
KB-2233: How to change log level?

Knowledge Article Type: Problem / Resolution
Article Type: Knowledge
Product: Authentication Service
Tags: log debug level
Solution ID: 2111

Applies to: All versions of Centrify DirectControl

Question:
We are getting lots of INFO level messages (see extract below) about allowed access that we would rather not see. For example: On a Centrify system, there are plenty of messages in /var/log/messages even though Centrify Debug has been turned OFF using /usr/share/centrifydc/bin/addebug off. 

Jul 10 04:25:01 dl2-trd-stc adclient[10786]: INFO <fd:10 PAMIsUserAllowedAccess> audit User 'sybase' is authorized 

The default syslog.conf for Red Hat logs is for all INFO messages to be directed to /var/log/messages. So changing the facility would not make a difference. We could change our syslog config, but is there a way to change the Centrify behavior?

Can we put in a feature request to allow us to set the default log level (i.e., what addebug sets it back to when you run /usr/share/centrifydc/bin/addebug off)?

 

 

Answer:

To suppress INFO messages sent to syslog by adclient and the Centrify NSS and PAM modules, you can safely change the log level from INFO to WARN in /etc/centrifydc/centrifydc.conf.

After making this change, run the "adreload" command, which tells adclient to re-read its configuration file. If the change is made via Group Policy, make sure an "adreload" is executed afterwards; this can be done with Group Policy as well. As an example, we can enable a GP that sets the log level to WARN and runs adreload, and then turn the policy off after a day.

Note that if applications loaded our PAM and NSS modules while the log level was INFO and you then change it to WARN, some of these applications will not pick up the new configuration until they are restarted. This should not be a problem for applications that fork.

When addebug is turned ON, it changes the Centrify logging level to DEBUG. When addebug is turned OFF, it changes the Centrify logging level to INFO, overwriting any custom changes made. This is a bug and Centrify will be fixing it in future releases. Once fixed, addebug will note what the log level was before Debug was turned on and will set it back accordingly when it is turned off. A workaround for the time being is to modify addebug (it's just a script). We can do this with Group Policy as well.
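The following is an added example, not Centrify code and not part of the original article: shell helpers that apply the WARN setting and detect when "addebug off" has reset it to INFO. It assumes the default level is stored in centrifydc.conf as a line of the form "log: LEVEL"; the function names are hypothetical, and only the levels named in this article are accepted.

```shell
#!/bin/sh
# Added example, not Centrify code. Assumption: the default level is a
# line of the form "log: LEVEL" in centrifydc.conf.
CONF_DEFAULT=/etc/centrifydc/centrifydc.conf

# Print the active (uncommented) default log level; empty if none is set.
# Per-logger keys such as "log.pam:" and commented lines are ignored.
get_log_level() {
    sed -n 's/^[[:space:]]*log[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Set the default log level in file $1 to $2, keeping a backup in $1.bak.
set_log_level() {
    conf=$1; level=$2
    case $level in
        DEBUG|INFO|WARN) ;;   # the levels this article mentions
        *) echo "unsupported level: $level" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    if [ -n "$(get_log_level "$conf")" ]; then
        # Rewrite the existing active line; writing into the original
        # file keeps its owner and permissions.
        sed "s/^\([[:space:]]*log[[:space:]]*:[[:space:]]*\)[A-Za-z]*/\1$level/" "$conf.bak" > "$conf"
    else
        printf 'log: %s\n' "$level" >> "$conf"
    fi
}

# Return 0 if file $1 still has level $2, 1 if it has drifted
# (for example after "addebug off" reset it to INFO).
check_log_level() {
    [ "$(get_log_level "$1")" = "$2" ]
}

# On a real host, as root:
#   set_log_level "$CONF_DEFAULT" WARN && adreload
# Periodic check, e.g. from cron:
#   check_log_level "$CONF_DEFAULT" WARN || echo "log level was reset"
```

Applications that already loaded the PAM and NSS modules still need a restart to pick up the new level, as described above.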

Created By: Article Admin
Solution Creator: Raghu Srinivasan