the Identity Management (IdM) Directory Server (DS) instance uses to log information. You can use the files and directories for troubleshooting DS-related problems.
Table 108.1. Directory Server log files
Directory or file | Description |
---|---|
| Log files associated with the DS instance used by the IdM server. Most operational data recorded here are related to server-replica interactions. |
| Contains audit trails of all Directory Server operations when auditing is enabled in the Directory Server configuration. |
| Contain detailed information about attempted access and operations for the domain DS instance. |
Additional resources
108.3. Enabling audit logging on an IdM server
This procedure describes how to enable logging on an Identity Management (IdM) server for audit purposes. Using detailed logs, you can monitor data, troubleshoot issues, and examine suspicious activity on the network.
The LDAP service may become slower if there are many LDAP changes logged, especially if the values are large.
Prerequisites
- The Directory Manager password
Procedure
- Bind to the LDAP server:

```
$ ldapmodify -D "cn=Directory Manager" -W << EOF
```

- Press [Enter].
- Specify all the modifications you want to make, for example:

```
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: nsslapd-auditlog
nsslapd-auditlog: /var/log/dirsrv/slapd-REALM_NAME/audit
-
replace: nsslapd-auditlog-mode
nsslapd-auditlog-mode: 600
-
replace: nsslapd-auditlog-maxlogsize
nsslapd-auditlog-maxlogsize: 100
-
replace: nsslapd-auditlog-logrotationtime
nsslapd-auditlog-logrotationtime: 1
-
replace: nsslapd-auditlog-logrotationtimeunit
nsslapd-auditlog-logrotationtimeunit: day
```

- Indicate the end of the ldapmodify command by entering EOF on a new line.
- Press [Enter] twice.
- Repeat the previous steps on all the other IdM servers on which you want to enable audit logging.
Verification
Open the /var/log/dirsrv/slapd-REALM_NAME/audit file:

```
389-Directory/1.4.3.231 B2021.322.1803
server.idm.example.com:636 (/etc/dirsrv/slapd-IDM-EXAMPLE-COM)

time: 20220607102705
dn: cn=config
result: 0
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
[...]
```

The fact that the file is no longer empty confirms that auditing is enabled.
Important: The system logs the bound LDAP distinguished name (DN) of the entry that makes a change. For this reason, you might have to post-process the log. For example, in the IdM Directory Server, an ID override DN represents the identity of an AD user that modified a record:

```
$ modifiersName: ipaanchoruuid=:sid:s-1-5-21-19610888-1443184010-1631745340-279100,cn=default trust view,cn=views,cn=accounts,dc=idma,dc=idm,dc=example,dc=com
```

Use the pysss_nss_idmap.getnamebysid Python command to look up an AD user if you have the user SID:

```
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid('S-1-5-21-1273159419-3736181166-4190138427-500')
{'S-1-5-21-1273159419-3736181166-4190138427-500': {'name': 'administrator@ad.vm', 'type': 3}}
```
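The post-processing described above, as an added example that is not part of the Red Hat documentation or of IdM itself: it parses audit log records in the format shown in the verification step and pulls the AD user's SID out of an ID override modifier DN, so that it can be handed to pysss_nss_idmap.getnamebysid. The log text and the DNs in it are constructed for the example.

```python
import re
# Constructed sample in the 389 Directory Server audit log format shown above; not a real log.
SAMPLE_AUDIT_LOG = """389-Directory/1.4.3.23 B2021.322.1803
server.idm.example.com:636 (/etc/dirsrv/slapd-IDM-EXAMPLE-COM)

time: 20220607102705
dn: cn=config
result: 0
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-

time: 20220607103012
dn: uid=jdoe,cn=users,cn=accounts,dc=idm,dc=example,dc=com
result: 0
changetype: modify
replace: telephoneNumber
telephoneNumber: +1 555 0100
-
replace: modifiersname
modifiersname: ipaanchoruuid=:sid:s-1-5-21-19610888-1443184010-1631745340-279100,cn=default trust view,cn=views,cn=accounts,dc=idm,dc=example,dc=com
-
"""
# An ID override DN in modifiersName carries the AD user's SID after ":sid:".
SID_IN_DN = re.compile(r"ipaanchoruuid=:sid:(s-1-5-[0-9-]+)", re.IGNORECASE)

def parse_audit_log(text):
    """Return one dict per change record; records are blank-line separated LDIF blocks."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("time: "):
            continue  # the server banner at the top of the file, not a change
        rec = {"attributes": []}
        for line in lines:
            if ": " not in line:
                continue  # "-" separates the modifications in the LDIF body
            key, value = line.split(": ", 1)
            key = key.lower()  # attribute names may appear as modifiersName or modifiersname
            if key in ("add", "replace", "delete"):
                rec["attributes"].append(value)  # attributes touched by the change
            else:
                rec[key] = int(value) if key == "result" else value
        records.append(rec)
    return records

def modifier_sid(rec):
    """SID behind an ID override modifier DN, uppercased as getnamebysid expects; else None."""
    m = SID_IN_DN.search(rec.get("modifiersname", ""))
    return m.group(1).upper() if m else None
```

The SID returned by modifier_sid() is the value to pass to pysss_nss_idmap.getnamebysid() on an IdM host; changes made by ordinary LDAP DNs, such as cn=Directory Manager, yield None and need no lookup.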
Additional resources
108.4. The IdM Apache server log files
The following table presents directories and files that the Identity Management (IdM) Apache Server uses to log information.
Table 108.2. Apache Server log files
Directory or File | Description |
---|---|
| Log files for the Apache web server. |
| Standard access and error logs for Apache servers. Messages specific to IdM are recorded along with the Apache messages because the IdM web UI and the RPC command-line interface use Apache. The access logs log mostly only the user principal and the URI used, which is often an RPC endpoint. The error logs contain the IdM server logs. |
Additional resources
- Log Files in the Apache documentation
108.5. Certificate System log files in IdM
The following table presents directories and files that the Identity Management (IdM) Certificate System uses to log information.
Table 108.3. Certificate System log files
Directory or File | Description |
---|---|
| The installation log for the IdM CA. |
| The installation log for the IdM Key Recovery Authority (KRA). |
| The top level directory for PKI operation logs. Contains CA and KRA logs. |
| Directory with logs related to certificate operations. In IdM, these logs are used for service principals, hosts, and other entities which use certificates. |
| Directory with logs related to KRA. |
| Includes certificate error messages among other system messages. |
Additional resources
- Configuring subsystem logs in the Red Hat Certificate System Administration Guide
108.6. Kerberos log files in IdM
The following table presents directories and files that Kerberos uses to log information in Identity Management (IdM).
Table 108.4. Kerberos Log Files
Directory or File | Description |
---|---|
| The primary log file for the Kerberos KDC server. |
| The primary log file for the Kerberos administration server. |
| The locations of these files are configured in the |
108.7. DNS log files in IdM
The following table presents directories and files that DNS uses to log information in Identity Management (IdM).
Table 108.5. DNS log files
Directory or File | Description |
---|---|
| Includes DNS error messages among other system messages. DNS logging in this file is not enabled by default. To enable it, enter the |

```
Jun 26 17:37:33 r8server named-pkcs11[1445]: received control channel command 'querylog'
```

To disable logging, run the command again.
108.8. Custodia log files in IdM
The following table presents directories and files that Custodia uses to log information in Identity Management (IdM).
Table 108.6. Custodia Log Files
Directory or File | Description |
---|---|
| Log file directory for the Custodia service. |
108.9. Additional resources
- Viewing Log Files. You can use journalctl to view the logging output of systemd unit files.