

Chapter 22 Introduction to Logs

Netscape Certificate Management System (CMS) creates log files that record events related to its activities, such as administration, communications using any of the protocols the server supports, and various other processes employed by all the subsystems the server manages.

This chapter identifies various logs maintained by Certificate Management System and describes them in detail. The chapter has the following sections:


Logs Maintained by Certificate Management System
While Certificate Management System is running, it keeps a log of information and error messages on all the components it manages. These messages are broadly categorized into three separate logs and are maintained in three separate log files, as listed in Table 22.1.

During installation, Certificate Management System automatically creates the required log files in your local file system. The server creates common system, error, and audit files for all components that were installed together, and it logs messages to these files. For example, if you installed a Certificate Manager and a Data Recovery Manager together, you will find log messages for both the subsystems in the same log file.

Table 22.1 Types of logs maintained by Certificate Management System

| Log type | Description |
|---|---|
| System | This log records information about requests to the server (all HTTP and HTTPS requests) and the responses from the server. Information recorded in this log includes the IP address of the client machine that accessed the server, operations performed (for example, search, add, edit), and the result of the access (for example, the number of entries returned). This log is on by default. For more information, see "Monitoring System Logs". |
| Error | This log contains the error messages the server has encountered (HTTP errors and errors with the certificate service). This log is on by default. For more information, see "Monitoring Error Logs". |
| Audit | This log records messages specific to the certificate service--messages such as certificate requests, certificate renewal and revocation requests, and CRL publication--and enables you to detect any unauthorized access or activity. This log is on by default. For more information, see "Monitoring Audit Logs". |


Services That Are Logged
All major components and protocols (or services) of Certificate Management System log messages to log files. Table 22.2 lists services that are logged by default. If you want to view messages logged by a specific service, you can customize log settings accordingly. For details, see "Monitoring Logs".

Table 22.2 Services logged by Certificate Management System

| Service | Description |
|---|---|
| All | Specifies logged events related to all the services. |
| Registration Authority | Specifies logged events related to the Registration Manager. |
| Certificate Authority | Specifies logged events related to the Certificate Manager. |
| Key Recovery Authority | Specifies logged events related to the Data Recovery Manager. |
| HTTP | Specifies logged events related to the HTTP activity of the server. |
| Database | Specifies logged events related to this server's activity with the internal database. |
| Authentication | Specifies logged events related to this server's activity with the authentication module. |
| Administration | Specifies logged events related to this server's administration activities--that is, HTTPS communication between the CMS window and Certificate Management System. |
| LDAP | Specifies logged events related to this server's activity with the LDAP directory (used for publishing certificates and CRLs). |
| Request Queue | Specifies logged events related to the request queue activity of this server. |
| ACLs | Specifies logged events related to access control lists. |
| User and Group | Specifies logged events related to users and groups managed by this server. |
| Others | Specifies logged events related to other activities of this server, such as command-line utilities and other processes. |


Log Levels (Message Categories)
For identification and filtering purposes, events logged by all CMS-supported services are classified into various categories. These are listed in Table 22.3. Each category represents messages that are of the same or a similar nature or that belong to a specific functional area. A particular log, for example the error log, can record entries that fall under one or more of these categories.

In the CMS configuration, each message category corresponds to a specific log level. Log levels are represented by numbers (digits) 1 to 6, each digit indicating the level of logging to be performed by the server--that is, how detailed the logging should be.

Table 22.3 Classification of log entries or messages

| Log level | Message category | Description |
|---|---|---|
| 0 | Debugging | These messages contain debugging information. |
| 1 | Informational | These messages provide general information about the state of Certificate Management System. For example, status messages such as "Certificate Management System initialization complete" and "Request for operation succeeded" fall into this category. |
| 2 | Warning | These messages are warnings only and do not indicate any failure in the normal operation of the server. |
| 3 | Failure (default) | These messages indicate errors and failures that prevent the server from operating normally. Examples of messages that fall into this category include failures to perform a certificate service operation ("User authentication failed" or "Certificate revoked") and unexpected situations that can cause irrevocable errors ("The server cannot send back the request it processed for a client through the same channel the request came from the client"). |
| 4 | Misconfiguration | These messages indicate that a misconfiguration in the server is causing an error. |
| 5 | Catastrophic failure | These messages indicate that because of an error, the service cannot continue running. |
| 6 | Security-related events | These messages identify occurrences that affect the security of the server (for example, "Privileged access attempted by user with revoked or unlisted certificate"). |

You can use log levels to filter log entries based on the severity of an event. By default, a level 3 (Failure) is set for all services.

Important: The log level is additive--that is, specifying a value of 3 causes levels 4, 5, and 6 to be logged. Log data can be voluminous, especially at lower (more verbose) logging levels. Make sure that the host machine has sufficient disk space for all the log files. It is also important to define your logging level, log rotation, log expiration, and server-backup policies appropriately so that all the log files are backed up and the host system doesn't get overloaded; otherwise, you may lose information.


Log File Locations
For quick access, all the log files--system, error, and audit--are maintained in your local file system. Make sure that your storage capacity is sufficient for all your log files. A log file has the following default location:

<server_root>/cert-<instance_id>/logs/...

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this during installation.

You can change the default location for logs by modifying it in the configuration. For details, see "Log Parameters in the Configuration File".


Log File Naming Conventions
All log files created by Certificate Management System use one of two naming conventions: one for active log files and one for rotated log files.

Active Log File Naming Convention

All active log files created by Certificate Management System use an identical naming convention. The name of an active log file is in the form <log_type>.log, where <log_type> specifies the log file type--whether it is system, error, or audit.

For example, an active error log file would be named error.log.

Rotated Log File Naming Convention

All rotated log files created by Certificate Management System use an identical naming convention. When Certificate Management System rotates an active log file, it renames the current log file and then creates a new log file with the original name. The rotated log file is saved with the original file type and an appended timestamp.

The name of a rotated log file is in the form <log_type>.timestamp, where the components of the filename indicate the following:

For example, an error log file rotated on July 28, 1998 at 12:36:24 would be named error.19980728123624.

Note: The timestamp is expressed in standard Unix time: the number of seconds since midnight January 1, 1970.


Buffered Versus Unbuffered Logging
Certificate Management System supports buffered logging for all three types of logs--system, error, and audit. You can choose to configure the server for either buffered or unbuffered logging (see "Configuring Logs").

If you configure Certificate Management System for buffered logging, the server creates buffers for the corresponding logs, and it holds the messages in these buffers for as long as possible. The server flushes out the messages to the log files--which are maintained in your local file system--only when either of the following conditions occurs:

If you configure the server for unbuffered logging, the server flushes out messages as they are generated to the log files. Because the server performs an I/O operation (writing to the log file) each time a message is generated, configuring the server for unbuffered logging decreases performance.


Rotation of Log Files
Certificate Management System supports automatic rotation of log files, which simplifies administration and facilitates backups. You are not required to manually retire the current log file and create a new one to hold subsequent logged events. You can back up all but the current log file in a directory at any time, without stopping the server or manually notifying the server to start a new log file. The parameters that control log rotation are specified in the configuration. To change the log file rotation parameters, see "Configuring Logs".

You should periodically archive or back up the rotated log files. For details, see "Archiving of Rotated Log Files".

Timing of Log File Rotation

Log files are rotated when either of the following conditions occurs:

Location of Rotated Log Files

Rotated log files are stored at the same location where the current or active log files are maintained. To find out where the active log files are located, see "Log File Locations".


Deletion of Log Files
Certificate Management System supports automatic deletion of rotated (or old) log files. The parameters that control log deletion are specified in the configuration file.

How to Conserve Disk Space

By default, Certificate Management System does not delete rotated log files automatically. Because the rotated log files are also saved in your local file system, these files eventually take up a considerable amount of disk space. You can avoid this problem by doing one of the following:

In either case, if you want to keep specific log files for future use, be sure to archive or back them up before they are deleted. For details, see "Archiving of Rotated Log Files".

Timing of Log File Deletion

If you configure Certificate Management System to delete rotated log files automatically, the server deletes a rotated log file once its age equals or exceeds the interval specified by the expirationTime configuration parameter. The default value for this parameter is 2592000 seconds (or every hour); see "Log Parameters in the Configuration File".


Archiving of Rotated Log Files
Log files, especially the audit log file, contain critical information. So it is good practice to periodically archive rotated log files to some archive media. Consider doing this whether you are manually deleting rotated log files or have configured the server to delete files automatically. You can archive log files by copying the entire log directory to your archive media.

Certificate Management System does not provide any tool or utility for archiving log files. Use the tools or utilities that your operating system provides for archiving.

Certificate Management System does, however, provide a command-line utility, called signtool, that allows you to sign log files before archiving them. This gives you a means of tamper detection. For details, see "Signing Log Files".
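
The naming, deletion and archiving sections above combine into one operational check: which rotated log files will reach expirationTime before anyone has archived them. The following is an added example, not part of the original guide or of Certificate Management System; the function names, the sample listing and the one-day warning margin are hypothetical. It assumes the rotated-file timestamp follows the YYYYMMDDhhmmss layout of the guide's example name (error.19980728123624) and that a file's age is counted from that timestamp.

```python
import re
from datetime import datetime, timedelta

# Active logs are "<log_type>.log"; rotated logs are "<log_type>.<timestamp>".
# Assumption: the timestamp has the 14-digit YYYYMMDDhhmmss layout of the
# guide's example name, error.19980728123624.
ACTIVE = re.compile(r"^(system|error|audit)\.log$")
ROTATED = re.compile(r"^(system|error|audit)\.(\d{14})$")


def classify(name):
    """Return (state, log_type, rotated_at), or None for any other file."""
    m = ACTIVE.match(name)
    if m:
        return ("active", m.group(1), None)
    m = ROTATED.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that do not form a real date
        return None
    return ("rotated", m.group(1), stamp)


def at_risk(names, archived, now, expiration_time, margin=86400):
    """Rotated logs, not yet archived, that reach expirationTime within
    `margin` seconds. Assumption: age is counted from the rotation timestamp."""
    cutoff = now - timedelta(seconds=expiration_time - margin)
    hits = []
    for name in sorted(names):
        info = classify(name)
        if info and info[0] == "rotated" and name not in archived and info[2] <= cutoff:
            hits.append(name)
    return hits


# Constructed sample: a listing of <server_root>/cert-<instance_id>/logs/
# and the set of names already copied to archive media.
SAMPLE_LISTING = ["audit.log", "error.log", "system.log", "core",
                  "audit.19980629090000", "audit.19980720093000",
                  "system.19980629100000", "error.19980728123624",
                  "error.19981399999999"]
SAMPLE_ARCHIVED = {"system.19980629100000"}
SAMPLE_NOW = datetime(1998, 7, 28, 13, 0, 0)

if __name__ == "__main__":
    # expirationTime = 2592000 seconds, the default quoted in this chapter.
    for name in at_risk(SAMPLE_LISTING, SAMPLE_ARCHIVED, SAMPLE_NOW, 2592000):
        print("archive before deletion:", name)
```

Active logs and files that do not match either naming convention are ignored, so the check can run against the whole log directory.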

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.