KB-2233: How to change log level?

Centrify DirectControl

12 April,16 at 10:57 AM

Applies to: All versions of Centrify DirectControl

Question:
We are getting lots of INFO level messages (see extract below) about allowed access that we would rather not see. For example: On a Centrify system, there are plenty of messages in /var/log/messages even though Centrify Debug has been turned OFF using /usr/share/centrifydc/bin/addebug off. 

Jul 10 04:25:01 dl2-trd-stc adclient[10786]: INFO <fd:10 PAMIsUserAllowedAccess> audit User 'sybase' is authorized 

The default syslog.conf for Red Hat logs is for all INFO messages to be directed to /var/log/messages. So changing the facility would not make a difference. We could change our syslog config, but is there a way to change the Centrify behavior?

Can we put in a feature request to allow us to set the default log level (i.e., what addebug sets it back to when you run /usr/share/centrifydc/bin/addebug off)?

Answer:

To suppress INFO messages sent to syslog by adclient and the Centrify NSS and PAM modules, you can safely change the log level from INFO to WARN in /etc/centrifydc/centrifydc.conf.

After making this change, run the "adreload" command, which tells adclient to re-read its configuration file. If the change is made via Group Policy, make sure an "adreload" is executed afterwards; this can be done with GP as well. For example, we can enable a GP that sets the log level to WARN and runs adreload, and then turn the policy off after a day.

Note that if applications loaded our PAM and NSS modules while the log level was INFO and you then change it to WARN, some of these applications will not re-read the new configuration until they are restarted. This should not be a problem for applications that fork.

When addebug is turned ON, it changes the Centrify logging level to DEBUG. When addebug is turned OFF, it changes the logging level to INFO, overwriting any custom changes made. This is a bug, and Centrify will be fixing it in future releases. Once fixed, addebug will note what the log level was before debug was turned on and will set it back accordingly when turned off. A workaround for the time being is to modify addebug (it's just a script). We can do this with Group Policy as well.
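Before lowering the level to WARN, it is worth checking which adclient messages the change would stop writing, since the line quoted in the question is an "audit ... is authorized" record. The shell function below is an added example, not Centrify code: it tallies adclient syslog lines by level and tag in the format quoted above, and every sample line except the first is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify code): tally adclient syslog lines by level
# and tag, and count how many would no longer be written at level WARN.

# Sample input. The first line is the one quoted in the question;
# the remaining lines are constructed for illustration.
sample_log() {
cat <<'EOF'
Jul 10 04:25:01 dl2-trd-stc adclient[10786]: INFO <fd:10 PAMIsUserAllowedAccess> audit User 'sybase' is authorized
Jul 10 04:25:02 dl2-trd-stc adclient[10786]: INFO <fd:11 PAMIsUserAllowedAccess> audit User 'constructed' is authorized
Jul 10 04:26:10 dl2-trd-stc adclient[10786]: WARN <fd:12 ConstructedTag> constructed warning text
Jul 10 04:27:00 dl2-trd-stc crond[2211]: (root) CMD (constructed non-Centrify line)
EOF
}

# summarize_adclient [FILE]
# Reads FILE (stdin when omitted) and prints one "COUNT LEVEL TAG" line per
# combination, plus totals for lines below WARN (INFO, DEBUG) and the rest.
summarize_adclient() {
  awk '
    # Field 5 is "adclient[pid]:", field 6 the level,
    # fields 7-8 the "<fd:N Tag>" marker.
    $5 ~ /^adclient\[[0-9]+\]:$/ {
      level = $6
      tag = ($7 ~ /^</) ? $8 : "-"
      sub(/>$/, "", tag)
      count[level " " tag]++
      if (level == "INFO" || level == "DEBUG") dropped++
      else kept++
    }
    END {
      for (k in count) printf "%d %s\n", count[k], k
      printf "dropped_at_WARN %d\n", dropped
      printf "kept_at_WARN %d\n", kept
    }' "${1:--}" | sort
}

# Demo on the embedded sample; on a real host pass /var/log/messages instead.
sample_log | summarize_adclient
```

If the tally shows that the INFO lines include records you rely on for access review, capture them elsewhere before changing the level.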
