Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
On Tue, May 13, 2014 at 3:35 PM, Richard Megginson wrote: > > > - Original Message - > > On Tue, May 13, 2014 at 2:26 PM, Richard Megginson > > wrote: > > > > > - Original Message - > > > > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson > > > > wrote: > > > > > > > > > - Original Message - > > > > > > I am using FreeIPA 3.0.0 on RHEL 6 > (ipa-server-3.0.0-37.el6.x86_64). > > > > > > > > > > > > Where do I change the verbosity of access logging? > > > > > > > > > > > > > > > Why do you need to change the verbosity of access logging? Do you > mean > > > > > error logging? If so, see > http://port389.org/wiki/FAQ#Troubleshooting > > > > > > > > > > > > > I do mean access logging. I want to change it because it's too > verbose > > > :-) > > > > . It's causing high load / iowait on the server. > > > > > > There isn't a way to change the access log level to make it less > verbose. > > > You can turn it off completely nsslapd-accesslog-enabled: off > > > > > > > Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level: > 4" > > is just as verbose as "nsslapd-accesslog-level: 256"? > > Yes. > > > Or that there is > > literally no way to change the level despite the fact that there are > levels? > > Yes, you can change the level. You can make it much more verbose than it > is already. I don't think this is what you want. > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level > > So you could, for example, change the level to 4, and log internal > operations. 1) That may be much more verbose than the default of 256 2) > That may not be particularly useful to you. > > If the purpose of changing the access logging level is to reduce the I/O, > then no, there is no level which will reduce the verbosity but still give > you some sort of useful data in the access log. > > If you want to reduce the verbosity, but still have some sort of useful > information, then you'll have to use the named pipe log script to filter > out only those events which are useful to you. > Thanks for the clarification. I was working on the assumption that indeed "nsslapd-accesslog-level: 4" would be less verbose but still provide some sort of useful data in the access log. Cheers > > > > > Cheers > > > > > > > > > Note that the access log is buffered, specifically to reduce the I/O > load. > > > If that buffered load is _still_ too high, then you might want to > > > investigate replacing the access log file with a named pipe, then > writing a > > > small bit of python code to filter out only the events you are > interested > > > in. See > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html > > > > > > > > > > > Based on the link you sent if I crafted an ldif like: > > > > > > > > dn: cn=config > > > > changetype: modify > > > > replace: nsslapd-accesslog-level > > > > nsslapd-accesslog-level: 4 > > > > > > > > that would presumably get me what I want. > > > > > > I don't think so. The error log levels are completely different than > the > > > access log levels, in that there are no access log levels. > > > > > > > > > > > Does it require a dirsrv restart? > > > > > > No, but . . . > > > > > > > > > > > Please advise. > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This doc: > > > > > > > > > > > > > > > > > > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > > > > > > > > > > > discusses turning on global debugging but doesn't help me. The > same > > > doc > > > > > links > > > > > > to: > > > > > > > > > > > > > > > > > > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > > > > > > > > > > > which tells me that I need to change the nsslapd-accesslog-level > but > > > the > > > > > link > > > > > > on that page is a 404. > > > > > > > > > > > > So what do I need to do to change the level? I would assume that > > > setting > > > > > the > > > > > > level to 4 would be indicated if 256 is too verbose but can > someone > > > > > please > > > > > > confirm? > > > > > > > > > > > > I tried looking in the Configuration tab of the admin GUI but I > get > > > > > thrown: > > > > > > > > > > > > IPA Error 4204 > > > > > > > > > > > > limits exceeded for this query > > > > > > > > > > > > Not sure what's going on there, might be symptomatic of the high > > > load the > > > > > > server is under due to iowait perhaps... > > > > > > > > > > > > Thanks! > > > > > > > > > > > > ___ > > > > > > Freeipa-users mailing list > > > > > > Freeipa-users@redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > > > >
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
- Original Message - > On Tue, May 13, 2014 at 2:26 PM, Richard Megginson > wrote: > > > - Original Message - > > > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson > > > wrote: > > > > > > > - Original Message - > > > > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). > > > > > > > > > > Where do I change the verbosity of access logging? > > > > > > > > > > > > Why do you need to change the verbosity of access logging? Do you mean > > > > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting > > > > > > > > > > I do mean access logging. I want to change it because it's too verbose > > :-) > > > . It's causing high load / iowait on the server. > > > > There isn't a way to change the access log level to make it less verbose. > > You can turn it off completely nsslapd-accesslog-enabled: off > > > > Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level: 4" > is just as verbose as "nsslapd-accesslog-level: 256"? Yes. > Or that there is > literally no way to change the level despite the fact that there are levels? Yes, you can change the level. You can make it much more verbose than it is already. I don't think this is what you want. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level So you could, for example, change the level to 4, and log internal operations. 