

Chapter 23 Managing Logs

Each instance of Netscape Certificate Management System (CMS) maintains its own system, error, and audit log files. These files record events related to various CMS activities. By configuring logs, you can customize the contents in the log files.

This chapter explains how to use the CMS window to configure the system, error, and audit logs maintained by Certificate Management System, and how to monitor its activities by viewing log contents.

Before you attempt to configure or monitor logs, it's a good idea to read "Introduction to Logs".

The chapter has the following sections:


Management of Logs
You can manage CMS logs in two ways:

The recommended method is to use the CMS window. However, for configuration parameters that are not shown in the CMS window, you may have to edit the configuration file.

Log Management from the CMS Window

The CMS window supports the configuration and monitoring of various CMS logs. In this window, you will find the Logs object in two places--in the navigation tree of the Configuration tab and in the navigation tree of the Status tab (see Figure 23.1).

Figure 23.1 Managing logs from the CMS window

The Logs object in the Configuration tab shows the current configuration of system, error, and audit logs and allows you to change it. For instructions on changing log configurations, see "Configuring Logs".

The Logs object in the Status tab shows messages logged by the server. For instructions on viewing logs, see "Monitoring Logs".

Log Parameters in the Configuration File

The sample in Figure 23.2 illustrates how information specific to logs appears in the configuration file, CMS.cfg. If you intend to change the configuration by editing the configuration file, be sure to follow the instructions provided in "Changing the Configuration by Editing the Configuration File".

Figure 23.2 Information specific to logs in the CMS configuration


Configuring Logs
This section describes the procedures for configuring each type of CMS log:

Configuring System Logs

To configure the system log for a CMS instance:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. In the navigation tree, click Logs.

    The System tab appears in the right pane. It shows the current configuration for the system log.

  3. If you want the server to log system-level messages, check the "Enable logging" box. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type.
  4. In the "Log options" section, specify information as appropriate:

    Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active system log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default rotation interval is Monthly. For more information, see "Rotation of Log Files".

    Maximum size. Type the file size in kilobytes (KB) for the system log. The default file size is 100 KB. For more information, see "Rotation of Log Files".

    Buffer size. Type the buffer size in kilobytes (KB) for the system log. The default size for the buffer is 512 KB. For more information, see "Buffered Versus Unbuffered Logging".

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. For more information, see "Log Levels (Message Categories)".

  5. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Configuring Error Logs

To configure the error log for a CMS instance:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. In the navigation tree, click Logs, and then in the right pane, click Error.

    The Error tab appears, showing the current configuration of the error log.

  3. If you want the server to log error messages, check the "Enable logging" box. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type.
  4. In the "Log options" section, specify information as appropriate:

    Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active error log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly. For more information, see "Rotation of Log Files".

    Maximum size. Type the file size in kilobytes (KB) for the error log. The default file size is 100 KB. For more information, see "Rotation of Log Files".

    Buffer size. Type the buffer size in kilobytes (KB) for the error log. The default size for the buffer is 512 KB. For more information, see "Buffered Versus Unbuffered Logging".

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. For more information, see "Log Levels (Message Categories)".

  5. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Configuring Audit Logs

To configure the audit log for a CMS instance:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. In the navigation tree, click Logs, and then in the right pane, click Audit.

    The Audit tab appears, showing the current configuration for the audit log.

  3. If you want the server to log system-level messages, check the "Enable logging" box. All the associated fields become available for you to enter information. Leave the box unchecked if you do not want the server to log messages of this type.
  4. In the "Log options" section, specify information as appropriate:

    Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active audit log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly. For more information, see "Rotation of Log Files".

    Maximum size. Type the file size in kilobytes (KB) for the audit log. The default file size is 100 KB. For more information, see "Rotation of Log Files".

    Buffer size. Type the buffer size in kilobytes (KB) for the audit log. The default size for the buffer is 512 KB. For more information, see "Buffered Versus Unbuffered Logging".

    Log level. From the drop-down list, select a log level. The choices are Debug, Info, Warning, Failure, Misconfiguration, Catastrophe, and Security. For more information, see "Log Levels (Message Categories)".

  5. If you need to make any other configuration changes, go to the appropriate options and modify them.
  6. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.


Monitoring Logs
When you have problems with Certificate Management System that require troubleshooting, you may find it helpful to check the error or informational messages that the server has logged. Also, by examining the log files you can monitor many aspects of the server's operation.

To facilitate this, the CMS window provides a simple mechanism for viewing the contents of both currently active and rotated audit, system, and error log files. The contents of the log file you choose to view are displayed in the form of a table. Each row is allocated to a specific log entry, with columns containing information such as the date and time the message was logged, the severity of the message, and a general description of the log. Once you open a log file for viewing, you can also do the following tasks:

This section covers the following topics on monitoring Certificate Management System by viewing log contents:

Monitoring System Logs

Certificate Management System maintains extensive system logs. These logs record various events and system errors for system monitoring and debugging. A system log records details such as the following:

You can view the contents of currently active as well as rotated system log files from the CMS window (see Figure 23.3).

If you have installed Certificate Management System on a Windows NT system, you can configure the server to log messages to Windows NT event log. For details, see "Logging to Windows NT Event Log".

Figure 23.3 A sample active system log displayed in the CMS window

To view the contents of an active or rotated system log file:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. Click the Status tab.
  3. In the navigation tree, under Logs, click System.
  4. In the Display Options section, specify your viewing preferences:

    Entries. Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) regardless of the number found.

    Source. Select the CMS component (or service) for which log messages are to be displayed. Depending on the components that write to this log file, the drop-down list shows one or more of the following: All, Registration Authority, Certificate Authority, Key Recovery Authority, HTTP, Internal Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see "Services That Are Logged".

    Level. Select a message category that represents the log level for filtering messages. For more information on log levels, see "Log Levels (Message Categories)".

    Filename. Select the log file you want to view. Choose Current to view the currently active system log file. For more information, see "Log File Naming Conventions".

  5. Click Refresh.

    The table displays the system log entries. The entries are in reverse chronological order, with the most current entry placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.

    For each entry you see the following details:

    Source. Indicates the CMS component or resource that logged the message.

    Level. Indicates the severity of the corresponding entry (explained in Table 22.3).

    Date. Indicates the date on which the entry was logged.

    Time. Indicates the time at which the entry was logged.

    Details. Provides a brief description of the log.

  6. To view an entry in its entirety, either double-click it or select the entry and click View.

Monitoring Error Logs

The error log file contains errors the server has encountered since the log file was created; it also contains informational messages about the server, such as when the server was started. Incorrect user authentication is also recorded in the error log. Use the error log to find broken URL paths or missing files.

You can view the contents of currently active as well as rotated error log files from the CMS window (see Figure 23.4).

Figure 23.4 A sample active error log displayed in the CMS window

To view the contents of an active or rotated error log file:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. Click the Status tab.
  3. In the navigation tree, under Logs, click Error.
  4. In the Display Options section, specify your viewing preferences:

    Entries. Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) to the client regardless of the number found.

    Source. Select the CMS component (or services) for which log messages are to be displayed. Depending on the components that write to this log file, the drop-down list shows one or more of the following: All, Registration Authority, Certificate Authority, Key Recovery Authority, HTTP, Internal Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see "Services That Are Logged".

    Level. Select a message category that represents the level of logging to filter messages. For more information, see "Log Levels (Message Categories)".

    Filename. Select the log file you want to view. Choose Current to view the currently active error log file. For more information, see "Log File Naming Conventions".

  5. Click Refresh.

    The table displays the error log entries. The entries are in reverse chronological order, with the most current log placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.

    For each entry you see the following details:

    Source. Indicates the CMS component or resource that logged the message.

    Level. Indicates the severity of the corresponding entry (explained in Table 22.3).

    Date. Indicates the date on which the entry was logged.

    Time. Indicates the time at which the entry was logged.

    Details. Provides a brief description of the log.

  6. To view an entry in its entirety, either double-click it or select the entry and click View.

Monitoring Audit Logs

Certificate Management System maintains audit trails for all events--certificate requests, certificate renewal and revocation requests, CRL publication, and so on. These trails enable you to detect any unauthorized access or activity. The audit trails are logged and maintained in a file in your local file system.

If you have installed Certificate Management System on a Windows NT system, you can also configure the server to log audit messages to Windows NT event log. For details, see "Logging to Windows NT Event Log".

Important You should periodically examine and audit the CMS audit log for unusual activity. When examining the log, note in particular the log entries that fall under the Security-Related Events category (these are labeled Security).

You can view the contents of currently active as well as rotated audit log files from the CMS window (see Figure 23.5).

Figure 23.5 A sample active audit log displayed in the CMS window

To view the contents of an active or rotated audit log file:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. Click the Status tab.
  3. In the navigation tree, under Logs, click Audit.
  4. In the Display Options section, specify your viewing preferences:

    Entries. Type the maximum number of entries to be displayed. When this limit is reached, Certificate Management System returns any entries it has located that match the search request. If you enter zero (0), no messages are returned. If you leave the field blank, the server returns every matching entry (no limit) regardless of the number it finds.

    Source. Select the CMS component (or resource) for which log messages are to be displayed. Depending on the components that write to this log file, the drop-down list shows one or more of the following: All, Registration Authority, Certificate Authority, Key Recovery Authority, HTTP, Internal Database, Authentication, Administration, LDAP, Request Queue, ACLs, User and Group, and Others. If you choose All, messages logged by all components that log to this file are displayed. For more information, see "Services That Are Logged".

    Level. Select a message category that represents the level of logging to filter messages. For more information, see "Log Levels (Message Categories)".

    Filename. Select the log file you want to view. Choose Current to view the currently active audit log file. For more information, see "Log File Naming Conventions".

  5. Click Refresh.

    The table displays the audit log entries. The entries are in reverse chronological order, with the most current log placed at the top. Use the scroll arrows on the right edge of the panel to scroll through the log entries.

    For each entry you see the following details:

    Source. Indicates the CMS component or resource that wrote to the log file.

    Level. Indicates the severity of the corresponding entry (explained in Table 22.3).

    Date. Indicates the date on which this entry was logged.

    Time. Indicates the time at which this entry was logged.

    Details. Provides a brief description of the log.

  6. To view an entry in its entirety, either double-click it or select the entry and then click View.

Using System Tools for Monitoring the Server (Windows NT Only)

If you have installed Certificate Management System on a Windows NT system, you can monitor the server with the system tools provided by Windows NT.

Logging to Windows NT Event Log

You can also configure Certificate Management System to write both audit and system logs to the event log of a Windows NT system. The server's configuration file includes parameters that enable you to turn this feature on or off and to specify the levels for logging. The parameters are listed in Table 23.1:

Table 23.1 Configuration parameters for logging to the Windows NT event log

Configuration parameter
    Description

logNTAudit.NTEventSourceName
    Specifies the CMS instance ID for which the audit messages are to be logged. For example, the instance ID could be cert-test CA.

logNTAudit.level
    Specifies the level for logging the audit messages. By default, it is set to 2. For information on log levels you can specify, see "Log Levels (Message Categories)".

logNTAudit.on
    Specifies whether audit logging is enabled or disabled. To enable logging, enter true; to disable logging, enter false. By default, it is enabled.

logNTSystem.NTEventSourceName
    Specifies the CMS instance ID for which the system messages are to be logged. For example, the instance ID could be cert-test CA.

logNTSystem.level
    Specifies the level for logging the system messages. By default, it is set to 2. For information on log levels you can specify, see "Log Levels (Message Categories)".

logNTSystem.on
    Specifies whether system logging is enabled or disabled. To enable logging, enter true; to disable logging, enter false. By default, it is enabled.

Note that by default both the audit and system logs are enabled and the log level for both is set to 2. You can change this by editing the configuration file (no UI is provided for this).

To change the default configuration:

  1. Stop the CMS instance; see "Stopping Certificate Management System".
  2. Open the configuration file (CMS.cfg) in a text editor; to locate the file, see "Locating the Configuration File".
  3. Locate the configuration parameters pertaining to Windows NT logging, and change the parameter values as appropriate. The sample configuration below shows the audit log turned on with a logging level of 1. The system log is turned off.

    logNTAudit.NTEventSourceName=cert-testCA
    logNTAudit.level=1
    logNTAudit.on=true
    logNTSystem.NTEventSourceName=cert-testCA
    logNTSystem.level=2
    logNTSystem.on=false

  4. Save your changes, and close the configuration file.
  5. Start the CMS instance; see "Starting Certificate Management System".

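
A check of these parameters against the defaults in Table 23.1, run on the sample configuration shown in the procedure above. This is an added example, not part of the Netscape guide or of CMS; the function names are hypothetical, and it assumes that a parameter missing from CMS.cfg takes its documented default.

```python
DEFAULT_ON, DEFAULT_LEVEL = "true", 2        # defaults stated in Table 23.1
LEVEL_NAMES = {0: "Debugging", 1: "Informational", 2: "Warning", 3: "Failure",
               4: "Misconfiguration", 5: "Catastrophic failure",
               6: "Security-related events"}  # numbering from Table 23.2

def parse_cfg(text):
    """Parse name=value lines; lines without '=' are skipped."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def review_nt_logging(text):
    """Return {prefix: {"enabled", "level", "source", "findings"}} for both logs."""
    params = parse_cfg(text)
    report = {}
    for prefix in ("logNTAudit", "logNTSystem"):
        findings = []
        # Assumption: a parameter absent from the file takes its documented default.
        on = params.get(prefix + ".on", DEFAULT_ON)
        raw_level = params.get(prefix + ".level", str(DEFAULT_LEVEL))
        source = params.get(prefix + ".NTEventSourceName", "")
        if on not in ("true", "false"):
            findings.append("unexpected .on value %r" % on)
        elif on == "false":
            findings.append("logging to the NT event log is turned off")
        level = int(raw_level) if raw_level.isdecimal() else None
        if level not in LEVEL_NAMES:
            findings.append("unexpected .level value %r" % raw_level)
            level = None
        elif level != DEFAULT_LEVEL:
            findings.append("level %d (%s) differs from the default of %d"
                            % (level, LEVEL_NAMES[level], DEFAULT_LEVEL))
        if not source:
            findings.append(".NTEventSourceName is not set in the file")
        report[prefix] = {"enabled": on == "true", "level": level,
                          "source": source, "findings": findings}
    return report

# The sample configuration shown in this chapter.
SAMPLE = """\
logNTAudit.NTEventSourceName=cert-testCA
logNTAudit.level=1
logNTAudit.on=true
logNTSystem.NTEventSourceName=cert-testCA
logNTSystem.level=2
logNTSystem.on=false
"""

if __name__ == "__main__":
    for prefix, result in review_nt_logging(SAMPLE).items():
        print(prefix, result)
```

Run against a copy of CMS.cfg after any edit, an empty findings list for both prefixes means the file still matches the documented defaults.
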
Using Event Viewer

In addition to logging messages to the log files maintained in your local file system, Certificate Management System can also log audit messages and system errors to the Windows NT Event log. To configure the server to log messages to Windows NT event log, see "Logging to Windows NT Event Log". If you configure the server to do so, you can use the system's tool called Event Viewer to monitor events related to your server.

More information about Event Viewer is available in your system documentation.

To monitor Certificate Management System by using Event Viewer:

  1. In the Administrative Tools program group, double-click the Event Viewer icon.
  2. From the Log menu, select Application.

    The Application log appears in Event Viewer. In this log, the source of any messages from Netscape Certificate Management System is the server's instance ID (if you didn't change the default values assigned to the logNTAudit.NTEventSourceName and logNTSystem.NTEventSourceName parameters).

  3. From the View menu, choose Find to search for one of the Netscape labels in the log; use Refresh to see updated log entries.
  4. Double-click a log entry to see additional information.

The mapping between the CMS log levels and the Windows NT event type is shown in Table 23.2.

Table 23.2 Mapping between CMS log levels and Windows NT event log type

Windows NT log event type    CMS log level
Information                  Debugging (0)
Information                  Informational (1)
Warning                      Warning (2)
Error                        Failure (3)
Error                        Misconfiguration (4)
Error                        Catastrophic failure (5)
Error                        Security-related events (6)


Signing Log Files
Certificate Management System allows you to digitally sign log files before you archive them or distribute them for audit purposes. This feature enables you to check whether the log files have been tampered with since being signed.

For signing log files, you use a command-line utility called Netscape Signing Tool; for details about this utility, see Appendix F, "Netscape Signing Tool"; to locate the online version of the document, see "Where to Go for Related Information". The utility uses information in the certificate (cert7.db), key (key3.db), and security module (secmod.db) databases of Certificate Management System.

Before you begin signing the log files, follow these guidelines:

When you are ready with all this information, follow the procedure below to sign the log directories:

  1. Go to the CMS instance in which the CA whose key pair you want to use for signing is installed.
  2. Copy the security module database (secmod.db file) from the Administration Server configuration directory to the CMS configuration directory.

    The security module database is at this location:

    <server_root>/admin-serv/config/...

    Copy it to this location:

    <server_root>/cert-<instance_id>/config/...

  3. Open a terminal window.
  4. At the command prompt, run the following command with the appropriate information:

    signtool -d <secdb_dir> -k <cert_nickname> -Z <output> <input>

    <secdb_dir> specifies the path to the directory that contains the certificate, key, and security module databases for the CA. This must be the same path you used to copy the security module database in step 2.

    <cert_nickname> specifies the nickname of the certificate you want the utility to use for signing.

    <output> specifies the name of the JAR file (a signed zip file).

    <input> specifies the path to the directory that contains the log files.

    For example, in a Windows NT system, your command might look like this:

    signtool -d c:\netscape\server4\cert-testCA\config -k testCAsigningcertificate -Z log_err_02_99.jar c:\archive\logs

    where

    c:\netscape\server4\cert-testCA\config is the path to the certificate, key, and security module databases (secdb_dir).

    testCAsigningcertificate is the certificate nickname (cert_nickname).

    log_err_02_99.jar is the name of the JAR file (output).

    c:\archive\logs is the directory to be signed (input).
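
One way to compare an archived log directory with the per-file digests recorded in such a JAR, as an added example that is not part of the Netscape guide or of Netscape Signing Tool. It assumes the JAR carries a standard JAR manifest at META-INF/manifest.mf with Name and SHA1-Digest entries; the file names and contents in demo() are constructed. It checks digests only, so validating the signature over the manifest remains the signing tool's job.

```python
import base64, hashlib, os, tempfile, zipfile

MANIFEST = "META-INF/manifest.mf"  # assumed location (standard JAR layout)

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-file sections."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a wrapped line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        key, sep, value = line.partition(": ")
        if not sep:
            current = None                # blank line ends the section
        elif key == "Name":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return entries

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def check_logs(jar_path, log_dir):
    """Compare files under log_dir with the digests recorded in the JAR manifest."""
    with zipfile.ZipFile(jar_path) as jar:
        names = {n.lower(): n for n in jar.namelist()}
        if MANIFEST.lower() not in names:
            raise ValueError("archive has no manifest")
        entries = parse_manifest(jar.read(names[MANIFEST.lower()]).decode("utf-8"))
    report = {}
    for name, attrs in entries.items():
        parts = name.split("/")
        if name.startswith("/") or ".." in parts:
            report[name] = "unsafe-name"  # never follow a path out of log_dir
            continue
        path = os.path.join(log_dir, *parts)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif "SHA1-Digest" not in attrs:
            report[name] = "no-digest"
        else:
            with open(path, "rb") as fh:
                same = sha1_b64(fh.read()) == attrs["SHA1-Digest"]
            report[name] = "ok" if same else "modified"
    for root, _dirs, files in os.walk(log_dir):   # files the manifest never covered
        for fname in files:
            rel = os.path.relpath(os.path.join(root, fname), log_dir)
            report.setdefault(rel.replace(os.sep, "/"), "unlisted")
    return report

def demo():
    """Constructed data: three log files, a manifest for them, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "logs")
        os.mkdir(logs)
        manifest = "Manifest-Version: 1.0\n"
        for name in ("audit", "error", "system"):   # constructed file names
            data = ("constructed %s entry\n" % name).encode()
            with open(os.path.join(logs, name), "wb") as fh:
                fh.write(data)
            manifest += "\nName: %s\nSHA1-Digest: %s\n" % (name, sha1_b64(data))
        jar = os.path.join(tmp, "logs.jar")
        with zipfile.ZipFile(jar, "w") as archive:
            archive.writestr(MANIFEST, manifest)
        with open(os.path.join(logs, "audit"), "ab") as fh:
            fh.write(b"line added after signing\n")
        os.remove(os.path.join(logs, "system"))
        with open(os.path.join(logs, "extra"), "wb") as fh:
            fh.write(b"file dropped in later\n")
        return check_logs(jar, logs)
```

Calling demo() returns one status per file: a file changed after the manifest was written is reported as modified, a deleted one as missing, and a file the manifest never listed as unlisted.
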

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.