Configuring Subsystem Debug Log

Overview

Each PKI subsystem generates debug logs that can be used to troubleshoot issues in the subsystem (e.g. database access, certificate issuance, key archival).

The logging system is implemented using java.util.logging (JUL) which can be configured using logging.properties and supports the following logging levels:

• SEVERE (highest value)

• WARNING

• INFO

• CONFIG

• FINE

• FINER

• FINEST (lowest value)

Default Logging Configuration

The default subsystem logging configuration is stored in:

• /usr/share/pki/ca/webapps/ca/WEB-INF/classes/logging.properties

• /usr/share/pki/kra/webapps/kra/WEB-INF/classes/logging.properties

• /usr/share/pki/ocsp/webapps/ocsp/WEB-INF/classes/logging.properties

• /usr/share/pki/tks/webapps/tks/WEB-INF/classes/logging.properties

• /usr/share/pki/tps/webapps/tps/WEB-INF/classes/logging.properties

• /usr/share/pki/acme/webapps/acme/WEB-INF/classes/logging.properties

• /usr/share/pki/est/webapps/est/WEB-INF/classes/logging.properties

The subsystem will store the messages in /var/lib/pki/pki-tomcat/logs/<subsystem>/debug.YYYY-MM-DD.log which will be rotated daily and purged after 7 days.

Note: These files are owned by RPM packages. Any changes to them will be overwritten when the RPM packages are upgraded.

Configuring Debug Level using logging.properties

Since PKI 11.7 the subsystem debug level can be configured by creating a new /var/lib/pki/<instance>/conf/<subsystem>/logging.properties. This is different from the default logging.properties above.

For example:

org.jboss.resteasy.level = INFO

Ensure the file is owned by pkiuser:

$ chown pkiuser:pkiuser /var/lib/pki/pki-tomcat/conf/ca/logging.properties

Then restart the server.

Configuring Debug Level using CS.cfg

For CA, KRA, OCSP, TKS, and TPS subsystems the debug level can be configured using the debug.level parameter in CS.cfg:

• /var/lib/pki/pki-tomcat/ca/conf/CS.cfg

• /var/lib/pki/pki-tomcat/kra/conf/CS.cfg

• /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg

• /var/lib/pki/pki-tomcat/tks/conf/CS.cfg

• /var/lib/pki/pki-tomcat/tps/conf/CS.cfg

Note: There is no CS.cfg for ACME and EST subsystems. Create a custom logging.properties on PKI 11.7 or later, or modify the default logging.properties on older versions.

By default the debug.level parameter is configured as follows:

debug.level=10

The parameter is mapped into JUL log level as follows:

PKI Log Level	SLF4J Log Level	JUL Log Level
0-1 (OBNOXIOUS)	TRACE	FINEST
2-5 (VERBOSE)	DEBUG	FINE
6-10 (INFORM)	INFO	INFO
11-15	WARN	WARNING
>15	ERROR	SEVERE

So by default the subsystem will log INFO messages or higher.

Displaying Current Debug Level

To show the current debug level in subsystems other than ACME, execute the following command:

$ pki-server ca-config-show debug.level
10

Changing Debug Level

To change the debug level (e.g. to log FINE messages or higher) in subsystems other than ACME, execute the following command:

$ pki-server ca-config-set debug.level 5

Then restart the server.

See Also

• PKI 10.6 Subsystem Debug Log

• PKI 10.5 Subsystem Debug Log

• PKI 10.3 Subsystem Debug Log