How to enable syslog level logging on the Access Gateway Proxy server

  • 7011611
  • 11-Jan-2013
  • 19-Feb-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Apache Gateway Appliance
NetIQ Access Manager 3.2 Apache Gateway Service on Linux
Proxy based logging enabled on Apache server

Situation

By default, the Apache-based proxy server shipping with 3.2 logs its information to /var/log/novell-apache2/error_log. This is configurable via the ErrorLog directive in /etc/opt/novell/apache2/conf/httpd.conf. The specific level of logging can be configured via Advanced Options. See https://www.netiq.com/documentation/netiqaccessmanager32/accessgatewayhelp/?page=/documentation/netiqaccessmanager32/accessgatewayhelp/data/bzcsmag.html ('4.1 Managing Access Gateway Logs') for details on how to enable different log levels and how to dump the HTTP headers of all Access Gateway requests and the SOAP messages between the Proxy and the onboard Embedded Service Provider (ESP).

When the Proxy is enabled in verbose mode, the disk I/O associated with the logging can have an impact on Access Gateway performance and stability. It's very important that syslog level logging be enabled when running any of the more verbose log levels above.

Resolution

1. Add the following lines to the /etc/syslog-ng/syslog-ng.conf file on the Proxy server.

filter f_user { facility(user); };
destination agsmessages { file("/var/log/novell-apache2/error_log"); };
log { source(src); filter(f_user); destination(agsmessages); flags(final); };

filter f_local6 { facility(local6); };
destination httpheaders { file("/var/log/novell-apache2/httpheaders"); };
log { source(src); filter(f_local6); destination(httpheaders); flags(final); };

filter f_local5 { facility(local5); };
destination soapmessages { file("/var/log/novell-apache2/soapmessages"); };
log { source(src); filter(f_local5); destination(soapmessages); flags(final); };

Note that these lines should be placed ABOVE the entries for local messages, e.g. after the following entries:

#
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };

# this is for the old acpid < 1.0.6
filter f_acpid_old  { match('^\[acpid\]:'); };

filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

2. Restart syslogd using '/etc/init.d/syslog restart'

3. Configure Apache's httpd to use syslog by modifying /etc/opt/novell/apache2/conf/httpd.conf and making sure the ErrorLog directive is configured as follows:

'ErrorLog syslog:user'

4. Restart Apache using '/etc/init.d/novell-apache2 restart'

This change will also apply to the logging of HTTP headers and SOAP messages.
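
The following shell functions are an added example, not part of the original article or of NetIQ's tooling. They check the edits from steps 1 and 3 against the two configuration files. The function names and the optional marker pattern are assumptions introduced here, and each log statement is assumed to sit on a single line as in step 1.

```shell
#!/bin/sh
# Added example, not NetIQ tooling. Function names are hypothetical.

# Line number of the first uncommented line in file $1 matching ERE $2.
first_line() { grep -nE "^[^#]*$2" "$1" | head -n 1 | cut -d: -f1; }

# check_routes CONF [MARKER_ERE]
# Step 1: each facility needs a filter and a log statement with flags(final).
# MARKER_ERE (assumption, supplied by the caller) identifies the entries the
# added log statements must sit above, e.g. the stock local-message entries.
check_routes() {
    conf=$1; marker=${2:-}; rc=0; limit=
    if [ -n "$marker" ]; then limit=$(first_line "$conf" "$marker"); fi
    for pair in user:agsmessages local6:httpheaders local5:soapmessages; do
        fac=${pair%%:*}; dest=${pair##*:}
        if [ -z "$(first_line "$conf" "facility\($fac\)")" ]; then
            echo "FAIL: no active filter for facility($fac)"; rc=1
        fi
        n=$(first_line "$conf" "log .*destination\($dest\).*flags\(final\)")
        if [ -z "$n" ]; then
            echo "FAIL: no final log statement for destination($dest)"; rc=1
        elif [ -n "$limit" ] && [ "$n" -gt "$limit" ]; then
            echo "FAIL: $dest route (line $n) is below marker (line $limit)"; rc=1
        fi
    done
    return "$rc"
}

# check_errorlog HTTPD_CONF
# Step 3: every active ErrorLog directive in the file must be syslog:user.
check_errorlog() {
    active=$(grep -Ei '^[[:space:]]*ErrorLog[[:space:]]' "$1" |
             awk '{print $2}' | tr -d '"' | sort -u)
    if [ "$active" = "syslog:user" ]; then return 0; fi
    echo "FAIL: active ErrorLog is '${active:-unset}', expected syslog:user"
    return 1
}

# Typical call on the Proxy server, using the paths from the article:
#   check_routes /etc/syslog-ng/syslog-ng.conf &&
#   check_errorlog /etc/opt/novell/apache2/conf/httpd.conf
```

Run the checks before the restarts in steps 2 and 4, so that a misplaced or commented-out entry is caught while the Proxy is still logging as before.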