The hidden log features of ns-slapd
This week I discovered (Or dug up: ns-slapd is old) that we have two hidden logging features. In fact searching for one of them yields no results, searching the other shows a document that says it's undocumented.
This post hopes to rectify that.
In ns-slapd, during a normal operation you can see what a connected client is searching in the access log, or what they are changing based on the audit log.
If on a configuration for a plugin you need to diagnose these operations you can't do this... At least that's what the documentation tells you.
You can enable logging for search operations on a plugin through the value:
nsslapd-logAccess: on
You can enabled logging for mod/modrdn/del/add operations on a plugin through the value:
nsslapd-logAudit: on
This will yield logs such as:
time: 20151204143353
dn: uid=test1,ou=People,dc=example,dc=com
result: 0
changetype: modify
delete: memberOf
-
replace: modifiersname
modifiersname: cn=MemberOf Plugin,cn=plugins,cn=config
-
replace: modifytimestamp
modifytimestamp: 20151204043353Z
-
time: 20151204143353
dn: cn=Test Managers,ou=Groups,dc=example,dc=com
result: 0
changetype: modify
delete: member
member: uid=test1,ou=People,dc=example,dc=com
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20151204043353Z
-
Finally, a new option has been added that will enable both on all plugins in the server.
nsslapd-plugin-logging: on
All of these configurations are bound by and respect the following settings:
nsslapd-accesslog-logging-enabled
nsslapd-auditlog-logging-enabled
nsslapd-auditfaillog-logging-enabled