[Freeipa-users] Where do I change the nsslapd-accesslog-level?
I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
- Original Message - I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
Jason Becker wrote: I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? 256 is the default. I found this documented in a slightly older release at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-cnconfig-nsslapd_accesslog_level I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Yes. And I guess ironically you can configure the timeout but without being able to display the page this can be hard using our tools, which enforce that timeout. This data lives at cn=ipaConfig,cn=etc,dc=example,dc=com . You can use ldapmodify to change this if the IPA tools keep timing out while trying. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
- Original Message - On Tue, May 13, 2014 at 1:28 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting I do mean access logging. I want to change it because it's too verbose :-) . It's causing high load / iowait on the server. There isn't a way to change the access log level to make it less verbose. You can turn it off completely nsslapd-accesslog-enabled: off Note that the access log is buffered, specifically to reduce the I/O load. If that buffered load is _still_ too high, then you might want to investigate replacing the access log file with a named pipe, then writing a small bit of python code to filter out only the events you are interested in. See https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html Based on the link you sent if I crafted an ldif like: dn: cn=config changetype: modify replace: nsslapd-accesslog-level nsslapd-accesslog-level: 4 that would presumably get me what I want. I don't think so. The error log levels are completely different than the access log levels, in that there are no access log levels. Does it require a dirsrv restart? No, but . . . Please advise. Thanks! This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
On Tue, May 13, 2014 at 2:26 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - On Tue, May 13, 2014 at 1:28 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting I do mean access logging. I want to change it because it's too verbose :-) . It's causing high load / iowait on the server. There isn't a way to change the access log level to make it less verbose. You can turn it off completely nsslapd-accesslog-enabled: off Sorry, you've confused me. Are you saying that nsslapd-accesslog-level: 4 is just as verbose as nsslapd-accesslog-level: 256? Or that there is literally no way to change the level despite the fact that there are levels? Cheers Note that the access log is buffered, specifically to reduce the I/O load. If that buffered load is _still_ too high, then you might want to investigate replacing the access log file with a named pipe, then writing a small bit of python code to filter out only the events you are interested in. See https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html Based on the link you sent if I crafted an ldif like: dn: cn=config changetype: modify replace: nsslapd-accesslog-level nsslapd-accesslog-level: 4 that would presumably get me what I want. I don't think so. The error log levels are completely different than the access log levels, in that there are no access log levels. Does it require a dirsrv restart? No, but . . . Please advise. Thanks! This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
- Original Message - On Tue, May 13, 2014 at 2:26 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - On Tue, May 13, 2014 at 1:28 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting I do mean access logging. I want to change it because it's too verbose :-) . It's causing high load / iowait on the server. There isn't a way to change the access log level to make it less verbose. You can turn it off completely nsslapd-accesslog-enabled: off Sorry, you've confused me. Are you saying that nsslapd-accesslog-level: 4 is just as verbose as nsslapd-accesslog-level: 256? Yes. Or that there is literally no way to change the level despite the fact that there are levels? Yes, you can change the level. You can make it much more verbose than it is already. I don't think this is what you want. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level So you could, for example, change the level to 4, and log internal operations. 1) That may be much more verbose than the default of 256 2) That may not be particularly useful to you. If the purpose of changing the access logging level is to reduce the I/O, then no, there is no level which will reduce the verbosity but still give you some sort of useful data in the access log. If you want to reduce the verbosity, but still have some sort of useful information, then you'll have to use the named pipe log script to filter out only those events which are useful to you. Cheers Note that the access log is buffered, specifically to reduce the I/O load. If that buffered load is _still_ too high, then you might want to investigate replacing the access log file with a named pipe, then writing a small bit of python code to filter out only the events you are interested in. See https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html Based on the link you sent if I crafted an ldif like: dn: cn=config changetype: modify replace: nsslapd-accesslog-level nsslapd-accesslog-level: 4 that would presumably get me what I want. I don't think so. The error log levels are completely different than the access log levels, in that there are no access log levels. Does it require a dirsrv restart? No, but . . . Please advise. Thanks! This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
On Tue, May 13, 2014 at 3:35 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - On Tue, May 13, 2014 at 2:26 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - On Tue, May 13, 2014 at 1:28 PM, Richard Megginson rmegg...@redhat.comwrote: - Original Message - I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting I do mean access logging. I want to change it because it's too verbose :-) . It's causing high load / iowait on the server. There isn't a way to change the access log level to make it less verbose. You can turn it off completely nsslapd-accesslog-enabled: off Sorry, you've confused me. Are you saying that nsslapd-accesslog-level: 4 is just as verbose as nsslapd-accesslog-level: 256? Yes. Or that there is literally no way to change the level despite the fact that there are levels? Yes, you can change the level. You can make it much more verbose than it is already. I don't think this is what you want. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level So you could, for example, change the level to 4, and log internal operations. 1) That may be much more verbose than the default of 256 2) That may not be particularly useful to you. If the purpose of changing the access logging level is to reduce the I/O, then no, there is no level which will reduce the verbosity but still give you some sort of useful data in the access log. If you want to reduce the verbosity, but still have some sort of useful information, then you'll have to use the named pipe log script to filter out only those events which are useful to you. Thanks for the clarification. I was working on the assumption that indeed nsslapd-accesslog-level: 4 would be less verbose but still provide some sort of useful data in the access log. Cheers Cheers Note that the access log is buffered, specifically to reduce the I/O load. If that buffered load is _still_ too high, then you might want to investigate replacing the access log file with a named pipe, then writing a small bit of python code to filter out only the events you are interested in. See https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html Based on the link you sent if I crafted an ldif like: dn: cn=config changetype: modify replace: nsslapd-accesslog-level nsslapd-accesslog-level: 4 that would presumably get me what I want. I don't think so. The error log levels are completely different than the access log levels, in that there are no access log levels. Does it require a dirsrv restart? No, but . . . Please advise. Thanks! This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users