Applies to: All versions of Centrify DirectControl
Question:
We are getting lots of INFO-level messages (see the extract below) about allowed access that we would rather not see. For example, on a Centrify system there are plenty of messages in /var/log/messages even though Centrify debug has been turned OFF using /usr/share/centrifydc/bin/addebug off.
Jul 10 04:25:01 dl2-trd-stc adclient[10786]: INFO <fd:10 PAMIsUserAllowedAccess> audit User 'sybase' is authorized
The default syslog.conf for Red Hat directs all INFO messages to /var/log/messages, so changing the facility would not make a difference. We could change our syslog config, but is there a way to change the Centrify behavior?
Can we put in a feature request to allow us to set the default log level (i.e. what addebug sets it back to when you run /usr/share/centrifydc/bin/addebug off)?
Answer:
To suppress the INFO messages that adclient and the Centrify NSS and PAM modules send to syslog, you can safely change the log level from INFO to WARN in /etc/centrifydc/centrifydc.conf. Messages at WARN and above (warnings and errors) are still logged, so the events you need to act on are kept.
After making this change, run the "adreload" command so that adclient re-reads its configuration file. If the change is made through Group Policy, make sure an "adreload" is executed afterwards; that can be done with Group Policy as well. For example, enable a policy that sets the log level to WARN and runs adreload, then turn the policy off after a day.
Note that applications that loaded the Centrify PAM and NSS modules while the log level was INFO may not pick up the change to WARN until they are restarted. This should not be a problem for applications that fork a new process for each session.
When addebug is turned ON, it sets the Centrify log level to DEBUG. When addebug is turned OFF, it sets the log level back to INFO, overwriting any custom value, so a WARN setting is lost every time debugging is toggled. This is a bug that Centrify will fix in a future release: once fixed, addebug will record the log level in effect before debugging was turned on and restore it when debugging is turned off. In the meantime the workaround is to modify addebug (it is just a script) so that it restores the previous level, or to set the log level back to WARN and run adreload after each "addebug off". This can be done with Group Policy as well.
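The following script is an added example written for this article; it is not Centrify's addebug or any script from the original page. It covers both steps described above: changing the log level in centrifydc.conf and running adreload, and working around the reset-to-INFO behaviour of addebug by saving the level before "addebug on" and restoring it after "addebug off" (as a wrapper around addebug rather than an edit to it). It assumes the setting is the "log: LEVEL" line in /etc/centrifydc/centrifydc.conf, the valid level names, the tool paths under /usr/share/centrifydc/bin, and the state file location; all of these can be overridden through the environment variables at the top so it can be tried against a copy of the file first.

```shell
#!/bin/sh
# Added example, not Centrify code. Manage the adclient log level and keep a
# custom level across addebug on/off.
# Assumptions (not stated in the article): the setting is "log: LEVEL" in
# centrifydc.conf, the level names below are the accepted ones, and the
# tools live in /usr/share/centrifydc/bin. Override via the environment.
CDC_CONF="${CDC_CONF:-/etc/centrifydc/centrifydc.conf}"
CDC_BIN="${CDC_BIN:-/usr/share/centrifydc/bin}"
CDC_STATE="${CDC_STATE:-/var/run/centrifydc-loglevel.saved}"   # assumed path

# Print the active log level. Commented-out "#log:" lines are ignored; if no
# active line exists the level is INFO, the default the article describes.
get_log_level() {
    level=$(sed -n 's/^[[:space:]]*log:[[:space:]]*\([A-Za-z]*\).*/\1/p' \
                "$CDC_CONF" | tail -n 1)
    printf '%s\n' "${level:-INFO}"
}

# Set the log level, rewriting an existing active "log:" line in place or
# appending one. Writes through the existing file so owner and mode survive.
set_log_level() {
    new="$1"
    case "$new" in
        FATAL|ERROR|WARN|INFO|DEBUG|TRACE) ;;   # assumed valid level names
        *) echo "set_log_level: unsupported level '$new'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*log:' "$CDC_CONF"; then
        sed "s/^[[:space:]]*log:.*/log: $new/" "$CDC_CONF" > "$tmp"
    else
        cat "$CDC_CONF" > "$tmp"
        printf 'log: %s\n' "$new" >> "$tmp"
    fi
    cat "$tmp" > "$CDC_CONF"
    rm -f "$tmp"
}

# Tell adclient to re-read centrifydc.conf, as the article instructs.
reload_adclient() {
    if [ -x "$CDC_BIN/adreload" ]; then
        "$CDC_BIN/adreload"
    else
        echo "reload_adclient: $CDC_BIN/adreload not found; skipping" >&2
    fi
}

# Workaround for the reset-to-INFO bug: remember the level before enabling
# debug, then put it back (and reload) after addebug has reset it to INFO.
debug_on() {
    get_log_level > "$CDC_STATE"
    "$CDC_BIN/addebug" on
}

debug_off() {
    "$CDC_BIN/addebug" off
    saved=$(cat "$CDC_STATE" 2>/dev/null || true)
    set_log_level "${saved:-INFO}" && reload_adclient
    rm -f "$CDC_STATE"
}

# Usage (run as root): ./cdc-loglevel.sh set WARN | debug-on | debug-off
# Without arguments the script only defines the functions (e.g. when sourced).
case "${1:-}" in
    set)       set_log_level "$2" && reload_adclient ;;
    debug-on)  debug_on ;;
    debug-off) debug_off ;;
    "")        ;;
    *)         echo "usage: $0 set LEVEL | debug-on | debug-off" >&2 ;;
esac
```

Before running this against the live file, point CDC_CONF at a copy and confirm with get_log_level that only the active "log:" line changes; the shipped configuration usually also carries commented-out defaults, which the functions deliberately leave alone.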