51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER START
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! This work is licensed under the Creative Commons
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! To view a copy of this license, visit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! or send a letter to Creative Commons, 444 Castro Street,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Suite 900, Mountain View, California, 94041, USA.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! You can also obtain a copy of the license at
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! See the License for the specific language governing permissions
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! and limitations under the License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! If applicable, add the following below this CCPL HEADER, with the fields
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! enclosed by brackets "[]" replaced with your own identifying information:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Portions Copyright [yyyy] [name of copyright owner]
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER END
57d6342a74476c0bf2200992e778229d62ab1fa6mark ! Copyright 2011-2015 ForgeRock AS.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This chapter describes the monitoring capabilities that OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark implements, and shows how to configure them.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ Control Panel provides basic monitoring capabilities under
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Monitoring > General Information, Monitoring > Connection Handler, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Monitoring > Manage Tasks. This chapter covers the other options for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark monitoring OpenDJ.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ exposes monitoring information over LDAP under the entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>cn=monitor</literal>. Many different types of information are
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark exposed. The following example shows monitoring information about the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>userRoot</literal> backend holding Example.com data.</para>
57d6342a74476c0bf2200992e778229d62ab1fa6mark <para>Interface stability: <link xlink:href="reference#interface-stability"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch --port 1389 --baseDN cn=monitor "(cn=userRoot backend)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=userRoot backend,cn=Disk Space Monitor,cn=monitor
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdisk-state: normal
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: ds-monitor-entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: extensibleObject
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdisk-free: 343039315968
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: userRoot backend
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: cn=userRoot Backend,cn=monitor
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: ds-monitor-entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: ds-backend-monitor-entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-backend-is-private: FALSE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-backend-writability-mode: enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: userRoot Backend
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-backend-entry-count: 163
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-backend-id: userRoot
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-base-dn-entry-count: 163 dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkds-backend-base-dn: dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can set global ACIs on the Access Control Handler if you want
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to limit read access under <literal>cn=monitor</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ lets you monitor the server over the Simple Network Management
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Protocol (SNMP), with support for the Management Information Base described
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in <link xlink:href="http://tools.ietf.org/html/rfc2605">RFC 2605: Directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ SNMP-based monitoring depends on OpenDMK, which you must
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <link xlink:href="http://opendmk.java.net/download/" xlink:show="new">download
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://java.net/projects/opendmk/content/download/opendmk-1.0-b02-bin-dual-01-Oct-2007_19-17-46.jar"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >Full Binary Bundle</link> by using the graphical installer, which requires
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://java.net/projects/opendmk/content/legal_notices/LICENSE_BINARY.txt"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >Binary License for Project OpenDMK</link>. OpenDJ directory server that you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark download from ForgeRock is built with OpenDMK, but due to licensing OpenDMK
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is not part of OpenDJ. SNMP is therefore not enabled by default.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To run the OpenDMK installer, use the self-extracting .jar.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>java -jar ~/Downloads/opendmk-1.0-b02-*.jar</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you install under <filename>/path/to</filename>, then the runtime
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark library needed for SNMP is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>/path/to/OpenDMK-bin/lib/jdmkrt.jar</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Once you have installed OpenDMK, you can set up a connection handler
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for SNMP by enabling the connection handler, and pointing OpenDJ to your
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark installation of the OpenDMK <filename>jdmkrt.jar</filename> library.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-connection-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "SNMP Connection Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set opendmk-jarfile:/path/to/OpenDMK-bin/lib/jdmkrt.jar \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default, the SNMP Connection Handler listens on port 161 and uses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark port 162 for traps. On UNIX and Linux systems, only root can normally open
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark these ports. Therefore if you install as a normal user, you might want
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to change the listen and trap ports.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-connection-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "SNMP Connection Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set listen-port:11161 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set trap-port:11162 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Restart the SNMP Connection Handler to take the port number changes
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark into account.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para> To restart the connection handler, you disable it, then enable
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark it again.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-connection-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "SNMP Connection Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:false \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-connection-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "SNMP Connection Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Use a command such as <command>snmpwalk</command> to check that the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark SNMP listen port works.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>snmpwalk -v 2c -c OpenDJ@OpenDJ localhost:11161</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkSNMPv2-SMI::mib-2.66.1.1.1.1 = STRING: "OpenDJ ${docTargetVersion}..."
