Chapter 94. Collecting IdM Healthcheck information
Healthcheck has been designed as a manual command line tool which should help you to identify possible problems in Identity Management (IdM).
You can create a collection of logs based on the Healthcheck output with 30-day rotation.
Prerequisites
- The Healthcheck tool is only available on RHEL 8.1 or newer.
94.1. Healthcheck in IdM
The Healthcheck tool in Identity Management (IdM) helps find issues that may impact the health of your IdM environment.
The Healthcheck tool is a command line tool that can be used without Kerberos authentication.
Modules are Independent
Healthcheck consists of independent modules which test for:
- Replication issues
- Certificate validity
- Certificate Authority infrastructure issues
- IdM and Active Directory trust issues
- Correct file permissions and ownership settings
Two output formats
Healthcheck generates the following outputs, which you can set using the output-type option:
- json: Machine-readable output in JSON format (default)
- human: Human-readable output
You can specify a different file destination with the --output-file option.
Results
Each Healthcheck module returns one of the following results:
- SUCCESS: configured as expected
- WARNING: not an error, but worth keeping an eye on or evaluating
- ERROR: not configured as expected
- CRITICAL: not configured as expected, with a high possibility for impact
94.2. Log rotation
Log rotation creates a new log file every day, and the files are organized by date. Since log files are saved in the same directory, you can select a particular log file according to the date.
Rotation means that a maximum number of log files is configured and, when that number is exceeded, the newest file replaces the oldest one. For example, if the rotation number is 30, the thirty-first log file replaces the first (oldest) one.
Log rotation reduces voluminous log files and organizes them, which can help with analysis of the logs.
94.3. Configuring log rotation using the IdM Healthcheck
Follow this procedure to configure a log rotation with:
- the systemd timer
- the crond service
The systemd timer runs the Healthcheck tool periodically and generates the logs. The default value is set to 4 a.m. every day.
The crond service is used for log rotation.
The default log name is healthcheck.log and the rotated logs use the healthcheck.log-YYYYMMDD format.
Prerequisites
- You must execute commands as root.
Procedure
- Enable a systemd timer:
# systemctl enable ipa-healthcheck.timer
Created symlink /etc/systemd/system/multi-user.target.wants/ipa-healthcheck.timer -> /usr/lib/systemd/system/ipa-healthcheck.timer.
- Start the systemd timer:
# systemctl start ipa-healthcheck.timer
- Open the /etc/logrotate.d/ipahealthcheck file to configure the number of logs which should be saved.
By default, log rotation is set up for 30 days.
- In the /etc/logrotate.d/ipahealthcheck file, configure the path to the logs.
By default, logs are saved in the /var/log/ipa/healthcheck/ directory.
- In the /etc/logrotate.d/ipahealthcheck file, configure the time for log generation.
By default, a log is created daily at 4 a.m.
- To use log rotation, ensure that the crond service is enabled and running:
# systemctl enable crond
# systemctl start crond
To start generating logs, start the IPA healthcheck service:
# systemctl start ipa-healthcheck
To verify the result, go to /var/log/ipa/healthcheck/ and check if logs are created correctly.
94.4. Changing IdM Healthcheck configuration
You can change Healthcheck settings by adding the desired command line options to the /etc/ipahealthcheck/ipahealthcheck.conf file. This can be useful when, for example, you configured a log rotation and want to ensure the logs are in a format suitable for automatic analysis, but do not want to set up a new timer.
This Healthcheck feature is only available on RHEL 8.7 and newer.
After the modification, all logs that Healthcheck creates follow the new settings. These settings also apply to any manual execution of Healthcheck.
When running Healthcheck manually, settings in the configuration file take precedence over options specified in the command line. For example, if output_type is set to human in the configuration file, specifying json on the command line has no effect. Any command line options you use that are not specified in the configuration file are applied normally.
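The following Python script is an added example, not part of the Red Hat documentation or of the Healthcheck tool. It triages the current and rotated logs by their worst result and flags any file that is not valid JSON, such as one written after output_type was set to human. It assumes the JSON output is a list of objects with source, check and result fields; the log contents in demo() are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Severity order follows the Results list: SUCCESS < WARNING < ERROR < CRITICAL.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}
# healthcheck.log plus rotated healthcheck.log-YYYYMMDD files.
LOG_NAME = re.compile(r"^healthcheck\.log(-\d{8})?$")


def triage(log_dir):
    """Map each log file name to (worst result, [(result, source, check), ...])."""
    report = {}
    for path in sorted(Path(log_dir).iterdir()):
        if not LOG_NAME.match(path.name):
            continue  # unrelated file in the log directory
        try:
            entries = json.loads(path.read_text())
            findings = [(e["result"], e.get("source"), e.get("check"))
                        for e in entries if e["result"] != "SUCCESS"]
            # An unrecognized result string is ranked as the worst case.
            worst = max((f[0] for f in findings),
                        key=lambda r: SEVERITY.get(r, 3), default="SUCCESS")
        except (OSError, ValueError, TypeError, KeyError, AttributeError):
            # Empty, truncated or human-format log: surface it, do not skip it.
            worst, findings = "UNPARSEABLE", []
        report[path.name] = (worst, findings)
    return report


def demo():
    """Run triage() over constructed sample logs in a temporary directory."""
    json_log = [
        {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
         "result": "WARNING", "kw": {"msg": "constructed sample"}},
        {"source": "ipahealthcheck.ipa.files", "check": "IPAFileCheck",
         "result": "ERROR", "kw": {"msg": "constructed sample"}},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "healthcheck.log-20240101").write_text("[]")  # run with no findings
        (d / "healthcheck.log-20240102").write_text(json.dumps(json_log))
        (d / "healthcheck.log").write_text("ERROR: constructed human-format line\n")
        return triage(d)


if __name__ == "__main__":
    for name, (worst, findings) in demo().items():
        print(name, worst, findings)
```

On an IdM server, call triage("/var/log/ipa/healthcheck/") as root instead of demo().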
94.5. Configuring Healthcheck to change the output logs format
Follow this procedure to configure Healthcheck with a timer already set up. In this example, you configure Healthcheck to produce logs in a human-readable format and to also include successful results instead of only errors.
Prerequisites
- Your system is running RHEL 8.7 or later.
- You have root privileges.
- You have previously configured log rotation on a timer.
Procedure
- Open the /etc/ipahealthcheck/ipahealthcheck.conf file in a text editor.
- Add options output_type=human and all=True to the [default] section.
- Save and close the file.
Verification
- Run Healthcheck manually:
# ipa-healthcheck
- Go to /var/log/ipa/healthcheck/ and check that the logs are in the correct format.