Directory Server, Version 6.1
Logging Utilities
The IBM® Tivoli® Directory Server provides several logging utilities that can be viewed either through the Web Administration Tool or the system command line.
- Modifying default log settings
- Modifying administration daemon error log settings
- Enabling the administration daemon audit log and modifying administration audit log settings
- Enabling the audit log and modifying audit log settings
- Modifying bulkload error log settings
- Modifying configuration tools log settings
- Modifying DB2 error log settings
- Modifying lost and found log settings
- Modifying the server error log
Notes:
- In the Web Administration Tool the Logfiles link in each task title bar accesses the Web Administration console log files. The IBM Tivoli Directory Server log files are accessible by using the procedures specified in the following sections.
- On Windows-based systems, if a path begins with the drive letter and a colon, it is assumed to be the full path. A path without the drive letter starts in the installation tree. As examples: c:\tmp\mylog is a full path, while \tmp\mylog is interpreted as c:\idsslapd-<instancename>\tmp\mylog.
Only the administrator or members of the administrative group can view or access log information.
Default log paths
The default log path for all logs is:
UNIX® path:
<instance base directory>/idsslapd-<instance name>/logs
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
Windows® path:
<drive>\idsslapd-<instance name>\logs
Where:
- drive is the drive you specified when you created a directory server instance.
- instance name is the name of the directory server instance.
Log management tool
Note:The log management tool requires that you have the IBM Tivoli Directory Integrator installed.
The log management tool enables the LDAP administrator to limit the size of log files. The tool process, idslogmgmt, wakes up every 15 minutes, checks the log file sizes, and moves log files that exceed the maximum log size threshold into an archive file. The number of archived logs can also be limited. Except for the administrative tools' log and the idslogmgmt log, the configuration settings for the logs are located in the ibmslapd configuration file. See the IBM Tivoli Directory Server version 6.1 Installation and Configuration Guide for more information. Also see the idslogmgmt command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information.
Attention: The TDS server may crash if the size of any log file exceeds the size of the system file size limit. Such a situation may typically occur when tracing is enabled on the server.
Default log management
A new configuration entry is created for the default log file management. This entry contains the default log settings for all logs with the exception of the ibm-slapdLog attribute. These settings can be overridden in the specific log management entries described in the following sections. By default the entry has no attribute values; hence, no log limits are enforced. Here is the description of the entry:
dn: cn=default, cn=Log Management, cn=Configuration
ibm-slapdLogSizeThreshold:
ibm-slapdLogMaxArchives:
ibm-slapdLogArchivePath:
objectclass: top
objectclass: ibm-slapdLogConfig
objectclass: ibm-slapdConfigEntry
objectclass: container
The following attributes are defined:
- ibm-slapdLogSizeThreshold
- When this size threshold, in MB, is exceeded the file will be archived.
- ibm-slapdLogMaxArchives
- The maximum number of archived logs.
- ibm-slapdLogArchivePath
- The path where the archived logs will be placed.
By default, the idslogmgmt application logs data to the following file on UNIX:
/var/idsldap/V6.1/idslogmgmt.log
and to the following file on Windows:
<install_directory>\var\idslogmgmt.log
The following are the default values for the log management of idslogmgmt.log:
- The default threshold is 10 MB.
- The maximum number of archive files is 3.
- The archive location will be the same as the original log location.
Modifying default log settings
If you have the Log Management Tool and IBM Tivoli Directory Integrator installed, you can set the default maximum log size threshold, the maximum number of log archives, and the log archive path values. For example, if you want every log to keep only three archived logs, you can set the maximum log archives value to three for all the logs using the default settings.
Individual log settings override default log settings. The default log settings have no values by default.
Use the following procedures to modify log settings. The default log settings apply to all logs.
Note:When the Web admin tool is used to access the admin daemon:
- The status bar on the Modify log settings panel displays a message indicating that the tool is connected to the admin daemon. If you access panels that are not supported by admin daemon, a message is displayed indicating that the functions on the panels are not supported.
- The Modify log settings panel is enabled based on the capabilities present in the rootDSE ibm-supportedcapabilities attribute.
Using the Web Administration Tool
To modify default log settings:
- Click Server administration in the Web Administration navigation area and then click Logs in the expanded list.
- Click Modify log settings.
- Click Default log settings.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Default, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
Modifying administration daemon error log settings
An administration daemon is a limited LDAP server that accepts extended operations to stop, start, and restart the LDAP server. The administration daemon error log (idsdiradm.log is the default file name) enables you to view status and errors encountered by the administration daemon.
To modify the administration daemon error log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration Tool
- Expand Logs in the navigation area, click Modify log settings.
- Click Admin daemon log.
- Enter the path and file name for the administration daemon error log. Ensure that the file exists on the LDAP server and that the path is valid. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
- You must stop the server for changes to take effect. See Starting and stopping the server. After stopping the server also stop and start the administration daemon locally to resynchronize the ports.
Restart the server.
- Issue the commands:
ibmdirctl -D <AdminDN> -w <AdminPW> -p <portnumber> stop
ibmdirctl -D <AdminDN> -w <AdminPW> admstop idsdiradm
ibmdirctl -D <AdminDN> -w <AdminPW> -p <portnumber> start
- For Windows systems, you can also:
- Go to Control Panel->Administrative Tools->Services.
- Select IBM Tivoli Directory Admin Daemon V6.1 – <InstanceName> .
- Do one of the following:
- Click Action -> Stop.
- Click Stop the service.
- Select IBM Tivoli Directory Admin Daemon V6.1 – <InstanceName>.
- Do one of the following:
- Click Action -> Start.
- Click Start the service.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Admin, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
You must stop the server for changes to take effect. After stopping the server also stop and start the administration daemon locally to resynchronize the ports. Start the server.
ibmdirctl -D <AdminDN> -w <AdminPW> -p <portnumber> stop
ibmdirctl -D <AdminDN> -w <AdminPW> admstop idsdiradm
ibmdirctl -D <AdminDN> -w <AdminPW> -p <portnumber> start
Enabling the administration daemon audit log and modifying administration audit log settings
Audit logging is used to improve the security of the directory server. The directory administrator and administrative group members who are assigned AuditAdmin or ServerConfigGroupMember role can use the records stored in the audit log to check for suspicious patterns of activity in an attempt to detect security violations. If security is violated, the administration daemon audit log (adminaudit.log is the default file name) can be used to determine how and when the problem occurred and perhaps the amount of damage done.
Note:Failed connection attempts are audited only if they fail after reaching the LDAP server. Connections that fail in the SSL layer, network, or operating system layer are not audited.
Note:Members of the administrative group can view the administration daemon audit log and settings but not modify them. Only the administrator is enabled to access, change or clear the administration daemon audit log files.
To modify the administration audit log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Note:The administration daemon audit log audits binds, unbinds, searches and extended operations.
Using Web Administration Tool
- Expand Logs in the navigation area, click Modify log settings.
- Click Admin daemon audit log.
- Select Enable admin daemon audit logging to use the audit log utility with the administration daemon.
Note:The default setting is enabled. You only need to select the check box, if you have previously disabled the administration daemon audit log.
- Enter the path and file name for the administration daemon audit log. Ensure that the file exists on the ldap server and that the path is valid. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Under Operations to log, do the following:
- Select the Bind check box to enable logging for bind operation. Otherwise, to disable logging for bind operation, clear the check box.
- Select the Unbind check box to enable logging for unbind operation. Otherwise, to disable logging for unbind operation, clear the check box.
- Select the Extended operations check box to enable logging for extended operations. Otherwise, to disable logging for extended operations, clear the check box.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
- You must stop the server for changes to take effect. See Starting and stopping the server. After stopping the server also stop and start the administration daemon locally to resynchronize the ports.
Restart the server.
- Issue the commands:
ibmdirctl -D <AdminDN> -w <Adminpw> admstop idsdiradm
- For Windows systems, you can also:
- Through the Control Panel, open the Services window.
- Click Directory Admin Daemon.
- Click Action -> Stop.
- Click Directory Admin Daemon.
- Click Action -> Start.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Admin Audit, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-audit
ibm-audit: true
-
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
You must stop and restart the server for changes to take effect. After stopping the Admin Daemon, issue a dynamic update request to the LDAP server:
ibmdirctl -D <AdminDN> -w <adminPW> admstop idsdiradm
idsldapexop -D <AdminDN> -w <adminPW> -op readconfig -scope entry "cn=Admin Audit,cn=Log Management,cn=Configuration"
Disabling the administration daemon audit log
Using Web Administration:
- Expand Logs in the navigation area, click Modify log settings.
- Click Admin daemon audit log.
- Deselect Enable admin daemon audit logging.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Admin Audit, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-audit
ibm-audit: false
Note:You need to restart the Admin Daemon only.
Enabling the audit log and modifying audit log settings
Audit logging is used to improve the security of the directory server. A default audit plug-in is provided with the server. Depending on the audit configuration parameters, this plug-in might log an audit entry in the default or specified audit log for each LDAP operation the server processed. The administrator can use the activities stored in the audit log to check for suspicious patterns of activity in an attempt to detect security violations. If security is violated, the audit log can be used to determine how and when the problem occurred and perhaps the amount of damage done. This information is very useful, both for recovery from the violation and, possibly, in the development of better security measures to prevent future problems. You can also write your own audit plug-ins to either replace, or add more processing to, the default audit plug-in. For more information about plug-ins, see the IBM Tivoli Directory Server Plug-ins Reference Version 6.1.
Note:Failed connection attempts are audited only if they fail after reaching the LDAP server. Connections that fail in the SSL layer, network, or operating system layer are not audited.
The audit log displays log entries chronologically. Each non-message entry contains a general information header followed by operation-specific data. For example,
2000-03-23-16:01:01.345-06:00--V3 Bind--bindDN:cn=root --client:9.1.2.3:12345-- ConnectionID:12--received:2000-03-23-16:01:01.330-06:00 --success
name: cn=root
authenticationChoice: simple
If the audit version is version 2 the header contains "AuditV2--".
AuditV2--2003-07-22-09:39:54.421-06:00DST--V3 Bind--bindDN: cn=root--client: 127.0.0.1:8196--connectionID: 3--received: 2003-07-22-09:39:54.421-06:00DST--Success
If the audit version is version 3 the header contains "AuditV3--".
AuditV3--2003-07-22-09:39:54.421-06:00DST--V3 Bind--bindDN: cn=root--client: 127.0.0.1:8196--connectionID: 3--received: 2003-07-22-09:39:54.421-06:00DST--Success
UniqueID:
Note:For an operation, one of the following is printed:
- Unknown
- Bind
- Unbind
- Search
- Add
- Modify
- Delete
- ModifyDN
- event notification: registration
- event notification: unregister
- extended operation
- Compare
The header is in the following format:
- Timestamp 1 "--"
- The local time the entry is logged, that is, the time the request was processed. The timestamp is in the format YYYY-MM-DD-HH:MM:SS.mmm+(or-)HH:MM. The +(or-)HH:MM is the UTC offset. mmm is milliseconds.
- Version number+[SSL|TLS]+[unauthenticated or anonymous] Operation "--"
- Shows the LDAP request that was received and processed. Version number is either V2 or V3. SSL displays only when SSL was used for the connection. TLS displays only when TLS is used for the connection. unauthenticated or anonymous displays to indicate whether the request was from an unauthenticated or anonymous client. Neither unauthenticated nor anonymous displays if the request is from an authenticated client.
- bindDN:
- Shows the bind DN. For V3 unauthenticated or anonymous requests, this field is <*CN=NULLDN*>.
- client:Client IP address:Port number "--"
- Shows the client IP address and port number.
- ConnectionID: xxxx "--"
- Is used to group all the entries received in the same connection, meaning between the bind and unbind, together.
- received: Timestamp 2 "--"
- Is the local time when the request was received, or to be more specific, the beginning time when the request was processed. Its format is the same as Timestamp 1.
- Result or Status string
- Shows the result or status of the LDAP operation. For the result string, the textual form of the LDAP resultCode is logged, for example, success or operationsError, instead of 0 or 1.
- UniqueID
- The uniqueID is the unique request ID to store in the control. The clientIP is the client's original IP to store in the control. If critical is true the criticality of the control will be set to true; if false the criticality will be set to false.
Operation-specific data follows the header, for example:
- Bind operations
name: Y249bWFuYWdlcg0K
authenticationChoice: simple
- Add operations
entry: cn=Jim Brown, ou=sales,o=ibm_us,c=us
attributes: objectclass, cn, sn, telphonenumber
- Delete operations
entry: cn=Jim Brown, ou=sales,o=ibm_us,c=us
- Modify operations
object: cn=Jim Brown, ou=sales,o=ibm_us,c=us
add: mail
delete: telephonenumber
By default the audit log is disabled.
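As an added example (not code from the IBM documentation), the following Python parses audit entries in the header layout described above for audit versions 1 to 3, attaches the operation-specific data lines to their header, and summarises failed and anonymous binds per client, the kind of check the "suspicious patterns of activity" guidance calls for. The sample log consists of the page's three header examples plus constructed entries; the field names, and treating a header without an AuditVn prefix as the version 1 layout, are assumptions.

```python
"""Parse IBM Tivoli Directory Server audit log entries (audit versions 1-3) and
summarise failed and anonymous binds per client. Added example, not IBM code."""
import re
from collections import Counter

# Header layout as described in the "Enabling the audit log" section:
# [AuditV2--|AuditV3--]Timestamp1--<Vn> [SSL|TLS] [unauthenticated|anonymous] <Op>--
# bindDN: <dn>--client: <ip>:<port>--connectionID: <n>--received: Timestamp2--<result> [UniqueID: <id>]
_TIMESTAMP = r"\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}(?:DST)?"
HEADER_RE = re.compile(
    r"^(?:Audit(?P<audit_version>V[23])--)?"
    r"(?P<timestamp>" + _TIMESTAMP + r")--"
    r"(?P<request>.+?)--"
    r"bindDN:\s*(?P<bind_dn>.*?)\s*--"
    r"client:\s*(?P<client>.+?)\s*--"
    r"\s*connectionID:\s*(?P<connection_id>\d+)\s*--"
    r"received:\s*(?P<received>" + _TIMESTAMP + r")\s*--"
    r"\s*(?P<result>\S+)"
    r"(?:\s+UniqueID:\s*(?P<unique_id>\S*))?\s*$",
    re.IGNORECASE,
)
# Qualifiers that may appear between the protocol version and the operation name.
_QUALIFIERS = {"SSL", "TLS", "unauthenticated", "anonymous"}


def parse_header(line):
    """Return the header fields of one audit entry, or None when the line is
    operation-specific data (name:, entry:, ...) rather than a header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("request").split()          # e.g. ["V3", "SSL", "Bind"]
    qualifiers = {t for t in tokens[1:] if t in _QUALIFIERS}
    # rpartition keeps any colons inside an IPv6 address with the address.
    ip, _, port = m.group("client").rpartition(":")
    version = m.group("audit_version")
    return {
        # Assumption: a header without an "AuditVn--" prefix is the version 1 layout.
        "audit_version": version.upper() if version else "V1",
        "timestamp": m.group("timestamp"),
        "ldap_version": tokens[0].upper(),
        "qualifiers": qualifiers,
        "operation": " ".join(t for t in tokens[1:] if t not in _QUALIFIERS),
        "bind_dn": m.group("bind_dn"),
        "client_ip": ip,
        "client_port": int(port),
        "connection_id": int(m.group("connection_id")),
        "received": m.group("received"),
        "result": m.group("result").lower(),   # textual LDAP resultCode, e.g. success
        "unique_id": m.group("unique_id"),      # only present on a proxy server (V3)
        "details": [],
    }


def parse_audit_log(text):
    """Split a log into entries; data lines are attached to the preceding header."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = parse_header(line)
        if header:
            entries.append(header)
        elif entries:
            entries[-1]["details"].append(line)
    return entries


def failed_binds_by_client(entries):
    """Count bind requests whose result string is not 'success', keyed by client IP."""
    return Counter(e["client_ip"] for e in entries
                   if e["operation"] == "Bind" and e["result"] != "success")


def anonymous_operations(entries):
    """(connectionID, operation) for requests made without credentials."""
    return [(e["connection_id"], e["operation"]) for e in entries
            if e["qualifiers"] & {"unauthenticated", "anonymous"}]


# Constructed sample: the page's three header examples (spacing as printed there),
# followed by constructed entries showing two failed binds and an anonymous session.
SAMPLE_LOG = """\
2000-03-23-16:01:01.345-06:00--V3 Bind--bindDN:cn=root --client:9.1.2.3:12345-- ConnectionID:12--received:2000-03-23-16:01:01.330-06:00 --success
name: cn=root
authenticationChoice: simple
AuditV2--2003-07-22-09:39:54.421-06:00DST--V3 Bind--bindDN: cn=root--client: 127.0.0.1:8196--connectionID: 3--received: 2003-07-22-09:39:54.421-06:00DST--Success
AuditV3--2003-07-22-09:39:54.421-06:00DST--V3 Bind--bindDN: cn=root--client: 127.0.0.1:8196--connectionID: 3--received: 2003-07-22-09:39:54.421-06:00DST--Success UniqueID:
AuditV3--2003-07-22-09:40:02.117-06:00DST--V3 SSL Bind--bindDN: cn=Jim Brown, ou=sales,o=ibm_us,c=us--client: 10.0.0.7:40111--connectionID: 4--received: 2003-07-22-09:40:02.100-06:00DST--invalidCredentials
name: cn=Jim Brown, ou=sales,o=ibm_us,c=us
authenticationChoice: simple
AuditV3--2003-07-22-09:40:03.004-06:00DST--V3 SSL Bind--bindDN: cn=Jim Brown, ou=sales,o=ibm_us,c=us--client: 10.0.0.7:40112--connectionID: 5--received: 2003-07-22-09:40:03.001-06:00DST--invalidCredentials
AuditV3--2003-07-22-09:41:10.550-06:00DST--V3 anonymous Bind--bindDN: <*CN=NULLDN*>--client: 10.0.0.9:51000--connectionID: 6--received: 2003-07-22-09:41:10.548-06:00DST--Success
AuditV3--2003-07-22-09:41:11.002-06:00DST--V3 anonymous Search--bindDN: <*CN=NULLDN*>--client: 10.0.0.9:51000--connectionID: 6--received: 2003-07-22-09:41:11.000-06:00DST--Success
"""

if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    print("failed binds by client:", dict(failed_binds_by_client(parsed)))
    print("anonymous operations:", anonymous_operations(parsed))
```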
Note:Members of the administrative group can view the audit log and settings but not modify them. Only the administrator is enabled to access, change or clear the audit log files.
To enable audit logging and modify logging settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration
- Expand Logs in the navigation area, click Modify log settings.
- Click Audit log.
Note:
- The directory administrator and administrative group members are the only users who can access this panel.
- On some platforms, logging is provided through standard operating system logging mechanisms. On these platforms, this panel cannot be used to configure directory server logs. For example, on an OS/400® platform, the directory server job log contains all server messages. However, in the case of i5/OS® directory server version 6.1 and above, the Audit log panel is displayed and directory server logs for audit can be configured.
- If you have the Log Management Tool installed, you can set the Log size threshold, Maximum log archives, and Log archive path values. Values entered into these fields will not take effect if the Log Management Tool is not installed. See the IBM Tivoli Directory Server 6.1 Problem Determination Guide for more information about the Log Management Tool.
- Select Enable audit logging to use the audit log utility.
- Enter the Path and file name for the audit log. The audit log can also be directed to something other than a file, for example, a line printer. Ensure that the file exists on the ldap server and that the path is valid. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Audit version, select the audit version you want to use. Version 1 maintains previous audit logging capabilities for any applications that parse the audit log. Version 2 enables you to log extended operations, however, you might need to modify existing applications that parse the audit log. Version 3, the default value, also writes out a unique ID, if the server generates one for the request. The unique ID only appears on the proxy server and is printed between the header information and any control data.
- Under Audit log level, do one of the following:
- If you want to log only failed attempts, select the Only failed attempts radio button.
- If you want to log all attempts, select the All attempts radio button.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Select the operations you wish to log. Consult the field help for additional information about the various operations you can log.
- Bind - records connections to the server
- Unbind - records disconnections from the server
- Search - records LDAP search operations performed by any client
- Add - records additions to LDAP
- Modify - records modifications to LDAP
- Delete - records deletions from LDAP
- Compare - records compare operations
- Modify RDN - records modifications made to RDNs
- Event notification - records event notifications
- Extended operations- records extended operations performed against the server
- Group values sent on group control - records the groups defined in the group control.
- Attributes sent on group evaluation extended operation - records attributes sent with the group evaluation extended operation.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Audit, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-audit
ibm-audit: true
-
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
-
replace: ibm-auditadd
ibm-auditadd: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditbind
ibm-auditbind: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditdelete
ibm-auditdelete: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditextopevent
ibm-auditextopevent: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditfailedoponly
ibm-auditfailedoponly: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditmodify
ibm-auditmodify: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditmodifydn
ibm-auditmodifydn: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditsearch
ibm-auditsearch: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditunbind
ibm-auditunbind: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditversion
ibm-auditversion: {1|2|3} #select 2 or 3, if you are enabling audit of additional information on controls
-
replace: ibm-auditExtOp
ibm-auditExtOp: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditCompare
ibm-auditCompare: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditGroupsOnGroupControl
ibm-auditGroupsOnGroupControl: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
-
replace: ibm-auditAttributesOnGroupEvalOp
ibm-auditAttributesOnGroupEvalOp: {TRUE|FALSE} #select TRUE to enable, FALSE to disable
Disabling the audit log
To disable audit logging use one of the following methods:
Using Web Administration:
- Click Server administration in the Web Administration navigation area and then click Logs in the expanded list.
- Click Modify log settings.
- Click Audit log.
- Deselect Enable audit logging.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Audit, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-audit
ibm-audit: false
Performance profiling
The IBM Tivoli directory server (TDS) provides information about the run-time performance of the server using a performance trace based on the independent trace facility (ldtrc). Additionally, TDS also provides information indicative of performance hotspots during operation execution in the audit record for each operation. Hence, the server can publish performance information in:
- A performance trace, based on the independent trace facility.
- Audit logs.
Performance profiling through the independent trace facility
The performance profile information in trace is intended to help users diagnose performance problems. By using the independent trace facility, performance profiling is accomplished with minimum impact on server performance. The independent trace facility profiles operation performance that consists of timestamps at key points traversed during an operation execution for a running server instance. The timestamps are profiled during different stages such as the following:
- RDBM search processing
- RDBM bind processing
- RDBM compare processing
- RDBM write processing
Note:Timestamp collection points for individual operations are provided only for the RDBM backend.
The instance configuration option ibm-slapdStartupTraceEnabled governs the tracing of performance records at server startup. With dynamic tracing (ldaptrace client utility), the independent trace utility can be made to start or stop collecting performance records after server startup. To activate tracing of performance records dynamically, do the following:
- Activate tracing for performance records. To do this, issue the following command:
ldaptrace -h <hostname> -p <port number> -D <adminDN> -w <adminpwd> -l on -t start -- -perf
- Dump the trace to a binary trace file. To do this, issue the following command:
ldtrc dmp trace.bin
- Format the trace. To do this, issue the following command:
ldtrc fmt trace.bin trace.txt
After formatting the trace you can analyze it and diagnose performance problems. To turn off tracing, issue the following command:
ldtrc off
Given below is an example of a formatted performance trace:
prf_entry LD PERF FrontEnd::operation_in_workQ (3.100.98.1.1.0) pid 10255; tid 1167334320; sec 1159183071; nsec 84815000 En-queue bind op; Worker thread ID 1133718448; Work Q size now = 1; client conn (9.124.231.39: conn ID 1)
Auditing for performance profiling
Tracing timestamps using the independent trace facility gives a detailed performance profile. However, to identify performance bottlenecks during operation execution, you can also check the audit log for the summary figures indicating performance hotspots. These hotspots are best provided as a summary: for instance, the operation response time, time spent in the worker queue, the accumulated RDBM lock wait times, and time spent in client I/O per operation. Following are the hotspots identified for auditing:
- When an operation has to wait in the worker thread queue for a long time before the worker thread actually starts executing the operation.
- The time spent for cache contention inside the backend needs to be tracked.
- The time spent in handling client I/O, that is, the time spent in receiving the request and returning the result. This value can also be used for detecting bottlenecks because of slow clients or network issues.
For each operation, the performance data fields in the audit records are controlled by the configuration option "ibm-auditPerformance". The value of "ibm-auditPerformance" is 'false' by default, so no performance data is collected or published by default.
When "ibm-auditPerformance" is set to 'true', performance data is collected and published in the audit log for each operation that is enabled to be audited.
If "ibm-auditPerformance" is enabled, that is, set to 'true', four performance data fields are audited in the audit record: operationResponseTime, timeOnWorkQ, rdbmLockWaitTime, and clientIOTime. The values of these fields are in milliseconds. A brief description of the performance data fields is given below:
- operationResponseTime - This field represents the time difference in milliseconds between the time the operation was received and the time its response was sent. The operation received time and the response sent time of an operation are published in audit v3 header.
- timeOnWorkQ - This field represents time in milliseconds spent in the worker queue before execution is initiated on the operation. The value of this field is the difference between the time execution was initiated and the time the operation was received.
- rdbmLockWaitTime - This field represents time in milliseconds spent in acquiring locks over RDBM caches during operation execution. The value in this field helps administrators to determine the time spent for cache contention against real work.
The lock wait time over the following resources is also included in this value:
- Resource cache
- DN cache
- Entry cache
- Filter cache
- Attribute cache
- Deadlock detector
- RDBM locks
- clientIOTime - This field represents time in milliseconds that was spent in receiving the complete operation request and returning the complete operation response. This field is implemented in the operation structure and is updated on receiving the complete BER for operation request and on successfully returning the response BER message for the operation.
An example of the audit version 3 format for a search operation issued when ibm-auditPerformance is enabled will look like:
AuditV3--2006-09-09-10:49:01.863-06:00DST--V3 Search--bindDN: cn=root--client: 127.0.0.1:40722--connectionID: 2--received: 2006-09-09-10:49:01.803-06:00DST--Success controlType: 1.3.6.1.4.1.42.2.27.8.5.1 criticality: false base: o=sample scope: wholeSubtree derefAliases: neverDerefAliases typesOnly: false filter: (&(cn=C*)(sn=A*)) operationResponseTime: 591 timeOnWorkQ: 1 rdbmLockWaitTime: 0 clientIOTime: 180
To enable audit for performance data, use one of the following methods:
Using Web Administration
- Expand Logs under Server administration in the navigation area and click Modify log settings.
- Click Audit log.
- Under audit performance data, select the Enable audit for performance data check box to log performance data related to the server in the audit log.
Using command line
Issue the following command to enable audit for performance data:
ldapmodify -h <hostname> -p <port number> -D <adminDN> -w <adminpwd>
dn: cn=Audit,cn=Log Management,cn=Configuration
changetype: modify
replace: ibm-auditPerformance
ibm-auditPerformance: true
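Added example, not from the product documentation: a Python parser for AuditV3 records that carry the four performance fields, with a rule set that flags the three hotspots listed above (a long wait on the worker queue, RDBM cache lock contention, and client I/O). The first sample record is the page's own; the other three records, and the thresholds (100 ms on the work queue, and lock wait or client I/O above 25% of operationResponseTime), are constructed assumptions chosen to exercise each rule and the case where ibm-auditPerformance is off and no performance fields are present.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input in the AuditV3 layout shown above. The first record
# is the page's own example; the other three are made up to exercise the hotspot
# rules and the case where ibm-auditPerformance is false (no performance fields).
SAMPLE_AUDIT_RECORDS = [
    "AuditV3--2006-09-09-10:49:01.863-06:00DST--V3 Search--bindDN: cn=root--client: 127.0.0.1:40722--connectionID: 2--received: 2006-09-09-10:49:01.803-06:00DST--Success controlType: 1.3.6.1.4.1.42.2.27.8.5.1 criticality: false base: o=sample scope: wholeSubtree derefAliases: neverDerefAliases typesOnly: false filter: (&(cn=C*)(sn=A*)) operationResponseTime: 591 timeOnWorkQ: 1 rdbmLockWaitTime: 0 clientIOTime: 180",
    "AuditV3--2006-09-09-10:50:12.120-06:00DST--V3 Search--bindDN: cn=root--client: 127.0.0.1:40730--connectionID: 3--received: 2006-09-09-10:50:09.920-06:00DST--Success base: o=sample scope: wholeSubtree derefAliases: neverDerefAliases typesOnly: false filter: (cn=*) operationResponseTime: 2200 timeOnWorkQ: 1500 rdbmLockWaitTime: 40 clientIOTime: 30",
    "AuditV3--2006-09-09-10:51:02.000-06:00DST--V3 Search--bindDN: cn=root--client: 127.0.0.1:40731--connectionID: 4--received: 2006-09-09-10:51:01.500-06:00DST--Success base: o=sample scope: wholeSubtree derefAliases: neverDerefAliases typesOnly: false filter: (sn=B*) operationResponseTime: 500 timeOnWorkQ: 2 rdbmLockWaitTime: 300 clientIOTime: 190",
    "AuditV3--2006-09-09-10:52:00.000-06:00DST--V3 Search--bindDN: cn=root--client: 127.0.0.1:40732--connectionID: 5--received: 2006-09-09-10:51:59.990-06:00DST--Success base: o=sample scope: baseObject derefAliases: neverDerefAliases typesOnly: false filter: (objectclass=*)",
]

# The v3 header fields are separated by "--"; everything after the result word
# is the operation-specific body, which ends with the four performance fields
# when ibm-auditPerformance is true.
HEADER_RE = re.compile(
    r"^AuditV3--(?P<timestamp>\S+)--V3 (?P<operation>\w+)--bindDN: (?P<bind_dn>.*?)"
    r"--client: (?P<client>\S+)--connectionID: (?P<conn_id>\d+)"
    r"--received: (?P<received>\S+)--(?P<result>\w+)\b(?P<body>.*)$"
)
PERF_FIELDS = ("operationResponseTime", "timeOnWorkQ", "rdbmLockWaitTime", "clientIOTime")


def parse_audit_record(line: str) -> Optional[Dict]:
    """Split one AuditV3 record into header fields plus a perf dict (None if absent)."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("timestamp", "operation", "bind_dn", "client", "received", "result")}
    rec["conn_id"] = int(m.group("conn_id"))
    perf: Dict[str, int] = {}
    for name in PERF_FIELDS:
        fm = re.search(r"\b%s: (\d+)" % name, m.group("body"))
        if fm:
            perf[name] = int(fm.group(1))
    # All four fields travel together; anything less means performance auditing was off.
    rec["perf"] = perf if len(perf) == len(PERF_FIELDS) else None
    return rec


def find_hotspots(rec: Dict, queue_ms: int = 100, share: float = 0.25) -> List[str]:
    """Apply the three hotspot rules; thresholds are assumptions, not product defaults."""
    perf = rec["perf"]
    if perf is None:
        return []
    total = perf["operationResponseTime"]
    hot: List[str] = []
    if perf["timeOnWorkQ"] > queue_ms:
        hot.append("worker queue wait")
    if total > 0 and perf["rdbmLockWaitTime"] / total > share:
        hot.append("RDBM cache lock contention")
    if total > 0 and perf["clientIOTime"] / total > share:
        hot.append("client I/O (slow client or network)")
    return hot


def audit_hotspot_report(lines: List[str], queue_ms: int = 100, share: float = 0.25) -> List[Dict]:
    """One summary row per parseable record: who, what, and which hotspots fired."""
    report = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec is None:
            continue
        report.append({
            "conn_id": rec["conn_id"],
            "client": rec["client"],
            "operation": rec["operation"],
            "has_perf": rec["perf"] is not None,
            "hotspots": find_hotspots(rec, queue_ms, share),
        })
    return report


if __name__ == "__main__":
    for row in audit_hotspot_report(SAMPLE_AUDIT_RECORDS):
        print(row)
```

Run over a real audit.log the report gives a per-operation view; rows whose has_perf is False tell you that ibm-auditPerformance was not yet enabled when those operations were logged.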
Modifying bulkload error log settings
Bulkload is used for loading entries. The bulkload log allows you to view status and errors related to bulkload. See the idsbulkload command information in the IBM Tivoli Directory Server version 6.1 Command Reference for more information.
To modify the bulkload log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration
- Expand Logs in the navigation area, click Modify log settings.
- Click Bulkload log.
- Enter the path and file name for the error log. Ensure that the file exists on the ldap server and that the path is valid. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Bulkload, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
-
To update the settings dynamically, issue the following idsldapexop command:
idsldapexop -D <adminDN> -w <adminPW> -op readconfig -scope single "cn=Bulkload, cn=Log Management, cn=Configuration" ibm-slapdLog
The idsldapexop command updates only those attributes that are dynamic. For other changes to take effect, stop and restart the server. See Dynamically-changed attributes for a list of the attributes that can be updated dynamically.
Modifying configuration tools log settings
The configuration tools log enables you to view status and error messages related to the configuration tools, such as idscfgdb, idsucfgdb, idscfgchglog, idsucfgchglog, idscfgsuf, idsucfgsuf, idsdnpw, and idsxcfg.
To modify the configuration tools log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration
- Expand Logs in the navigation area, click Modify log settings.
- Click Configuration tools log.
- Enter the path and file name for the error log. Ensure that the file exists on the ldap server and that the path is valid. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Tools, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
Modifying DB2 error log settings
The DB2® error log (db2cli.log is the default file name) records database errors that occur as a result of LDAP operations.
To modify the DB2 log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration
- Expand Server administration in the navigation area, click Logs, click Modify log settings, click DB2 log.
- Enter the path and file name for the DB2 log. Ensure that the path is valid. If the file does not exist, it is created. The error log can also be directed to something other than a file, for example, a line printer. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line:
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=DB2CLI, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
-
To update the settings dynamically, issue the following idsldapexop command:
idsldapexop -D <adminDN> -w <adminPW> -op readconfig -scope single "cn=DB2CLI, cn=Log Management, cn=Configuration" ibm-slapdLog
The idsldapexop command updates only those attributes that are dynamic. For other changes to take effect, stop and restart the server. See Dynamically-changed attributes for a list of the attributes that can be updated dynamically.
Modifying lost and found log settings
The lost and found log (LostAndFound.log is the default file name) records errors that occur as a result of a replication conflict.
To modify the lost and found log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration
- Expand Logs in the navigation area, click Modify log settings.
- Click Lost and found log.
Note:
- The directory administrator and administrative group members are the only users who can access this panel.
- On some platforms, logging is provided through standard operating system logging mechanisms. On these platforms, this panel cannot be used to configure or view directory server logs. For example, on an OS/400 platform, the directory server job log contains all server messages. However, in the case of i5/OS directory server version 6.1 and above, the Lost and found log panel is displayed and logs related to errors that occur as a result of a replication conflict can be recorded in the Lost and found log.
- If you have the Log Management Tool installed, we can set the Log size threshold, Maximum log archives, and Log archive path values. Values entered into these fields will not take effect if the Log Management Tool is not installed. See the IBM Tivoli Directory Server version 6.1 Problem Determination Guide for more information about the Log Management Tool.
- Enter the path and file name for the error log. Ensure that the file exists on the ldap server and that the path is valid. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
Using the command line
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=Replication, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
Modifying the server error log
The error log, ibmslapd.log (this is the default file name), is enabled by default. The error log enables you to view status and error messages related to the server.
To modify the error log settings, use one of the following methods. Remember that individual log settings override the Default log settings.
Using Web Administration
- Expand Server administration in the navigation area, click Logs, click Modify log settings.
- Click Server error log.
- Enter the path and file name for the error log. Ensure that the path is valid. If the file does not exist, it is created. The error log can also be directed to something other than a file, for example, a line printer. See Default log paths for default log paths.
Note:If you specify a file that is not an acceptable file name (for example, invalid syntax or if the server does not have the rights to create and/or modify the file), the attempt fails with the following error: LDAP Server is unwilling to perform the operation.
- Under Log size threshold (MB) select the first radio button and enter the maximum log size in Megabytes. If you do not want to limit log size, select the Unlimited radio button instead.
- Under Maximum log archives, select one of the following:
- If you want to specify a maximum number of archived logs, select the radio button with an edit window next to it. Enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you do not want to archive logs, select No archives.
- If you do not want to limit the number of archived logs, select Unlimited.
- Under Log archive path, do one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Same directory as log file radio button.
- Select either Low, Medium, or High for the level of error logging.
- Low logs the least amount of error information, for example,
Oct 06 10:33:02 2004 GLPSRV009I IBM Tivoli Directory (SSL), Version 6.0 Server started.
- Medium logs a medium amount of error information, for example,
Oct 06 10:35:41 2004 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.dll.
Oct 06 10:35:41 2004 GLPCOM003I Non-SSL port initialized to 389.
Oct 06 10:35:44 2004 GLPSRV009I IBM Tivoli Directory (SSL), Version 6.0 Server started.
- High logs the most error information, for example,
Oct 06 10:37:48 2004 GLPSRV047W Anonymous binds will be allowed.
Oct 06 10:37:48 2004 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.dll.
Oct 06 10:37:48 2004 GLPSRV003I Configuration file successfully read.
Oct 06 10:37:48 2004 GLPCOM003I Non-SSL port initialized to 389.
Oct 06 10:37:51 2004 GLPSRV009I IBM Tivoli Directory (SSL), Version 6.0 Server started.
- Click Apply to apply your changes and continue working with logs, or click OK to save your changes and to return to the IBM Tivoli Directory Server Web Administration Introduction panel. Click Cancel to return to the IBM Tivoli Directory Server Web Administration Introduction panel without saving any changes.
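The server error log lines above all follow one layout: a timestamp, a GLP message identifier whose trailing letter gives the severity (I for informational, W for warning, as in the samples), and the message text. The following Python, an added example that is not part of the product documentation, parses lines in that layout, counts them by severity and returns the ones at or above a chosen severity, which is how an administrator would pick out a record such as GLPSRV047W (anonymous binds allowed) from a large ibmslapd.log. The sample input is the five High-level lines shown above; the severity ordering I < W < E is an assumption of this example.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Sample input: the five server error log lines shown above for the High level.
SAMPLE_ERROR_LOG = """\
Oct 06 10:37:48 2004 GLPSRV047W Anonymous binds will be allowed.
Oct 06 10:37:48 2004 GLPCOM024I The extended Operation plugin is successfully loaded from libloga.dll.
Oct 06 10:37:48 2004 GLPSRV003I Configuration file successfully read.
Oct 06 10:37:48 2004 GLPCOM003I Non-SSL port initialized to 389.
Oct 06 10:37:51 2004 GLPSRV009I IBM Tivoli Directory (SSL), Version 6.0 Server started.
"""

# "Mon DD HH:MM:SS YYYY", then a GLP message id ending in a severity letter, then text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<msgid>GLP[A-Z]{3}\d{3}(?P<sev>[A-Z])) (?P<text>.*)$"
)
# Assumed ordering for the severity letters seen in these logs; any other
# letter is treated as more severe than the known ones so it is never hidden.
SEVERITY_ORDER = {"I": 0, "W": 1, "E": 2}


def parse_error_log(text: str) -> List[Dict]:
    """Return one dict per recognised line; lines in another layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        records.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
            "msgid": m.group("msgid"),
            "severity": m.group("sev"),
            "text": m.group("text"),
        })
    return records


def severity_counts(records: List[Dict]) -> Dict[str, int]:
    """How many records of each severity letter the log holds."""
    return dict(Counter(r["severity"] for r in records))


def needs_attention(records: List[Dict], minimum: str = "W") -> List[Dict]:
    """Records whose severity is at or above `minimum` (default: warnings and up)."""
    floor = SEVERITY_ORDER[minimum]
    unknown = max(SEVERITY_ORDER.values()) + 1
    return [r for r in records if SEVERITY_ORDER.get(r["severity"], unknown) >= floor]


if __name__ == "__main__":
    recs = parse_error_log(SAMPLE_ERROR_LOG)
    print(severity_counts(recs))
    for r in needs_attention(recs):
        print(r["time"].isoformat(), r["msgid"], r["text"])
```

At the High level the log is verbose, so filtering by the severity letter rather than reading every line is the practical way to review it after a restart.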
Using the command line
Issue the command:
idsldapmodify -D <adminDN> -w <adminPW> -i <filename>
where <filename> contains:
dn: cn=ibmslapd, cn=Log Management, cn=Configuration
changetype: modify
replace: ibm-slapdLog
ibm-slapdLog: <newpathname>
-
replace: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: <size threshold in MB>
-
replace: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: <number of log archives to save>
-
replace: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <archived logs path>
-
replace: ibm-slapdLogOptions
ibm-slapdLogOptions: {l | m | h}
To update the settings dynamically, issue the following idsldapexop command:
idsldapexop -D <adminDN> -w <adminPW> -op readconfig -scope entire
The idsldapexop command updates only those attributes that are dynamic. For other changes to take effect, stop and restart the server. See Dynamically-changed attributes for a list of the attributes that can be updated dynamically.
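The modify LDIF for the server error log, and the equivalent ones for the bulkload, configuration tools, DB2 and lost and found log entries, are easy to get wrong by hand because each replaced attribute must be followed by a line holding only "-". The following Python, an added example that is not part of the product documentation, builds that LDIF for any of the five Log Management entries named on this page, validates the numeric values, accepts ibm-slapdLogOptions only for the cn=ibmslapd entry (the only entry on this page that shows it), and reads the result back so it can be checked before it is passed to idsldapmodify -i. The file paths in the usage call are constructed placeholders.

```python
from typing import List, Optional, Tuple

# Log Management configuration entries named on this page, keyed by a short label.
LOG_ENTRIES = {
    "bulkload": "cn=Bulkload, cn=Log Management, cn=Configuration",
    "tools": "cn=Tools, cn=Log Management, cn=Configuration",
    "db2cli": "cn=DB2CLI, cn=Log Management, cn=Configuration",
    "lostandfound": "cn=Replication, cn=Log Management, cn=Configuration",
    "ibmslapd": "cn=ibmslapd, cn=Log Management, cn=Configuration",
}
# ibm-slapdLogOptions values: l (Low), m (Medium), h (High) error logging level.
LOG_LEVELS = {"l", "m", "h"}


def _non_negative_int(name: str, value) -> int:
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    return value


def build_log_settings_ldif(log: str, log_path: str, size_threshold_mb: int,
                            max_archives: int, archive_path: str,
                            log_options: Optional[str] = None) -> str:
    """Build the changetype: modify LDIF for one Log Management entry.

    Each replaced attribute is followed by a line holding only "-", which is
    what separates the modifications within a single modify record.
    """
    if log not in LOG_ENTRIES:
        raise ValueError(f"unknown log {log!r}; expected one of {sorted(LOG_ENTRIES)}")
    if not log_path.strip() or not archive_path.strip():
        raise ValueError("log path and archive path must not be empty")
    changes: List[Tuple[str, str]] = [
        ("ibm-slapdLog", log_path),
        ("ibm-slapdLogSizeThreshold", str(_non_negative_int("size_threshold_mb", size_threshold_mb))),
        ("ibm-slapdLogMaxArchives", str(_non_negative_int("max_archives", max_archives))),
        ("ibm-slapdLogArchivePath", archive_path),
    ]
    if log_options is not None:
        # Only the server error log entry on this page carries ibm-slapdLogOptions.
        if log != "ibmslapd":
            raise ValueError("ibm-slapdLogOptions applies to the cn=ibmslapd entry only")
        if log_options not in LOG_LEVELS:
            raise ValueError(f"log_options must be one of {sorted(LOG_LEVELS)}")
        changes.append(("ibm-slapdLogOptions", log_options))
    lines = [f"dn: {LOG_ENTRIES[log]}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def ldif_changes(ldif: str) -> List[Tuple[str, str]]:
    """Read back the (attribute, value) pairs of a modify LDIF built above."""
    lines = ldif.splitlines()
    pairs: List[Tuple[str, str]] = []
    for i, line in enumerate(lines):
        if not line.startswith("replace: "):
            continue
        attr = line[len("replace: "):]
        prefix = f"{attr}: "
        if i + 1 >= len(lines) or not lines[i + 1].startswith(prefix):
            raise ValueError(f"replace: {attr} is not followed by a value line")
        pairs.append((attr, lines[i + 1][len(prefix):]))
    return pairs


if __name__ == "__main__":
    # Constructed placeholder paths; substitute the instance's own logs directory.
    print(build_log_settings_ldif("ibmslapd", "/home/idsinst/idsslapd-idsinst/logs/ibmslapd.log",
                                  10, 5, "/home/idsinst/idsslapd-idsinst/logs/archive",
                                  log_options="m"))
```

Write the returned string to a file and pass it with -i; for the ibmslapd entry the readconfig -scope entire command shown above then picks up the dynamic attributes without a restart.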
Start/stop server tracing
To start or stop server tracing use the following method
Using Web Administration:
If you have not done so already, click Server administration in the Web Administration navigation area and then click Logs in the expanded list. Next, click Start/stop server tracing.
On this panel, we can:
- Enable server tracing
- Set the level of trace debug data to be collected
- Specify the debug output file to which the trace information is to be sent
To enable trace facility:
- Select the Enable server tracing check box to enable tracing for this server instance.
- Specify a trace debug level in the Trace debug levels field.
- Specify the file to which the trace information should be sent in the Trace debug file field.
- After you have finished, do one of the following:
- Click OK to save the changes and return to the Introduction panel.
- Click Cancel to discard changes made and return to the Introduction panel.
Viewing logs
The following sections show you how to view the IBM Tivoli Directory Server logs. For a selected log file, the View logs panel displays the most recent logs in the View log table in ascending order. The View log table displays 20 rows, where a logged item could span over one or more rows. We can navigate over the pages in the View log table by clicking the navigation arrow provided on the status bar of the table or by entering the page number in the field on the status bar and clicking Go.
View logs using Web Administration
To view a log using the Web Administration Tool, do the following:
- Click Server administration in the Web Administration navigation area and then click Logs in the expanded list. Click View log.
Note:
- The directory administrator and administrative group members are the only users who can access this panel.
- On some platforms, logging is provided through standard operating system logging mechanisms. On these platforms, this panel cannot be used to view directory server logs. For example, on an OS/400 platform, the directory server job log contains all server messages. However, in the case of i5/OS directory server version 6.0 and above, the Select log combo box will only display Audit log and Lost and found log, provided the ibm-supportedCapability OIDs 1.3.18.0.2.32.80 and 1.3.18.0.2.32.52 for Audit log and Lost and found log respectively are displayed on root DSE search.
- When the Web admin tool is used to access the admin daemon:
- The status bar on the View logs panel displays a message indicating that the tool is connected to the admin daemon. If you access panels that are not supported by admin daemon, a message is displayed indicating that the functions on the panels are not supported.
- The View logs panel is enabled based on the capabilities present in rootDSE for ibm-supportedcapabilities attribute.
- The Clear button on the View logs panel is disabled as the admin daemon does not support clear log request.
- Select the log you want to view from the Select log drop-down menu; for example, Lost and Found log
- We can:
- Use the navigation arrows at the bottom of the panel to go to the Next page or to the Previous page.
- Select a specific page from the edit menu, for example Page 6 of 16, and click Go to display that page of the error log.
- Click Refresh to update the entries in the log.
- Click Clear log to delete all entries in the log.
Note:Admin Group members cannot clear the Audit logs.
- Click Close to return to the IBM Tivoli Directory Server Web Administration Introduction panel.
View logs using the command line
Use the following procedures to view logs using the command line.
Viewing the Admin daemon error log
To view the administration daemon error log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/idsdiradm.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\idsdiradm.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the Web Administration error log from a system with the IBM Tivoli Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log idsdiradm -lines all
Do the following to clear the Web Administration error log:
ldapexop -D <adminDN> -w <adminPW> -op clearlog -log idsdiradm
Viewing the Admin daemon audit log settings
To view the administration daemon audit log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/adminaudit.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\adminaudit.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the administration daemon audit log from a system with the IBM Tivoli Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log adminAudit -lines all
Do the following to clear the administration daemon audit log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log adminAudit
Viewing the audit log
To view the audit log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/audit.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\audit.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the audit log from a system with the IBM Tivoli Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log audit -lines all
Do the following to clear the audit log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log audit
Viewing the Bulkload log
To view the bulkload log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/bulkload.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\bulkload.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the bulkload error log from a system with the IBM Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log bulkload -lines all
Do the following to clear the bulkload error log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log bulkload
Viewing the Configuration tools log
To view the Configuration tools log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/idstools.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\idstools.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the Configuration tools log from a system with the IBM Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log config -lines all
Do the following to clear the Configuration tools log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log config
Viewing the DB2 log
To view the DB2 log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/db2cli.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\db2cli.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the DB2 error log from a system with the IBM Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log cli -lines all
Do the following to clear the DB2 error log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log cli
Viewing the Lost and found error log
To view the Lost and Found log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/LostAndFound.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\LostAndFound.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the Lost and found error log from a system with the IBM Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log LostAndFound -lines all
Do the following to clear the Lost and found error log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log LostAndFound
Viewing the Server error log
To view the server error log in the default location, issue the following command:
On a UNIX operating system:
more <instance base directory>/idsslapd-<instance name>/logs/ibmslapd.log
Where:
- instance base directory is the home directory of the directory server instance owner, or the directory you specified when you created the directory server instance.
- instance name is the name of the directory server instance.
On a Windows operating system:
more <drive>\idsslapd-<instance name>\logs\ibmslapd.log
Where drive is the drive you specified when you created a directory server instance, and instance name is the name of the directory server instance.
Do the following to view the error log from a system with the IBM Directory Server client:
idsldapexop -D <adminDN> -w <adminPW> -op readlog -log slapd -lines all
Do the following to clear the error log:
idsldapexop -D <adminDN> -w <adminPW> -op clearlog -log slapd
Log integration into CBE and CARS format
In an effort to create a self-managing environment, IBM has taken the initiative of introducing "Autonomic Computing". Autonomic computing is an open-standards-based architecture that allows systems to configure, heal, optimize, and protect themselves. To determine the condition of the different components of a system, the format of the event data must be standardized so that the system can assess its current state.
To standardize the format of data for the problem determination architecture, IBM introduced a common format for log and trace information called the Common Base Event (CBE) format. This format creates consistency across similar fields and improves the ability to correlate across multiple logs. CBE is based on a 3-tuple structured format, which includes:
- Component impacted by a situation, or the source
- Component observing a situation
- Situation data, the properties describing the situation including correlation information
The 3-tuple format makes it possible to write and deploy resource-independent management functions that can isolate a failing component.
To align IBM Tivoli Directory Server with the autonomic computing space, the logs produced by the Tivoli Directory Server product, such as the error log and the audit log, must be available in CBE format.
IBM Common Auditing and Reporting Service (CARS) component leverages CBE, which is a common format for events proposed by IBM, and IBM Common Event Infrastructure (CEI) technologies to provide an audit infrastructure. The purpose of CBE is to facilitate effective intercommunication among disparate components within an enterprise. In order to effectively process audit data, the CARS component requires the audit data to be in the CBE format. CEI is an IBM strategic event infrastructure for submission, persistent storage, query, and subscription of the CBE events. The CARS component uses the CEI interfaces for submission of events. These events can be denoted as auditable by using configuration options at the CEI Server that stores them in a CEI XML Event store that meets the auditing requirements.
The CARS component allows staging of data from the CEI XML Event store into report tables. IBM products and customers can provide audit reports based on auditable events staged into report tables. The CARS component also supports managing the lifecycle of auditable events, which includes archive, restore, and audit reports on restored archives.
Log management tool for CBE, CEI, and CARS features
To start the CBE, CEI, and CARS features for a Tivoli Directory Server instance, you must run the Tivoli Directory Server log management tool, idslogmgmt, as the owner of that instance.
Note: Only one instance of idslogmgmt can be run on a Tivoli Directory Server instance, and only one instance of idslogmgmt that manages the admin tools log can be run.
To implement the CBE, CEI, and CARS features, you must launch the IBM Tivoli Directory Integrator server and the assembly lines using the idslogmgmt wrapper. The log management assembly lines first read and process the parameters passed by the wrapper script. Next, they read the Tivoli Directory Server instance repository file and determine the version of the log management tool associated with the installed servers. For each server in the list, the ibmslapd.conf file is read and the log management settings are retrieved. The tool checks for setting updates in the Tivoli Directory Server instances' configuration files at regular intervals. The default interval is 5 minutes. If the IDSLMG_CHECK_INTERVAL variable is set, the value of that variable takes precedence. See the IBM Tivoli Directory Server Version 6.1 Installation and Configuration Guide for more information about CARS installation and configuration.
After the log management configuration settings are read from the ibmslapd.conf file, the tool finds the location of logs and performs the appropriate log management activities. The activities can include managing of log disk space usage or converting proprietary format log data into CBE format and sending that data to a file or a CEI server.
When the idslogmgmt tool is run, a pid file, idslogmgmt.pid, containing the process ID is created and updated in the <instance home>\tmp directory. This pid file helps determine whether idslogmgmt is running or stopped for a Tivoli Directory Server instance when the status action is specified by the log management extended operation. This applies only to instance-specific idslogmgmt execution, not to the execution in which admin tools parameters are specified. See the "Appendix B. Common Base Event (CBE) features" section in the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for more information about special-case scenarios related to CBE.
Entries for log management
The log management attributes associated with the CBE, CEI, and CARS feature are placed under the following entries depending on the attributes.
- cn=default, cn=Log Management, cn=configuration
- This applies to all log management entries unless they are overwritten by specifying the settings explicitly in the individual log entries.
- cn=<specific_log_name>, cn=Log Management, cn=configuration
- This applies only to the log specified by the entry. The default settings for this log can be overwritten by specifying the settings in this entry. The values for <specific_log_name> are: ibmslapd, audit, tools, bulkload, admin, admin audit, db2cli, replication, and ddsetup.
See the "Appendix K. Configuration schema object classes and attributes for IBM Tivoli Directory Server version 6.0 and above" section to know more about associated object classes and attributes.
CARS Reports
The CARS report generates the required CBE properties. The Tivoli Directory Server log entries that are mapped to CBE properties are categorized into Base Properties and Security Extension Properties. The Base Properties tables list the properties that are part of the CBE v1.0.1 specification. The Security Extension Properties tables list the properties that are part of the CBE extension for Security Events v0.21 specification. Each property is expressed as an XPath statement, which describes where the property is found within a CBE.
A sample CBE formatted output
A sample CBE formatted output for an audit record would be as given below:
AuditV3--2005-11-14-18:27:37.444-06:00--V3 Bind--bindDN: cn=root--client: 127.0.0.1:1193--connectionID: 1--received: 2005-11-14-18:27:37.444-06:00--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1 criticality: false
name: cn=root
authenticationChoice: simple
Admin Acct Status: Not Locked
<?xml version="1.0" encoding="UTF-8"?>
<CommonBaseEvent creationTime="2005-11-14T12:27:37"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="commonbaseevent1_0.xsd"
    globalInstanceId="i0000000000000000000000000000000"
    sequenceNumber="0000000000000000000000000000001"
    extensionName="SECURITY_AUDIT_AUTHN">
  <sourceComponentId component="Official Product Name" subcomponent="audit"
      componentIdType="ProductName"
      componentType="http://www.ibm.com/namespace/autonomic/Tivoli_componentTypes"
      location="127.0.0.1:389" locationType="IPV6" instanceId="ldapdev"/>
  <situation categoryName="ConnectSituation">
    <situationType reasoningScope="EXTERNAL" successDisposition="SUCCESSFUL"
        situationDisposition="AVAILABLE"/>
  </situation>
  <extendedDataElements name="action">
    <values>authentication</values>
  </extendedDataElements>
  <extendedDataElements name="authnType">
    <values>ldap_3.0</values>
  </extendedDataElements>
  <extendedDataElements name="outcome">
    <result>SUCCESSFUL</result>
  </extendedDataElements>
  <extendedDataElements name="outcome">
    <failureReason>authenticationFailure</failureReason>
  </extendedDataElements>
  <extendedDataElements name="resourceInfo">
    <children name="type">
      <values>application</values>
    </children>
    <children name="nameInPolicy">
      <values>ldap</values>
    </children>
    <children name="nameInApp">
      <values>ldap</values>
    </children>
  </extendedDataElements>
  <extendedDataElements name="userInfo">
    <children name="appUserName">
      <values>cn=root</values>
    </children>
    <children name="proxyUserName">
      <values>NOT AVAILABLE</values>
    </children>
    <children name="registryUserName">
      <values>NOT AVAILABLE</values>
    </children>
    <children name="sessionID">
      <values>1</values>
    </children>
    <children name="location">
      <values>127.0.0.1:1193</values>
    </children>
    <children name="locationType">
      <values>IPV6</values>
    </children>
  </extendedDataElements>
</CommonBaseEvent>
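A parser for events in this layout, as an added example that is not IBM code: it flattens each CommonBaseEvent's extendedDataElements with Python's standard library and counts failed binds per bind DN and client location, the kind of review pass that is run before the events reach CARS. The two events are constructed after the sample above and trimmed to the elements the parser reads; the failure case assumes the <failureReason> form shown above.

```python
# Parse CBE authentication records as the TDS event-formatted log writes them and
# summarise bind outcomes. Added example, not IBM code; the events are constructed
# after the sample in the text and trimmed to the elements the parser reads.
import xml.etree.ElementTree as ET
from collections import Counter

SUCCESS_EVENT = """<CommonBaseEvent creationTime="2005-11-14T12:27:37"
 sequenceNumber="1" extensionName="SECURITY_AUDIT_AUTHN">
 <extendedDataElements name="action"><values>authentication</values></extendedDataElements>
 <extendedDataElements name="outcome"><result>SUCCESSFUL</result></extendedDataElements>
 <extendedDataElements name="userInfo">
  <children name="appUserName"><values>cn=root</values></children>
  <children name="location"><values>127.0.0.1:1193</values></children>
 </extendedDataElements>
</CommonBaseEvent>"""
# Constructed failed bind; the sample in the text reports a failure through
# <failureReason> rather than <result>, so both forms are handled below.
FAILURE_EVENT = """<CommonBaseEvent creationTime="2005-11-14T12:28:02"
 sequenceNumber="2" extensionName="SECURITY_AUDIT_AUTHN">
 <extendedDataElements name="action"><values>authentication</values></extendedDataElements>
 <extendedDataElements name="outcome"><failureReason>authenticationFailure</failureReason></extendedDataElements>
 <extendedDataElements name="userInfo">
  <children name="appUserName"><values>cn=root</values></children>
  <children name="location"><values>10.0.0.5:40001</values></children>
 </extendedDataElements>
</CommonBaseEvent>"""
SAMPLE_EVENTS = [SUCCESS_EVENT, FAILURE_EVENT, FAILURE_EVENT]  # repeated failure

def parse_cbe_event(xml_text):
    """Flatten one CBE event into the fields an analyst reviews."""
    root = ET.fromstring(xml_text)
    rec = {"time": root.get("creationTime"), "extension": root.get("extensionName")}
    for ede in root.findall("extendedDataElements"):
        name = ede.get("name")
        if name == "outcome":
            rec["outcome"] = ede.findtext("result") or "FAILED"
            rec["failureReason"] = ede.findtext("failureReason")
        elif name == "userInfo":  # nested <children>, one per user attribute
            for child in ede.findall("children"):
                rec[child.get("name")] = child.findtext("values")
        else:
            rec[name] = ede.findtext("values")
    return rec

def summarise_authn(xml_events):
    """Count outcomes and failed binds per (bind DN, client location)."""
    totals, failures = Counter(), Counter()
    for rec in map(parse_cbe_event, xml_events):
        if rec["extension"] != "SECURITY_AUDIT_AUTHN":
            continue  # only authentication events are of interest here
        ok = rec.get("outcome") == "SUCCESSFUL"
        totals["success" if ok else "failure"] += 1
        if not ok:
            failures[(rec.get("appUserName"), rec.get("location"))] += 1
    return dict(totals), dict(failures)
```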
Configuring log management attributes for CBE and CARS
Using Web Administration
Here, an example of the Admin daemon log is considered. Depending on the log that you select, there might be some change in the controls displayed on the panel.
If you have not done so already, do the following:
- Click Server administration in the Web Administration navigation area and then click Logs in the expanded list.
- Click Modify log settings.
- From the list of logs, select Admin daemon log.
To modify the Admin daemon log:
- Enter the path and file name for the administration daemon log.
- Under Log size threshold (MB), select one of the following:
- Select the radio button with the edit field next to it and enter the maximum log size in Megabytes.
- If you want to use the default limit, select the radio button next to the drop-down menu. Select Default from the drop-down menu.
- If you do not want to set a limit to the log size, select the radio button next to the drop-down menu. Select Unlimited from the drop-down menu.
- Under Maximum log archives, select one of the following:
- Select the radio button with the edit field next to it and enter the maximum number of archives you want to save. One archived log is an earlier log that reached its size threshold.
- If you want to use the default maximum log archives value, select the radio button next to the drop-down menu. Select Default from the drop-down menu.
- If you do not want to archive logs, select the radio button next to the drop-down menu. Select No archives from the drop-down menu.
- If you do not want to limit the number of archived logs, select the radio button next to the drop-down menu. Select Unlimited from the drop-down menu.
- Under Log archive path, select one of the following:
- If you want to specify the path where archives are kept, select the radio button with an edit window next to it and enter the desired path.
- If you want to keep the archives in the directory where the log file is located, select the Default path radio button.
- Specify the frequency between two cycles of the CBE feature by selecting an item from the Select frequency check box.
- Specify the start date and start time for the CBE feature in the Starting on fields. You can also click the calendar icon to specify the start date. The start time must be in the following format: 12:30:00 PM.
- After you have finished, do one of the following:
- Click Next to continue with the configuring of log settings.
- Click Finish to save the changes and return to the Modify log settings panel.
- Click Cancel to discard changes made on this panel and to navigate to the Modify log settings panel.
To configure log settings for event-formatted log file, do the following:
- Select the Send log records to event-formatted log file check box to enable CBE formatted log file for the user.
- Specify the path name to store the CBE formatted log file in the File path field.
- Specify the file name in the File name prefix field for the CBE formatted log.
- Specify the threshold size for the CBE formatted log file in MB under Log size threshold (MB). If you want to specify a size limit in MB, select the option and specify a numeric value in the field. Otherwise, select Unlimited.
- Specify the maximum number of logs to be archived for the CBE formatted log. If you want to specify the maximum number of logs to be archived, select the option and specify a numeric value in the field. To set it to unlimited, select Unlimited.
- Specify the path name where the CBE formatted log should be archived. If you want to specify a path name, select the option and enter the absolute path name for the logs to be archived. To use the same directory as the log file for the archive, select Same directory as of log file.
- Specify the log level for the CBE formatted log. The available log levels are High, Medium, and Low.
- After you have finished, do one of the following:
- Click Back to go to the previous panel.
- Click Next to continue with the configuring of log settings.
- Click Finish to save the changes and return to Modify log settings panel.
- Click Cancel to discard changes made on this panel and to navigate to the Modify log settings panel.
Note:
- If no value is entered in Log archive path, the default value will be assigned.
- If 0 is set in fields that require numerical value, it is considered as "Unlimited" except for "Maximum log archives", where 0 is considered as "No archives".
To configure Common Audit and Reporting Service:
- Select the Send log records to common audit and reporting service check box to enable the CBE feature to read the TDS proprietary formatted logs, convert them to CBE format, and write them to the CEI server.
- In the Host field, enter the host name of the CEI server.
- In the Port field, enter the port number on which the CEI server listens.
- Specify the log level for the CBE formatted log. The available log levels are High, Medium, and Low.
- After you have finished, do one of the following:
- Click Back to go to the previous panel.
- Click Finish to save the changes and return to Modify log settings panel.
- Click Cancel to discard changes made on this panel and to navigate to the Modify log settings panel.
To start or stop log management using the Web administration tool
If you have not done so already, click Logs under Server administration in the Web Administration navigation area and click Start/Stop log management in the expanded list.
Using this panel, the root administrator and local administrative group members with AuditAdmin or ServerConfigGroupMember role can start and stop the log management service.
To start or stop the log management service:
- Do one of the following:
- If the log management service is running, click Stop to stop the service.
- If the log management service is stopped, click Start to start the service.
- Click Close to return to the "Introduction" panel.
Using the command line
To set the attribute values for the CBE and CARS feature:
#idsldapmodify -h <host_name> -p <portnumber> -D <cn=RDN_value> -w <password> -f <file_name>
where the contents of <file_name> are as follows:
dn: cn=<specific_log_name>,cn=Log Management, cn=configuration
ibm-slapdLogEventFileEnabled: true
-
add: ibm-slapdLogCARSEnabled
ibm-slapdLogCARSEnabled: false
-
add: ibm-slapdLogEventFormat
ibm-slapdLogEventFormat: CBE
-
add: ibm-slapdLogMgmtStartTime
ibm-slapdLogMgmtStartTime: 200609010000
-
add: ibm-slapdLogMgmtFrequency
ibm-slapdLogMgmtFrequency: 20
-
add: ibm-slapdLogEventFileSizeThreshold
ibm-slapdLogEventFileSizeThreshold: 2
-
add: ibm-slapdLogEventFileMaxArchives
ibm-slapdLogEventFileMaxArchives: 2
-
add: ibm-slapdLogEventFileArchivePath
ibm-slapdLogEventFileArchivePath: <path_name>/TempDir
-
add: ibm-slapdLogEventFileOptions
ibm-slapdLogEventFileOptions: <h|m|l>
-
add: ibm-slapdLogEventFilePath
ibm-slapdLogEventFilePath: /home/inst1/idsslapd-<instance_name>/logs
-
add: ibm-slapdLogEventFilePrefix
ibm-slapdLogEventFilePrefix: <log_name>
-
add: ibm-slapdLogSizeThreshold
ibm-slapdLogSizeThreshold: 1
-
add: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: 1
-
add: ibm-slapdLogArchivePath
ibm-slapdLogArchivePath: <path_name>/TempDir1
To start an instance:
# ibmslapd -I <instance_name> -n
To start the log management tool for an instance:
# idslogmgmt -I <instance_name>
To start, get status, and stop log management:
#ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <port_number> startlogmgmt
#ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <port_number> statuslogmgmt
#ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <port_number> stoplogmgmt
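An added example, not part of the product, that checks such a change file before it is applied: it parses the modify LDIF, applies the zero-value rule stated for the Web Administration panels (0 is Unlimited, except for Maximum log archives, where it is No archives), and validates ibm-slapdLogEventFileOptions and ibm-slapdLogEventFormat against the values given above. The LDIF is constructed and carries a deliberately invalid option value.

```python
# Check a cn=Log Management change file before applying it with idsldapmodify.
# Added example, not IBM tooling. The LDIF is constructed from the attribute names
# in the text; the zero rule is the one stated for the Web Administration panels.
import re

SAMPLE_LDIF = """dn: cn=audit,cn=Log Management, cn=configuration
changetype: modify
add: ibm-slapdLogEventFileEnabled
ibm-slapdLogEventFileEnabled: true
-
add: ibm-slapdLogEventFormat
ibm-slapdLogEventFormat: CBE
-
add: ibm-slapdLogEventFileOptions
ibm-slapdLogEventFileOptions: x
-
add: ibm-slapdLogEventFileSizeThreshold
ibm-slapdLogEventFileSizeThreshold: 0
-
add: ibm-slapdLogMaxArchives
ibm-slapdLogMaxArchives: 0
"""

def parse_modify_ldif(text):
    """Return (dn, {attribute: value}) from one modify-add LDIF record."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if line in ("-", "") or line.startswith(("add:", "changetype:", "#")):
            continue  # separators and change operators carry no value to check
        key, _, value = line.partition(":")
        if key == "dn":
            dn = value.strip()
        else:
            attrs[key] = value.strip()
    return dn, attrs

def effective_limit(attr, value):
    """0 means Unlimited, except for ibm-slapdLogMaxArchives where 0 means No archives."""
    if value == "0":
        return "No archives" if attr == "ibm-slapdLogMaxArchives" else "Unlimited"
    return value

def lint_log_mgmt(text):
    """Return (effective limits, problems); an empty problem list means consistent."""
    dn, attrs = parse_modify_ldif(text)
    problems = []
    if not re.fullmatch(r"cn=[^,]+,cn=Log Management, ?cn=configuration", dn or ""):
        problems.append("dn is not an entry under cn=Log Management, cn=configuration")
    if attrs.get("ibm-slapdLogEventFileOptions", "l") not in ("h", "m", "l"):
        problems.append("ibm-slapdLogEventFileOptions must be h, m or l")
    if attrs.get("ibm-slapdLogEventFormat", "CBE") != "CBE":
        problems.append("ibm-slapdLogEventFormat must be CBE")
    limits = {a: effective_limit(a, v) for a, v in attrs.items()
              if a.endswith(("Threshold", "MaxArchives"))}
    return limits, problems
```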