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSNMPv2-SMI::mib-2.66.1.1.2.1 = STRING: "/path/to/opendj"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark...</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ provides Java Management eXtensions (JMX) based monitoring. A
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark number of tools support JMX, including <command>jconsole</command> and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>jvisualvm</command>, which are bundled with the Sun/Oracle Java
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark platform. JMX is not configured by default. Use the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>dsconfig</command> command to configure the JMX connection
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark handler.</para>
57d6342a74476c0bf2200992e778229d62ab1fa6mark <para>Interface stability: <link xlink:href="reference#interface-stability"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-connection-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "JMX Connection Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default, no users have privileges to access the JMX connection. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark following command adds JMX privileges for Directory Manager.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-root-dn-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --add default-root-privilege-name:jmx-notify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --add default-root-privilege-name:jmx-read \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --add default-root-privilege-name:jmx-write \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You must also configure security to login remotely. See the section on
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://docs.oracle.com/javase/1.5.0/docs/guide/management/agent.html#SSL_enabled"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:show="new"><citetitle>Monitoring and Management Using
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Alternatively, you can connect to a local server process by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server process identifier.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
ec40cc0dc62425cea5d63fd9d984f8614479de25mark OpenDJ comes with two commands for monitoring server processes and tasks.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark displays basic information about the local server,
ec40cc0dc62425cea5d63fd9d984f8614479de25mark similar to what is seen in the default window of the Control Panel.
ec40cc0dc62425cea5d63fd9d984f8614479de25mark lets you manage tasks scheduled on a server, such as nightly backup.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <command>status</command> command takes administrative credentials
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to read the configuration, as does the Control Panel.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>status --bindDN "cn=Directory Manager" --bindPassword password</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --- Server Status ---
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkServer Run Status: Started
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkOpen Connections: 1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --- Server Details ---
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkHost Name: localhost
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAdministrative Users: cn=Directory Manager
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkVersion: OpenDJ ${docTargetVersion}
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAdministration Connector: Port 4444 (LDAPS)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --- Connection Handlers ---
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAddress:Port : Protocol : State
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-------------:----------:---------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-- : LDIF : Disabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark0.0.0.0:636 : LDAPS : Disabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark0.0.0.0:1389 : LDAP : Enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark0.0.0.0:1689 : JMX : Disabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --- Data Sources ---
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBase DN: dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBackend ID: userRoot
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkEntries: 163
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkReplication: Disabled</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <command>manage-tasks</command> command connects over the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark administration port, and so can connect to both local and remote
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark servers.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>manage-tasks \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkID Type Status
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark--------------------------------------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkexample Backup Recurring
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkexample-20110623030000000 Backup Waiting on start time</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default OpenDJ stores access and errors logs as well as a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server process ID file under the <filename>logs/</filename> directory.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark For the replication service, OpenDJ also keeps a replication log there.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark You can also configure a debug log. Furthermore, you can configure policies
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark about how logs are rotated, and how they are retained. You configure logging
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <firstterm>access log</firstterm> traces the operations the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server processes including timestamps, connection information, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark information about the operation itself. The access log can therefore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark grow quickly, as each client request results in at least one new log
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark message.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The following access log excerpt shows a search operation from the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark local host, with the first three lines wrapped for readability.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[21/Jun/2011:08:01:53 +0200] CONNECT conn=4 from=127.0.0.1:49708
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to=127.0.0.1:1389 protocol=LDAP
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[21/Jun/2011:08:01:53 +0200] SEARCH REQ conn=4 op=0 msgID=1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[21/Jun/2011:08:01:53 +0200] SEARCH RES conn=4 op=0 msgID=1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark result=0 nentries=1 etime=3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[21/Jun/2011:08:01:53 +0200] UNBIND REQ conn=4 op=1 msgID=2
08248b5c5b494aff8d1922e8e0b5777796d7450dmark[21/Jun/2011:08:01:53 +0200] DISCONNECT conn=4 reason="Client Unbind"
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
409f0dae824dc9e5c88106df8c8744656138c4f5mark Notice that by default OpenDJ directory server logs a message
409f0dae824dc9e5c88106df8c8744656138c4f5mark for the search request, and a message for the search response.<footnote>
409f0dae824dc9e5c88106df8c8744656138c4f5mark You can also configure the access logger to combine log messages
409f0dae824dc9e5c88106df8c8744656138c4f5mark by setting the property <literal>log-format:combined</literal>.
