Configuring logging for the agent

By default, the Centrify Agent for *NIX logs errors, warnings and informational messages in the UNIX syslog and /var/log/messages files along with other kernel and program messages. Although these files contain valuable information for tracking system operations and troubleshooting issues, occasionally you may find it useful to activate agent-specific logging and record that information in a log file.

To enable logging on the Centrify Agent for *NIX:

  1. Log in as or switch to the root user.

  2. Run the addebug command:

    /usr/share/centrifydc/bin/addebug on

    You must type the full path to the command because addebug is not included in the path by default.

    Once you run this command, all of the Centrify Agent activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging enabled, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging.

For performance and security reasons, you should only enable logging when necessary, for example, when requested to do so by Centrify Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it.

When you are ready to stop logging activity, run the addebug off command.
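The steps above, wrapped into a bounded session, as an added example that is not part of Centrify's own tooling: logging is switched on, the reproduction command you pass in is run, logging is switched off again whatever the outcome, and both log locations named above are restricted to root and reported. The addebug path and the two log paths are the ones this page gives; the environment overrides (ADDEBUG, AGENT_LOG, CLIENT_LOG) are an assumption of this script so it can be exercised against a stub.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): run a bounded addebug session
# and tidy up afterwards. Paths are those documented for the agent; the
# environment overrides exist only so the functions can be tested against
# a stub. Run as root on the agent host.

ADDEBUG="${ADDEBUG:-/usr/share/centrifydc/bin/addebug}"
AGENT_LOG="${AGENT_LOG:-/var/log/centrifydc.log}"
CLIENT_LOG="${CLIENT_LOG:-/var/centrifydc/centrify_client.log}"

# Make a captured log readable by root only and report its size, because
# sensitive data may have been written to it during the session.
secure_log() {
    log="$1"
    if [ -f "$log" ]; then
        chmod 600 "$log"
        printf '%s: %s bytes\n' "$log" "$(wc -c < "$log" | tr -d ' ')"
    else
        printf '%s: not present\n' "$log"
    fi
    return 0
}

# Enable agent logging, run the reproduction command given as arguments,
# then disable logging again regardless of whether that command succeeded.
# Returns the reproduction command's exit status so callers can chain on it.
debug_session() {
    "$ADDEBUG" on || return 1
    "$@"
    rc=$?
    "$ADDEBUG" off
    secure_log "$AGENT_LOG"
    secure_log "$CLIENT_LOG"   # only written if adclient stopped mid-session
    return $rc
}
```

A typical call is `debug_session su - someuser -c id` to capture one login attempt; keeping the window that narrow is what the performance and confidentiality advice below amounts to in practice.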

Setting the logging level

You can define the level of detail written to the log by setting the log configuration parameter in the Centrify configuration file:

log: level

With this parameter, the log level works as a filter to define the type of information you are interested in and ensure that only the messages that meet the criteria are written to the log. For example, if you want to see warning and error messages but not informational messages, you can change the log level from INFO to WARN. By changing the log level, you can reduce the number of messages included in the log and record only messages that indicate a problem. Conversely, if you want to see more detail about system activity, you can change the log level to INFO or DEBUG to log information about operations that do not generate any warnings or errors.

You can use the following keywords to specify the type of information you want to record in the log file:

Specify this level   To log this type of information

FATAL
    Fatal error messages that indicate a system failure or other severe, critical event. In addition to being recorded in the system log, this type of message is typically written to the user’s console. With this setting, only the most severe problems generate log file messages.

ERROR
    System error messages for problems that may require operator intervention or from which system recovery is not likely. With this setting, both fatal and less-severe error events generate log file messages.

WARN
    Warning messages that indicate an undesirable condition or describe a problem from which system recovery is likely. With this setting, warnings, errors, and fatal events generate log file messages.

INFO
    Informational messages that describe operational status or provide event notification.
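Changing the log: parameter by hand is easy to get wrong (a second uncommented log: line, or a keyword the agent does not recognise). The following is an added example, not Centrify's own tooling, that validates the level against the keywords listed on this page and rewrites the parameter in place, replacing an existing uncommented log: line or appending one if none exists. The configuration file path /etc/centrifydc/centrifydc.conf and the CENTRIFYDC_CONF override are assumptions of this script; the agent still has to re-read its configuration before the new level takes effect, which the script does not do.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): manage the "log: level"
# parameter of the agent configuration file. The default path below and the
# CENTRIFYDC_CONF override are assumptions made for this script.

CENTRIFYDC_CONF="${CENTRIFYDC_CONF:-/etc/centrifydc/centrifydc.conf}"

# Level keywords documented for the "log:" parameter, least to most verbose.
CENTRIFY_LOG_LEVELS="FATAL ERROR WARN INFO DEBUG"

# Return 0 if $1 is one of the documented keywords (case-sensitive).
valid_log_level() {
    for lvl in $CENTRIFY_LOG_LEVELS; do
        [ "$1" = "$lvl" ] && return 0
    done
    return 1
}

# Print the configured level, or "unset" if the file has no uncommented
# "log:" line. Commented lines such as "# log: DEBUG" are ignored.
get_log_level() {
    conf="${1:-$CENTRIFYDC_CONF}"
    awk '
        /^[ \t]*log:[ \t]*/ { sub(/^[ \t]*log:[ \t]*/, ""); found = $1 }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Set the level: replace the first uncommented "log:" line, drop any
# duplicates, or append a line if none exists. The file is rewritten via
# "cat >" so its owner and mode are preserved.
set_log_level() {
    level="$1"
    conf="${2:-$CENTRIFYDC_CONF}"
    if ! valid_log_level "$level"; then
        echo "set_log_level: unknown level '$level' (expected one of: $CENTRIFY_LOG_LEVELS)" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v lvl="$level" '
        /^[ \t]*log:[ \t]*/ {
            if (!done) { print "log: " lvl; done = 1 }
            next
        }
        { print }
        END { if (!done) print "log: " lvl }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```

Usage is `set_log_level WARN` to keep only warnings and errors, and `set_log_level INFO` to restore the default described above; `get_log_level` shows what is currently in effect in the file.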

Logging for Access Manager

Although most logging activity focuses on the actions of the Centrify Agent, you can also enable or disable logging for the Access Manager console and configure the types of messages to record in the log file by selecting options in Access Manager.

To configure logging for operations handled through the Access Manager console:

  1. Open Centrify Access Manager.

  2. In the console tree, select Centrify Access Manager, right-click, then click Options.

  3. Click the Log Settings tab, select the type of messages to log, then click OK.

If you enable logging, the log file is located by default in the C:\Users\user\AppData\Roaming\Centrify\DirectControl folder and is updated as you perform different operations in the Access Manager console.

Logging to the circular in-memory buffer

If the Centrify Agent for *NIX’s adclient process is interrupted or stops unexpectedly, a separate watchdog process (cdcwatch) automatically enables an in-memory circular buffer that writes log messages passed to the logging subsystem to help identify what operation the adclient process was performing when the problem occurred. The in-memory buffer is also mapped to an actual file, so that if there’s a system crash or a core dump, the last messages leading up to the event are saved. Messages from the in-memory circular buffer have the prefix _cbuf, so they can be extracted from a core file using the strings command.

The in-memory circular buffer allows debug-level information to be automatically written to a log file even if debugging is turned off. It can be manually enabled by restarting the adclient process with the -M command line option. The default size of the buffer is 128K, which should be sufficient to log approximately 500 messages. Because enabling the buffer can impact performance, you should not manually enable the circular buffer or modify its size or logging level unless you are instructed to make the changes by Centrify Support.
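Pulling the circular-buffer messages out of a core file, as an added example that is not part of Centrify's tooling: the page says each buffered message carries the _cbuf prefix and can be found with the strings command, and this function does the same job by splitting the file into runs of printable bytes with tr, so it also works on a host where binutils is not installed. The sample core contents in the accompanying check are constructed; the message text after the prefix is invented and says nothing about the real message format.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): recover the circular-buffer
# messages (prefix _cbuf) from an adclient core file without relying on
# strings(1). Usage: extract_cbuf /path/to/core

extract_cbuf() {
    core="$1"
    [ -r "$core" ] || { echo "extract_cbuf: cannot read $core" >&2; return 1; }
    # Turn every non-printable byte into a newline so each printable run
    # lands on its own line, then keep only the runs carrying the prefix.
    # Exit status is grep's, so it is non-zero when nothing was found.
    LC_ALL=C tr -c '[:print:]' '\n' < "$core" | grep '_cbuf'
}

# Number of messages recovered, which helps judge whether the buffer
# wrapped: the default 128K buffer holds roughly 500 messages.
count_cbuf() {
    extract_cbuf "$1" | wc -l | tr -d ' '
}
```

Because the buffer is circular, the order in which the runs appear in the core is where they sat in memory, not necessarily the order in which they were written; treat the extract as raw material for Centrify Support rather than as a timeline.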