Configuring Subsystem Debug Log - dogtagpki/pki GitHub Wiki
Each PKI subsystem can be configured to generate a debug log for troubleshooting issues in the subsystem (e.g. database access, certificate issuance, key archival).
The logging system is implemented using java.util.logging (JUL), which can be configured using logging.properties and supports the following logging levels:
- SEVERE (highest value)
- WARNING
- INFO
- CONFIG
- FINE
- FINER
- FINEST (lowest value)
The default subsystem logging configuration is stored in:
- /usr/share/pki/ca/webapps/ca/WEB-INF/classes/logging.properties
- /usr/share/pki/kra/webapps/kra/WEB-INF/classes/logging.properties
- /usr/share/pki/ocsp/webapps/ocsp/WEB-INF/classes/logging.properties
- /usr/share/pki/tks/webapps/tks/WEB-INF/classes/logging.properties
- /usr/share/pki/tps/webapps/tps/WEB-INF/classes/logging.properties
- /usr/share/pki/acme/webapps/acme/WEB-INF/classes/logging.properties
- /usr/share/pki/est/webapps/est/WEB-INF/classes/logging.properties
By default the debug log will be stored in /var/lib/pki/pki-tomcat/logs/<subsystem>/debug.YYYY-MM-DD.log, which will be rotated daily and purged after 7 days.
Note: These files can be modified temporarily, but the changes will be overwritten when the RPM packages are updated.
Since PKI 11.7 the subsystem debug level can be configured in /var/lib/pki/<instance>/conf/<subsystem>/logging.properties, which will override the default debug level.
For example, to troubleshoot RESTEasy issues, create a /var/lib/pki/pki-tomcat/conf/ca/logging.properties file with the following content:
org.jboss.resteasy.level = INFO
Ensure the file is owned by pkiuser:
$ chown pkiuser:pkiuser /var/lib/pki/pki-tomcat/conf/ca/logging.properties
Then restart the server.
For CA, KRA, OCSP, TKS, and TPS subsystems the debug level can be configured using the debug.level parameter in CS.cfg.
Notes:
- The debug.level parameter is only used to configure logging level in JSS, LDAP SDK, and PKI libraries.
- ACME and EST subsystems do not have a CS.cfg.
- To troubleshoot ACME, EST, or third-party libraries, create a custom logging.properties in PKI 11.7 or later as described above, or temporarily modify the default logging.properties in older PKI versions.
By default the debug.level parameter is configured as follows:
debug.level=10
The parameter is mapped into JUL log level as follows:
PKI Log Level | SLF4J Log Level | JUL Log Level |
---|---|---|
0-1 (OBNOXIOUS) | TRACE | FINEST |
2-5 (VERBOSE) | DEBUG | FINE |
6-10 (INFORM) | INFO | INFO |
11-15 | WARN | WARNING |
>15 | ERROR | SEVERE |
So by default the subsystem will log INFO messages or higher.
To show the current debug level in subsystems other than ACME, execute the following command:
$ pki-server ca-config-show debug.level
10
To change the debug level (e.g. to log FINE messages or higher) in subsystems other than ACME, execute the following command:
$ pki-server ca-config-set debug.level 5
Then restart the server.
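The following is an added example, not code from the Dogtag PKI project or this wiki page. It applies the debug.level mapping table and the logging.properties format described above to list settings that log below the default INFO, which helps confirm that verbose logging was turned back down after troubleshooting. The function names, the sample file contents and the com.example logger are assumptions.

```python
# Added example, not Dogtag PKI code. Function names are hypothetical.
VERBOSE = {"CONFIG", "FINE", "FINER", "FINEST", "ALL"}  # below INFO, plus JUL's ALL

def debug_level_to_jul(value):
    """Map a CS.cfg debug.level value to a JUL level using the table above."""
    n = int(value)
    if n < 0:
        raise ValueError("debug.level %d is outside the documented ranges" % n)
    for upper, jul in ((1, "FINEST"), (5, "FINE"), (10, "INFO"), (15, "WARNING")):
        if n <= upper:
            return jul
    return "SEVERE"

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def verbose_settings(cs_cfg_text, logging_properties_text=""):
    """Return sorted (file, key, JUL level) tuples that log below INFO."""
    found = []
    cs_cfg = parse_properties(cs_cfg_text)
    if "debug.level" in cs_cfg:
        jul = debug_level_to_jul(cs_cfg["debug.level"])
        if jul in VERBOSE:
            found.append(("CS.cfg", "debug.level", jul))
    for key, value in parse_properties(logging_properties_text).items():
        if key.endswith(".level") and value.upper() in VERBOSE:
            found.append(("logging.properties", key, value.upper()))
    return sorted(found)

# Constructed sample input, not copied from a real instance.
SAMPLE_CS_CFG = "debug.level=5\n"
SAMPLE_LOGGING = (
    "org.jboss.resteasy.level = INFO\n"
    "com.example.level = FINEST\n"  # hypothetical logger name
)

if __name__ == "__main__":
    for source, key, level in verbose_settings(SAMPLE_CS_CFG, SAMPLE_LOGGING):
        print("%s: %s logs at %s, below the default INFO" % (source, key, level))
```

On a real instance, pass in the contents of the subsystem's CS.cfg and of /var/lib/pki/<instance>/conf/<subsystem>/logging.properties.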