409f0dae824dc9e5c88106df8c8744656138c4f5mark The setting is useful when filtering messages based on response criteria.
409f0dae824dc9e5c88106df8c8744656138c4f5mark It causes the server to log one message per operation,
409f0dae824dc9e5c88106df8c8744656138c4f5mark rather than one message for the request and another for the response.
409f0dae824dc9e5c88106df8c8744656138c4f5mark </footnote>
409f0dae824dc9e5c88106df8c8744656138c4f5mark The server also logs request and response messages for other operations
409f0dae824dc9e5c88106df8c8744656138c4f5mark that have responses, such as bind and modify operations.
409f0dae824dc9e5c88106df8c8744656138c4f5mark The server does not, however, log response messages for all operations,
409f0dae824dc9e5c88106df8c8744656138c4f5mark as some operations, such as persistent searches, abandon operations,
409f0dae824dc9e5c88106df8c8744656138c4f5mark unbind operations, and abandoned operations, do not have responses.
409f0dae824dc9e5c88106df8c8744656138c4f5mark Here, you see also that the log message for the unbind request
409f0dae824dc9e5c88106df8c8744656138c4f5mark is followed by a log message for the disconnection.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <firstterm>errors log</firstterm> traces server events, error
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark conditions, and warnings, categorized and identified by severity.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The following errors log excerpt shows log entries about a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark backup task, with lines wrapped for readability.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:12:32:23 +0200] category=BACKEND severity=NOTICE msgID=9896349
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark msg=Backup task 20110622123224088 started execution
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:12:32:23 +0200] category=TOOLS severity=NOTICE msgID=10944792
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark msg=Starting backup for backend userRoot
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:12:32:24 +0200] category=JEB severity=NOTICE msgID=8847446
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark msg=Archived: 00000000.jdb
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:12:32:24 +0200] category=TOOLS severity=NOTICE msgID=10944795
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark msg=The backup process completed successfully
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:12:32:24 +0200] category=BACKEND severity=NOTICE msgID=9896350
08248b5c5b494aff8d1922e8e0b5777796d7450dmark msg=Backup task 20110622123224088 finished execution
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you use the HTTP Connection Handler, OpenDJ maintains a separate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark access log in <filename>logs/http-access</filename>. This access log, by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark default configured as the File Based HTTP Access Log Publisher, uses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a different format than the LDAP access log. This HTTP access log uses
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <link xlink:href="http://www.w3.org/TR/WD-logfile.html" xlink:show="new"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >Extended Log File Format</link> with fields described in <link
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:href="http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark >Microsoft's implementation</link> as well. The following default
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark fields are shown here in the order they occur in the log file.</para>
57d6342a74476c0bf2200992e778229d62ab1fa6mark <para>Interface stability: <link xlink:href="reference#interface-stability"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Completion timestamp for the HTTP request, which you can configure
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark using the <literal>log-record-time-format</literal> property</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Path and query string requested by the client</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Connection ID used for OpenDJ internal operations</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When using this field to match HTTP requests with internal
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark operations in the LDAP access log, first set the access log advanced
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property, <literal>suppress-internal-operations</literal>, to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>false</literal>. By default, internal operations do not appear
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in the LDAP access log.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Execution time in milliseconds needed by OpenDJ to service the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark HTTP request</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Missing values are replaced with <literal>-</literal>. Tabs separate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the fields, and if a field contains a tab character, then the field is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark surrounded with double quotes. OpenDJ then doubles double quotes in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark field to escape them.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The following example shows an excerpt of an HTTP access log with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the default configuration. Lines are folded and space reformatted for the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark printed page.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark GET /groups/Directory%20Administrators?_prettyPrint=true HTTP/1.1 200
08248b5c5b494aff8d1922e8e0b5777796d7450dmark POST /users?_action=create&_prettyPrint=true HTTP/1.1 200
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can configure the <literal>log-format</literal> for the access log
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark using the <command>dsconfig</command> command. In addition to the default
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark fields, the following standard fields are supported.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Server name where the access log was written</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <firstterm>replication log</firstterm> traces replication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark events, with entries similar to the errors log. The following excerpt has
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark lines wrapped for readability.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:14:37:34 +0200] category=SYNC severity=NOTICE msgID=15139026
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark msg=Finished total update: exported domain "dc=example,dc=com" from this
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directory server DS(24065) to all remote directory servers.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:14:37:35 +0200] category=SYNC severity=MILD_WARNING msgID=14745663
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark msg=Replication server RS(23947) at opendj.example.com/10.10.0.168:8989 has
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark closed the connection to this directory server DS(24065). This directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server will now try to connect to another replication server in order to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark receive changes for the domain "dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[22/Jun/2011:14:37:35 +0200] category=SYNC severity=NOTICE msgID=15138894
