Enabling logging for the Centrify DirectControl Agent for Mac

The Centrify DirectControl Agent for Mac installation includes some basic diagnostic tools and a logging mechanism to help you trace the source of problems if they occur. These diagnostic tools and log files allow you to periodically check your environment and view information about the agent operation, your Active Directory connections, and the configuration settings for individual computers.

In most cases, logging is not enabled by default for performance reasons. Once enabled, however, log files provide a detailed record of Centrify DirectControl Agent for Mac activity and can be used to analyze the behavior of Centrify Management Services and communication with Active Directory to locate points of failure.

To enable logging on the Centrify DirectControl Agent for Mac:

  1. Log in as or switch to the root user.
  2. Run the addebug command:
    /usr/local/share/centrifydc/bin/addebug on

    Note:   You must type the full path to the command because addebug is not included in the path by default.

    Once you run this command, all of the agent activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging.

    By default, agent logging uses the Macintosh’s logging system, which does not capture some important logging information. To guarantee that you capture all agent logging information, complete the following additional steps to direct logging to a specific file.

  3. Stop the syslogd service:

    service com.apple.syslogd stop
  4. Open /etc/centrifydc/centrifydc.conf in a text editor, find the logger.destination:syslog setting, then change the value as follows to direct logging output to the file /var/log/logfile.log:

    logger.destination:/var/log/logfile.log
  5. Restart the agent:

    /usr/local/share/centrifydc/bin/centrifydc restart

    Note:   For more information about starting and stopping the agent, see the Administrator’s Guide for Linux and UNIX.

For performance and security reasons, you should only enable agent logging when necessary, for example, when requested to do so by Centrify Corporation Technical Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it.

When you are ready to stop logging activity, run the addebug off command.
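The caution above about sensitive information in the debug logs can be checked before a log is shared or left on disk. The following is an added example, not part of the Centrify documentation or tooling: it reads logger.destination from centrifydc.conf and reports any agent debug log that is readable by accounts other than its owner. The function names are hypothetical, and treating the last uncommented logger.destination line as the active one is an assumption.

```shell
#!/bin/sh
# Added example (not Centrify code). File paths come from the procedure on
# this page; the function names are hypothetical.

# Print the active logger.destination value. Commented-out lines are skipped;
# if the file sets it more than once, the last setting is used (assumption).
# Falls back to "syslog", the default value named in step 4.
logger_destination() {
    dest=$(sed -n 's/^[[:space:]]*logger\.destination[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${dest:-syslog}"
}

# Succeed if the file exists and its group or "other" read bit is set.
readable_beyond_owner() {
    [ -f "$1" ] && [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Usage: audit_agent_logs [CONF [LOG...]]
# Checks the two log files named on this page (or the LOG arguments), plus the
# file that logger.destination points to. Prints one EXPOSED line per finding
# and returns 1 if any log is readable beyond its owner.
audit_agent_logs() {
    conf=${1:-/etc/centrifydc/centrifydc.conf}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then
        set -- /var/log/centrifydc.log /var/centrifydc/centrify_client.log
    fi
    target=$(logger_destination "$conf")
    case $target in
        /*) set -- "$@" "$target" ;;
    esac
    exposed=0
    for f in "$@"; do
        if readable_beyond_owner "$f"; then
            echo "EXPOSED $f"
            exposed=1
        fi
    done
    return "$exposed"
}
```

Source the file as root and call audit_agent_logs with no arguments to check the default locations; tighten any reported file with chmod 600 before continuing the diagnostic session.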