Configuring Subsystem Debug Log
Each PKI subsystem can be configured to generate debug log for troubleshooting issues in the subsystem (e.g. database access, certificate issuance, key archival). The debug log can be configured during installation (see Two-Step Installation) or after installation.
The logging system is implemented using java.util.logging (JUL), which can be configured using logging.properties and supports the following logging levels:
- SEVERE (highest value)
- WARNING
- INFO
- CONFIG
- FINE
- FINER
- FINEST (lowest value)
The default subsystem logging configuration is stored in:
- /usr/share/pki/ca/webapps/ca/WEB-INF/classes/logging.properties
- /usr/share/pki/kra/webapps/kra/WEB-INF/classes/logging.properties
- /usr/share/pki/ocsp/webapps/ocsp/WEB-INF/classes/logging.properties
- /usr/share/pki/tks/webapps/tks/WEB-INF/classes/logging.properties
- /usr/share/pki/tps/webapps/tps/WEB-INF/classes/logging.properties
- /usr/share/pki/acme/webapps/acme/WEB-INF/classes/logging.properties
- /usr/share/pki/est/webapps/est/WEB-INF/classes/logging.properties
By default the debug log will be stored in /var/lib/pki/pki-tomcat/logs/<subsystem>/debug.YYYY-MM-DD.log, which will be rotated daily and purged after 7 days.
Note: These files can be modified temporarily, but the changes will be overwritten when the RPM packages are updated.
Since PKI 11.7 the debug level in all PKI subsystems can be configured in /var/lib/pki/<instance>/conf/<subsystem>/logging.properties, which will override the default debug level.
For example, to troubleshoot RESTEasy issues create a /var/lib/pki/pki-tomcat/conf/acme/logging.properties with the following content:
org.jboss.resteasy.level = INFO
Ensure the file is owned by pkiuser:
$ chown pkiuser:pkiuser /var/lib/pki/pki-tomcat/conf/acme/logging.properties
Then restart the server.
For CA, KRA, OCSP, TKS, and TPS subsystems the debug level can be configured using the debug.level parameter in /var/lib/pki/<instance>/conf/<subsystem>/CS.cfg.
Notes:
- The debug.level parameter is only used to configure logging level in JSS, LDAP SDK, and PKI libraries.
- ACME and EST subsystems do not have a CS.cfg.
- To troubleshoot ACME, EST, or third-party libraries, create a custom logging.properties in PKI 11.7 or later as described above, or temporarily modify the default logging.properties in older PKI versions.
By default the debug.level parameter is configured as follows:
debug.level=10
The parameter is mapped into JUL log level as follows:
PKI Log Level | SLF4J Log Level | JUL Log Level |
---|---|---|
0-1 (OBNOXIOUS) | TRACE | FINEST |
2-5 (VERBOSE) | DEBUG | FINE |
6-10 (INFORM) | INFO | INFO |
11-15 | WARN | WARNING |
>15 | ERROR | SEVERE |
So by default the subsystem will log INFO messages or higher.
To show the current debug level in subsystems other than ACME, execute the following command:
$ pki-server ca-config-show debug.level
10
To change the debug level (e.g. to log FINE messages or higher) in subsystems other than ACME, execute the following command:
$ pki-server ca-config-set debug.level 5
Then restart the server.
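The per-subsystem settings described on this page can be checked in one pass, for instance to find a subsystem left at a troubleshooting level. The following is an added example, not part of the original page or the PKI project: a shell function that reads debug.level from each subsystem's CS.cfg under an instance's conf directory, maps it to the JUL level using the table above, and notes whether a custom logging.properties is present. The function names, the output format, and the choice to use the last debug.level line when the key is repeated are assumptions.

```shell
#!/bin/sh
# Added example (not PKI project code): report the debug level per subsystem.

# Map a CS.cfg debug.level number to its JUL level, per the table on this page.
jul_level() {
    case "$1" in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;   # unset or not a number
    esac
    if   [ "$1" -le 1 ];  then echo FINEST
    elif [ "$1" -le 5 ];  then echo FINE
    elif [ "$1" -le 10 ]; then echo INFO
    elif [ "$1" -le 15 ]; then echo WARNING
    else                       echo SEVERE
    fi
}

# audit_instance CONF_DIR   (e.g. /var/lib/pki/pki-tomcat/conf)
# Prints one line per subsystem directory found:
#   <subsystem> debug.level=<n|unset|n/a> jul=<LEVEL|UNKNOWN|n/a> override=<yes|no>
audit_instance() {
    conf_dir=$1
    for sub in ca kra ocsp tks tps acme est; do
        [ -d "$conf_dir/$sub" ] || continue
        override=no
        [ -f "$conf_dir/$sub/logging.properties" ] && override=yes
        cfg="$conf_dir/$sub/CS.cfg"
        if [ -f "$cfg" ]; then
            # Assumption: if debug.level appears more than once, use the last one.
            n=$(sed -n 's/^debug\.level[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$cfg" | tail -n 1)
            jul=$(jul_level "$n")
            echo "$sub debug.level=${n:-unset} jul=$jul override=$override"
        else
            # ACME and EST have no CS.cfg; only logging.properties applies.
            echo "$sub debug.level=n/a jul=n/a override=$override"
        fi
    done
}

# Constructed sample instance so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/ca" "$demo/acme"
printf 'debug.level=5\n' > "$demo/ca/CS.cfg"
printf 'org.jboss.resteasy.level = INFO\n' > "$demo/acme/logging.properties"
audit_instance "$demo"
rm -rf "$demo"
```

On a real server, call audit_instance with the instance's conf directory, such as /var/lib/pki/pki-tomcat/conf.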