1) That may be much more verbose than the default of 256 2) That may not be particularly useful to you. If the purpose of changing the access logging level is to reduce the I/O, then no, there is no level which will reduce the verbosity but still give you some sort of useful data in the access log. If you want to reduce the verbosity, but still have some sort of useful information, then you'll have to use the named pipe log script to filter out only those events which are useful to you. > > Cheers > > > > > Note that the access log is buffered, specifically to reduce the I/O load. > > If that buffered load is _still_ too high, then you might want to > > investigate replacing the access log file with a named pipe, then writing a > > small bit of python code to filter out only the events you are interested > > in. See > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html > > > > > > > > Based on the link you sent if I crafted an ldif like: > > > > > > dn: cn=config > > > changetype: modify > > > replace: nsslapd-accesslog-level > > > nsslapd-accesslog-level: 4 > > > > > > that would presumably get me what I want. > > > > I don't think so. The error log levels are completely different than the > > access log levels, in that there are no access log levels. > > > > > > > > Does it require a dirsrv restart? > > > > No, but . . . > > > > > > > > Please advise. > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > This doc: > > > > > > > > > > > > > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > > > > > > > > > discusses turning on global debugging but doesn't help me. The same > > doc > > > > links > > > > > to: > > > > > > > > > > > > > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > > > > > > > > > which tells me that I need to change the nsslapd-accesslog-level but > > the > > > > link > > > > > on that page is a 404. > > > > > > > > > > So what do I need to do to change the level? I would assume that > > setting > > > > the > > > > > level to 4 would be indicated if 256 is too verbose but can someone > > > > please > > > > > confirm? > > > > > > > > > > I tried looking in the Configuration tab of the admin GUI but I get > > > > thrown: > > > > > > > > > > IPA Error 4204 > > > > > > > > > > limits exceeded for this query > > > > > > > > > > Not sure what's going on there, might be symptomatic of the high > > load the > > > > > server is under due to iowait perhaps... > > > > > > > > > > Thanks! > > > > > > > > > > ___ > > > > > Freeipa-users mailing list > > > > > Freeipa-users@redhat.com > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
On Tue, May 13, 2014 at 2:26 PM, Richard Megginson wrote: > - Original Message - > > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson > > wrote: > > > > > - Original Message - > > > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). > > > > > > > > Where do I change the verbosity of access logging? > > > > > > > > > Why do you need to change the verbosity of access logging? Do you mean > > > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting > > > > > > > I do mean access logging. I want to change it because it's too verbose > :-) > > . It's causing high load / iowait on the server. > > There isn't a way to change the access log level to make it less verbose. > You can turn it off completely nsslapd-accesslog-enabled: off > Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level: 4" is just as verbose as "nsslapd-accesslog-level: 256"? Or that there is literally no way to change the level despite the fact that there are levels? Cheers > Note that the access log is buffered, specifically to reduce the I/O load. > If that buffered load is _still_ too high, then you might want to > investigate replacing the access log file with a named pipe, then writing a > small bit of python code to filter out only the events you are interested > in. See > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html > > > > > Based on the link you sent if I crafted an ldif like: > > > > dn: cn=config > > changetype: modify > > replace: nsslapd-accesslog-level > > nsslapd-accesslog-level: 4 > > > > that would presumably get me what I want. > > I don't think so. The error log levels are completely different than the > access log levels, in that there are no access log levels. > > > > > Does it require a dirsrv restart? > > No, but . . . > > > > > Please advise. > > > > Thanks! > > > > > > > > > > > > > > > > > This doc: > > > > > > > > > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > > > > > > > discusses turning on global debugging but doesn't help me. The same > doc > > > links > > > > to: > > > > > > > > > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > > > > > > > which tells me that I need to change the nsslapd-accesslog-level but > the > > > link > > > > on that page is a 404. > > > > > > > > So what do I need to do to change the level? I would assume that > setting > > > the > > > > level to 4 would be indicated if 256 is too verbose but can someone > > > please > > > > confirm? > > > > > > > > I tried looking in the Configuration tab of the admin GUI but I get > > > thrown: > > > > > > > > IPA Error 4204 > > > > > > > > limits exceeded for this query > > > > > > > > Not sure what's going on there, might be symptomatic of the high > load the > > > > server is under due to iowait perhaps... > > > > > > > > Thanks! > > > > > > > > ___ > > > > Freeipa-users mailing list > > > > Freeipa-users@redhat.com > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
