[Freeipa-users] Where do I change the nsslapd-accesslog-level?

Jason Becker jasondbecker at gmail.com
Tue May 13 21:41:38 UTC 2014 

On Tue, May 13, 2014 at 3:35 PM, Richard Megginson <rmeggins at redhat.com>wrote:

>
>
> ----- Original Message -----
> > On Tue, May 13, 2014 at 2:26 PM, Richard Megginson
> > <rmeggins at redhat.com>wrote:
> >
> > > ----- Original Message -----
> > > > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson
> > > > <rmeggins at redhat.com>wrote:
> > > >
> > > > > ----- Original Message -----
> > > > > > I am using FreeIPA 3.0.0 on RHEL 6
> (ipa-server-3.0.0-37.el6.x86_64).
> > > > > >
> > > > > > Where do I change the verbosity of access logging?
> > > > >
> > > > >
> > > > > Why do you need to change the verbosity of access logging?  Do you
> mean
> > > > > error logging?  If so, see
> http://port389.org/wiki/FAQ#Troubleshooting
> > > > >
> > > >
> > > > I do mean access logging. I want to change it because it's too
> verbose
> > > :-)
> > > > . It's causing high load / iowait on the server.
> > >
> > > There isn't a way to change the access log level to make it less
> verbose.
> > > You can turn it off completely nsslapd-accesslog-enabled: off
> > >
> >
> > Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level:
> 4"
> > is just as verbose as "nsslapd-accesslog-level: 256"?
>
> Yes.
>
> > Or that there is
> > literally no way to change the level despite the fact that there are
> levels?
>
> Yes, you can change the level.  You can make it much more verbose than it
> is already.  I don't think this is what you want.
>
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level
>
> So you could, for example, change the level to 4, and log internal
> operations.  1) That may be much more verbose than the default of 256 2)
> That may not be particularly useful to you.
>
> If the purpose of changing the access logging level is to reduce the I/O,
> then no, there is no level which will reduce the verbosity but still give
> you some sort of useful data in the access log.
>
> If you want to reduce the verbosity, but still have some sort of useful
> information, then you'll have to use the named pipe log script to filter
> out only those events which are useful to you.
>

Thanks for the clarification.

I was working on the assumption that indeed "nsslapd-accesslog-level: 4"
would be less verbose but still provide some sort of useful data in the
access log.

Cheers


>
> >
> > Cheers
> >
> >
> >
> > > Note that the access log is buffered, specifically to reduce the I/O
> load.
> > >  If that buffered load is _still_ too high, then you might want to
> > > investigate replacing the access log file with a named pipe, then
> writing a
> > > small bit of python code to filter out only the events you are
> interested
> > > in.  See
> > >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html
> > >
> > > >
> > > > Based on the link you sent if I crafted an ldif like:
> > > >
> > > > dn: cn=config
> > > > changetype: modify
> > > > replace: nsslapd-accesslog-level
> > > > nsslapd-accesslog-level: 4
> > > >
> > > > that would presumably get me what I want.
> > >
> > > I don't think so.  The error log levels are completely different than
> the
> > > access log levels, in that there are no access log levels.
> > >
> > > >
> > > > Does it require a dirsrv restart?
> > >
> > > No, but . . .
> > >
> > > >
> > > > Please advise.
> > > >
> > > > Thanks!
> > > >
> > > >
> > > >
> > > > >
> > > > > >
> > > > > > This doc:
> > > > > >
> > > > > >
> > > > >
> > >
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
> > > > > >
> > > > > > discusses turning on global debugging but doesn't help me. The
> same
> > > doc
> > > > > links
> > > > > > to:
> > > > > >
> > > > > >
> > > > >
> > >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
> > > > > >
> > > > > > which tells me that I need to change the nsslapd-accesslog-level
> but
> > > the
> > > > > link
> > > > > > on that page is a 404.
> > > > > >
> > > > > > So what do I need to do to change the level? I would assume that
> > > setting
> > > > > the
> > > > > > level to 4 would be indicated if 256 is too verbose but can
> someone
> > > > > please
> > > > > > confirm?
> > > > > >
> > > > > > I tried looking in the Configuration tab of the admin GUI but I
> get
> > > > > thrown:
> > > > > >
> > > > > > IPA Error 4204
> > > > > >
> > > > > > limits exceeded for this query
> > > > > >
> > > > > > Not sure what's going on there, might be symptomatic of the high
> > > load the
> > > > > > server is under due to iowait perhaps...
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > _______________________________________________
> > > > > > Freeipa-users mailing list
> > > > > > Freeipa-users at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > >
> > > >
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140513/32e0b06f/attachment.htm>

More information about the Freeipa-users mailing list