08248b5c5b494aff8d1922e8e0b5777796d7450dmark msg=The generation ID for domain "dc=example,dc=com" has been reset to 3679640
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the replication log does not trace replication operations.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Use the external change log instead to get notifications about changes to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark directory data over protocol. You can alternatively configure an audit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark log, which is a type of access log that dumps changes in LDIF.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>A <firstterm>debug log</firstterm> traces details needed to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark troubleshoot a problem in the server. Debug logs can grow large quickly,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and therefore no debug logs are enabled by default.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Each log depends on a <firstterm>log publisher</firstterm>, whose
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark type corresponds to the type of log. OpenDJ uses file-based log publishers.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The design allows for custom log publishers, however, which could publish
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the logs elsewhere besides a file.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For debug logging, you also set a <firstterm>debug target</firstterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to control what gets logged.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Each file-based log can be associated with a <firstterm>log rotation
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy</firstterm>, and a <firstterm>log retention policy</firstterm>. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark former can specify when, after how much time, or at what maximum size a log
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is rotated. The latter can specify a maximum number or size of logs to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark retain, or an amount of free disk space to maintain. The design allows
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for custom policies as well.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default the file-based logs are subject to rotation and retention
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policies that you can list with <command>dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark list-log-rotation-policies</command> and <command>dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, view the log rotation policies with the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark command.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark list-log-rotation-policies \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkLog Rotation Policy : Type : file-size-limit : rotation-interval : time-of-day
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------------------:------------:-----------------:-------------------:------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark24 Hours Time Limit Rotation Policy : time-limit : - : 1 d : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark7 Days Time Limit Rotation Policy : time-limit : - : 1 w : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkFixed Time Rotation Policy : fixed-time : - : - : 2359
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkSize Limit Rotation Policy : size-limit : 100 mb : - : -</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>View the log retention policies with the following command.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark list-log-retention-policies \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkLog Retention Policy : Type : disk-space-used : free-disk-space : number-of-files
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark---------------------------------:-----------------:-----------------:-----------------:----------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkFile Count Retention Policy : file-count : - : - : 10
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkFree Disk Space Retention Policy : free-disk-space : - : 500 mb : -
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkSize Limit Retention Policy : size-limit : 500 mb : - : -</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Use the <command>dsconfig get-log-publisher-prop</command> command to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark examine the policies that apply to a particular logger.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark get-log-publisher-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --publisher-name "File-Based Access Logger" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --property retention-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --property rotation-policy</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Property : Value(s)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-----------------:-------------------------------------------------------------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkretention-policy : File Count Retention Policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkrotation-policy : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
08248b5c5b494aff8d1922e8e0b5777796d7450dmark : Policy</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In other words, by default OpenDJ keeps 10 access log files, rotating
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the access log each day, or when the log size reaches 100 MB.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <command>dsconfig</command> command offers a number of subcommands
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for creating and deleting log rotation and retention policies, and for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark setting policy properties. You can update which policies apply to a logger
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark by using the <command>dsconfig set-log-publisher-prop</command>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Each time a client application sends a request to OpenDJ, the server
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark writes to its access log. As shown above, a simple search operation results
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in five messages written to the access log. This volume of logging gives you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the information to analyze overall access patterns, or to audit access when
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you do not know in advance what you are looking for.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Yet when you do know what you are looking for, log filtering
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark lets you limit what the server logs, and focus on what you want to see.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark You define the filter criteria, and also set the filtering policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can filter both access and also audit logs.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Log filtering lets you define rules based these criteria.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Client IP address, bind DN, group membership</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Result codes (only log error results, for example)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Search response criteria (number of entries returned, whether the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark search was indexed)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Type of operation (connect, bind, add, delete, modify, rename,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark search, etc.)</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The filtering policy in the log publisher configuration specifies