- Original Message - > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson > wrote: > > > - Original Message - > > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). > > > > > > Where do I change the verbosity of access logging? > > > > > > Why do you need to change the verbosity of access logging? Do you mean > > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting > > > > I do mean access logging. I want to change it because it's too verbose :-) > . It's causing high load / iowait on the server. There isn't a way to change the access log level to make it less verbose. You can turn it off completely nsslapd-accesslog-enabled: off Note that the access log is buffered, specifically to reduce the I/O load. If that buffered load is _still_ too high, then you might want to investigate replacing the access log file with a named pipe, then writing a small bit of python code to filter out only the events you are interested in. See https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html > > Based on the link you sent if I crafted an ldif like: > > dn: cn=config > changetype: modify > replace: nsslapd-accesslog-level > nsslapd-accesslog-level: 4 > > that would presumably get me what I want. I don't think so. The error log levels are completely different than the access log levels, in that there are no access log levels. > > Does it require a dirsrv restart? No, but . . . > > Please advise. > > Thanks! > > > > > > > > > > > This doc: > > > > > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > > > > > discusses turning on global debugging but doesn't help me. The same doc > > links > > > to: > > > > > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > > > > > which tells me that I need to change the nsslapd-accesslog-level but the > > link > > > on that page is a 404. > > > > > > So what do I need to do to change the level? I would assume that setting > > the > > > level to 4 would be indicated if 256 is too verbose but can someone > > please > > > confirm? > > > > > > I tried looking in the Configuration tab of the admin GUI but I get > > thrown: > > > > > > IPA Error 4204 > > > > > > limits exceeded for this query > > > > > > Not sure what's going on there, might be symptomatic of the high load the > > > server is under due to iowait perhaps... > > > > > > Thanks! > > > > > > ___ > > > Freeipa-users mailing list > > > Freeipa-users@redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
On Tue, May 13, 2014 at 1:28 PM, Richard Megginson wrote: > - Original Message - > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). > > > > Where do I change the verbosity of access logging? > > > Why do you need to change the verbosity of access logging? Do you mean > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting > I do mean access logging. I want to change it because it's too verbose :-) . It's causing high load / iowait on the server. Based on the link you sent if I crafted an ldif like: dn: cn=config changetype: modify replace: nsslapd-accesslog-level nsslapd-accesslog-level: 4 that would presumably get me what I want. Does it require a dirsrv restart? Please advise. Thanks! > > > > > This doc: > > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > > > discusses turning on global debugging but doesn't help me. The same doc > links > > to: > > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > > > which tells me that I need to change the nsslapd-accesslog-level but the > link > > on that page is a 404. > > > > So what do I need to do to change the level? I would assume that setting > the > > level to 4 would be indicated if 256 is too verbose but can someone > please > > confirm? > > > > I tried looking in the Configuration tab of the admin GUI but I get > thrown: > > > > IPA Error 4204 > > > > limits exceeded for this query > > > > Not sure what's going on there, might be symptomatic of the high load the > > server is under due to iowait perhaps... > > > > Thanks! > > > > ___ > > Freeipa-users mailing list > > Freeipa-users@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
Jason Becker wrote: I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? 256 is the default. I found this documented in a slightly older release at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-cnconfig-nsslapd_accesslog_level I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Yes. And I guess ironically you can configure the timeout but without being able to display the page this can be hard using our tools, which enforce that timeout. This data lives at cn=ipaConfig,cn=etc,dc=example,dc=com . You can use ldapmodify to change this if the IPA tools keep timing out while trying. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
- Original Message - > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). > > Where do I change the verbosity of access logging? Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting > > This doc: > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > discusses turning on global debugging but doesn't help me. The same doc links > to: > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > which tells me that I need to change the nsslapd-accesslog-level but the link > on that page is a 404. > > So what do I need to do to change the level? I would assume that setting the > level to 4 would be indicated if 256 is too verbose but can someone please > confirm? > > I tried looking in the Configuration tab of the admin GUI but I get thrown: > > IPA Error 4204 > > limits exceeded for this query > > Not sure what's going on there, might be symptomatic of the high load the > server is under due to iowait perhaps... > > Thanks! > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Where do I change the nsslapd-accesslog-level?
I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64). Where do I change the verbosity of access logging? This doc: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html discusses turning on global debugging but doesn't help me. The same doc links to: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404. So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm? I tried looking in the Configuration tab of the admin GUI but I get thrown: IPA Error 4204 limits exceeded for this query Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps... Thanks! ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
