Ski Kacoroski wrote:
Howard Chu wrote:
Ski Kacoroski wrote:
Howard Chu wrote:
matthew sporleder wrote:
On 6/13/06, Ski Kacoroski <[EMAIL PROTECTED]> wrote:
Or you could look into the access log overlay. :)
That may be a good solution. Define two separate log databases, and
separate the machine and user data into two databases, using
subordinates to glue them together. Use an accesslog overlay on
each main database, logging to separate log databases.
Of course, the info in the accesslog may not be detailed enough for
debugging purposes. You'll have to review the log schema and decide
for yourself if it's adequate for your needs.
Matthew & Howard,
Ok, I have this working nicely with the following:
# Main logging database
database hdb
suffix "cn=nsdlog"
...
# Hosts logging database
database hdb
suffix "cn=nsdhostslog"
...
# Hosts database
database hdb
suffix "ou=Hosts,dc=nsd,dc=org"
...
overlay accesslog
logdb "cn=nsdhostslog"
logops all
# Main database
database hdb
suffix "dc=nsd,dc=org"
...
overlay accesslog
logdb "cn=nsdlog"
logops all
Tricks to getting it working were:
1. Comment out the accesslog overlay configuration until you create
the base object in the log databases or else slapd crashes
Which version of OpenLDAP did that? The accesslog overlay will create
the log's base object automatically on startup.
2. Be sure you have a rootdn and password set up on the log databases
so you can create the base object
You just need the rootdn so that the accesslog overlay will have write
privs on the log database.
3. Do not use the subordinate option on the main dc=nsd,dc=org
database. When I did this, the main database log picked up all the
activity on the hosts database. The downside to not using the
subordinate option is that I cannot do a recursive search from
dc=nsd,dc=org into the ou=hosts branch (this is fine with me). It is
interesting though that if I do:
See the note in slapd.conf(5) about ordering of the overlays (at the
subordinate keyword). If you exchange the order then the accesslog will
only affect a single database, and not the entire glued tree.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
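
The points raised in this thread can be checked mechanically before starting slapd. The following Python sketch is an added example, not code from the thread's participants or from OpenLDAP. It parses a slapd.conf-style text and reports accesslog overlays whose logdb has no database section or no rootdn, and flags a database that has glued subordinates but no explicit `overlay glue` line, so the ordering note in slapd.conf(5) can be reviewed. The sample configuration is constructed: its rootdn value and the `subordinate` line are assumptions.

```python
import shlex

# Constructed sample modelled on the thread's slapd.conf. The rootdn value and
# the "subordinate" line are assumptions added to exercise the checks.
SAMPLE = '''
database hdb
suffix "cn=nsdlog"
rootdn "cn=admin,cn=nsdlog"
database hdb
suffix "cn=nsdhostslog"
database hdb
suffix "ou=Hosts,dc=nsd,dc=org"
subordinate
overlay accesslog
logdb "cn=nsdhostslog"
database hdb
suffix "dc=nsd,dc=org"
overlay accesslog
logdb "cn=nsdlog"
'''

def parse(text):
    # Simplification: global directives and continuation lines are ignored.
    dbs = []
    for line in text.splitlines():
        tok = [t.lower() for t in shlex.split(line, comments=True)]
        if tok[:1] == ["database"]:
            dbs.append({"suffix": "", "rootdn": "", "logdb": "", "overlays": []})
        elif tok and dbs:
            if tok[0] == "overlay":
                dbs[-1]["overlays"].append(tok[-1])   # keep configuration order
            else:
                dbs[-1][tok[0]] = tok[-1].replace(", ", ",")
    return dbs

def lint(text):
    dbs = parse(text)
    by_suffix = {d["suffix"]: d for d in dbs}
    findings = []
    for d in (d for d in dbs if "accesslog" in d["overlays"]):
        log = by_suffix.get(d["logdb"])
        if log is None:
            findings.append(f"{d['suffix']}: logdb {d['logdb']!r} has no database section")
        elif not log["rootdn"]:
            findings.append(f"{d['suffix']}: log database {d['logdb']} has no rootdn")
        glued = [s["suffix"] for s in dbs if "subordinate" in s and s["suffix"].endswith("," + d["suffix"])]
        if glued and "glue" not in d["overlays"]:
            findings.append(f"{d['suffix']}: glue position implicit, subordinate {glued[0]}")
    return findings
```

On the sample, `lint(SAMPLE)` reports the hosts log database without a rootdn and the main database whose glue overlay position is left implicit.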