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark whether to include or exclude log messages that match the criteria you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark define. OpenDJ does not filter logs until you update the log publisher
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark configuration.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Example: Exclude Control Panel-Related Messages</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>A common development troubleshooting technique consists of sending
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark client requests while tailing the access log:</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Trouble is, when OpenDJ Control Panel is running, or when you are
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark also adapting your configuration using the <command>dsconfig</command>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark command, OpenDJ writes access log messages related to administration.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark These might prevent you from noticing the messages that interest
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This example demonstrates how to filter out access log messages
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark due to administrative connections over LDAPS on ports 1636 and 4444.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create access log filtering criteria rules.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-access-log-filtering-criteria \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --publisher-name "File-Based Access Logger" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --criteria-name "Exclude LDAPS on 1636 and 4444" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type generic \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set connection-port-equal-to:1636 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set connection-port-equal-to:4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set connection-protocol-equal-to:ldaps \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Activate filtering to exclude messages from the default access log
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark according to the criteria you specified.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-log-publisher-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --publisher-name "File-Based Access Logger" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set filtering-policy:exclusive \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>At this point, OpenDJ filters out connections over LDAPS to ports
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 1636 and 4444. While performing operations in OpenDJ Control Panel, if
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you perform a simple <command>ldapsearch --port 1389 --baseDN
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark dc=example,dc=com uid=bjensen cn</command>, then all you see in the access
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark log is the effect of the <command>ldapsearch</command> command.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>tail -f /path/to/opendj/logs/access</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>[19/Oct/2011:16:37:16 +0200] CONNECT conn=8 from=127.0.0.1:54165
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to=127.0.0.1:1389 protocol=LDAP
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[19/Oct/2011:16:37:16 +0200] SEARCH REQ conn=8 op=0 msgID=1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="cn"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[19/Oct/2011:16:37:16 +0200] SEARCH RES conn=8 op=0 msgID=1 result=0 nentries=1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark[19/Oct/2011:16:37:16 +0200] UNBIND REQ conn=8 op=1 msgID=2
08248b5c5b494aff8d1922e8e0b5777796d7450dmark[19/Oct/2011:16:37:16 +0200] DISCONNECT conn=8 reason="Client Unbind"</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </example>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In addition to the filtering policy, you can also adjust how OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark writes log messages. By default, OpenDJ writes one log message for a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark request, and another for a response. You can set the log publisher
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property <literal>log-format</literal> to <literal>combined</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to have OpenDJ write a single message per operation. This can be helpful,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for example, when evaluating response times. In addition, you can change
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the log message time stamps with <literal>log-record-time-format</literal>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and specify whether to log LDAP control OIDs for operations by setting
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>log-control-oids</literal> to <literal>true</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ can send alerts to provide notifications of significant server
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark events. Yet alert notifications are not enabled by default. You can use
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the <command>dsconfig</command> command to enable alert notifications.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-alert-handler-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "JMX Alert Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ can also send mail over SMTP instead of JMX notifications.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Before you set up the SMTP-based alert handler, you must identify an SMTP
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server to which OpenDJ sends messages.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-global-configuration-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set smtp-server:smtp.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-alert-handler \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --handler-name "SMTP Alert Handler" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type smtp \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set message-subject:"OpenDJ Alert, Type: %%alert-type%%, ID: %%alert-id%%" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set message-body:"%%alert-message%%" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set recipient-address:kvaughan@example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set sender-address:opendj@example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ directory server uses the following types when sending
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark alerts. For alert types that indicate server problems, check
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>OpenDJ/logs/errors</filename> for details.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.AccessControlDisabled</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The access control handler has been disabled.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.AccessControlEnabled</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The access control handler has been enabled.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.authentiation.dseecompat.ACIParseFailed</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The dseecompat access control subsystem failed to correctly parse
