Generate Debug Logs for AD Bridge Services

Logging can help identify and solve problems. There are debug logs for the following services in AD Bridge:

Services Description
eventfwd The event forwarding service. Generate a debug log to verify that the service is receiving events and forwarding them to a collector server.
eventlog The event collection service. Generate a debug log for eventlog to troubleshoot the collection and processing of security events
gpagent The Group Policy agent. Generate a debug log for gpagent to troubleshoot the application or processing of Group Policy Objects (GPOs).
lsass The authentication service. Generate a debug log for lsass when you need to troubleshoot authentication errors or failures.
lwio The input-output service that manages interprocess communication.
lwpkcs11 A service that aids in logging on and logging off with a smart card. Gather logging information about it when there is a problem logging on or logging off with a smart card.
lwreg The AD Bridge registry service. Generate a debug log for lwreg to troubleshoot ill-fated configuration changes to the registry.
lwsc The smart card service. Gather logging information for the smart card service when card-insertion or card-removal behavior is other than expected.
lwsm The service manager.
netlogon The site affinity service that detects the optimal domain controller and global catalog. Generate a debug log for netlogon when you need to troubleshoot problems with sending requests to domain controllers or getting information from the global catalog.
PAM The pluggable authentication modules used by AD Bridge. Create a debug log for PAM when you need to troubleshoot logon or authentication problems.
reapsysl Part of the data collection service. Capture a debug log for reapsysl to investigate the collection and processing of events.

By default, log messages are processed by syslog, typically through the daemon facility. Although the path and file name of the log vary by platform, they typically appear in a subdirectory of /var/log. Note that when you change the log level of a AD Bridge service to debug, you may also need to update syslog configuration (typically /etc/syslog.conf) with the following command and then restart the syslog service:

*.debug /tmp/debug.log

Alternatively, you can log directly to a file, as the procedure to change the target illustrates. For more information, see Change the Target.

Log levels can be changed temporarily or permanently.

To temporarily change the log level, you can use /opt/pbis/bin/lwsm to specify the log level and whether to log to the syslog or directly to a file.

To permanently change the log level, you must modify the service's entry in the AD Bridge registry.

The following log levels are available for most AD Bridge services:

  • always
  • debug
  • error (default)
  • warning
  • info
  • verbose
  • trace

To troubleshoot, we recommend that you change the level to debug. However, to conserve disk space, we recommend that you set the log level to the default level when you finish troubleshooting.

The following are the pipes by which su, sudo, and local user (root) sshd logons are captured with the AD Bridge auditing system. They are system pipes created by the reapsysl service. AD Bridge cannot start the reapsysl service before syslog starts because of a complex series of dependencies on the system. Therefore, these errors are generated and should be ignored. Reapsysl will recreate the pipes as necessary.
robbie@example:~$ sudo ls -la /var/lib/pbis/syslog-reaper/ total 28
drwx------ 2 root root 4096 Mar  7 12:54 .
drwxr-xr-x 8 root root 4096 May 10 13:27 ..
prwx------ 1 root root    0 Mar  7 12:54 error
prwx------ 1 root root    0 Mar  7 12:54 information
prwx------ 1 root root    0 Mar  7 12:54 warning

Temporarily Change the Log Level and Target for a Service

The service manager supports per-service, per-facility logging. Each service has a default log target (syslog) and level (WARNING).

Change the Target

You can use the following command to change the log target for a particular service and facility to log to a file:

/opt/pbis/bin/lwsm set-log-target <service> <facility> file <path>

You can use the following command to change the log target for a particular service and facility to the syslog:

/opt/pbis/bin/lwsm set-log-target <service> <facility> syslog

The service can be any AD Bridge service except dcerpc, which has its own logging mechanism.

The facility is a portion of the service and the default facility is accessed as a hyphen (-). For example, to target the logging messages from default facility of lsass to a file /var/log/lsass.log:

/opt/pbis/bin/lwsm set-log-target lsass - file /var/log/lsass.log

If you want to debug the interprocess communications of lsass (something rarely required), you can use the lsass-ipc facility:

/opt/pbis/bin/lwsm set-log-target lsass lsass-ipc file /tmp/lsass-ipc.log

Change the Log Level

To change the level of logging in the default facility of lsass to debug:

/opt/pbis/bin/lwsm set-log-level lsass – debug

The supported log levels are:

  • always
  • error
  • warning
  • info
  • verbose
  • debug
  • trace

Changing the log level temporarily can help you isolate and capture information when a command or operation fails. For example, if you run a command and it fails, you can change the log level and then run the command again to get information about the failure.

View Log Settings

To view the current level and target of logging of a service, enter the following command:

/opt/pbis/bin/lwsm get-log <service>

For example, entering the following command

/opt/pbis/bin/lwsm get-log lsass

produces the following result

<default>: syslog LOG_DAEMON at ERROR

This indicates that the lsass service's default log level is error and is directed to syslog’s daemon facility.