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark one or more ACI rules when the server first started.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.BackendRunRecovery</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The JE backend has thrown a <literal>RunRecoveryException</literal>.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The directory server needs to be restarted.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotCopySchemaFiles</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>A problem has occurred while attempting to create copies of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark existing schema configuration files before making a schema update, and the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark schema configuration has been left in a potentially inconsistent
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark state.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotRenameCurrentTaskFile</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is unable to rename the current tasks backing
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark file in the process of trying to write an updated version.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotRenameNewTaskFile</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is unable to rename the new tasks backing file
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark into place.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotScheduleRecurringIteration</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is unable to schedule an iteration of a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark recurring task.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotWriteConfig</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is unable to write its updated configuration
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for some reason and therefore the server may not exhibit the new
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark configuration if it is restarted.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotWriteNewSchemaFiles</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>A problem has occurred while attempting to write new versions of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server schema configuration files, and the schema configuration has been
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark left in a potentially inconsistent state.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.CannotWriteTaskFile</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is unable to write an updated tasks backing
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark file for some reason.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.DirectoryServerShutdown</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server has begun the process of shutting down.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.DirectoryServerStarted</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server has completed its startup process.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.DiskFull</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Free disk space has reached the full threshold.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.DiskSpaceLow</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Free disk space has reached the low threshold.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.EnteringLockdownMode</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is entering lockdown mode, in which only root
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark users are allowed to perform operations and only over the loopback
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark address.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.LDAPHandlerDisabledByConsecutiveFailures</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Consecutive failures have occurred in the LDAP connection handler
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and have caused it to become disabled.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.LDAPHandlerUncaughtError</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Uncaught errors in the LDAP connection handler that have caused it
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to become disabled.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.LDIFBackendCannotWriteUpdate</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>An LDIF backend was unable to store an updated copy of the LDIF file
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark after processing a write operation.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.LDIFConnectionHandlerIOError</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The LDIF connection handler encountered an I/O error that prevented
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark it from completing its processing.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.LDIFConnectionHandlerParseError</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The LDIF connection handler encountered an unrecoverable error while
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attempting to parse an LDIF file.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.LeavingLockdownMode</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server is leaving lockdown mode.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.ManualConfigEditHandled</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server detects that its configuration has been
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark manually edited with the server online and those changes were overwritten
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark by another change made through the server. The manually-edited
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark configuration will be copied to another location.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.ManualConfigEditLost</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The directory server detects that its configuration has been
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark manually edited with the server online and those changes were overwritten
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark by another change made through the server. The manually-edited
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark configuration could not be preserved due to an unexpected error.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.replication.UnresolvedConflict</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Multimaster replication cannot resolve a conflict
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark automatically.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.UncaughtException</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>A directory server thread has encountered an uncaught exception that
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark caused that thread to terminate abnormally. The impact that this problem
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark has on the server depends on which thread was impacted and the nature
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark of the exception.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.UniqueAttributeSynchronizationConflict</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>A unique attribute conflict has been detected during synchronization
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark processing.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>org.opends.server.UniqueAttributeSynchronizationError</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>An error occurred while attempting to perform unique attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark conflict detection during synchronization processing.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>