Debug Trace Logging

If you encounter problems with Privilege Management for Unix and Linux, you can enable certain components to produce trace logs for each secured task they process. A non-zero debug level from 1 (lowest) to 9 (highest) controls the depth and detail of the debug trace messages that are logged. A debug level of zero means no tracing is performed. Currently, this feature is available in pbrun, pbsh, pbksh, pbmasterd, pblocald, and pblogd.

The resulting trace log file names have the format:

<prefix><PBUL_program_name><suffix>.<version>.debug.<PID>

and are created in the same location as the corresponding diagnostics log.

To ensure security, the debug trace logs are only generated if the parent directories specified in the relevant diagnostics log settings pbrunlog, pbkshlog, pbshlog, pbmasterdlog, pblogdlog, and pblocaldlog are owned and writable only by root.

When debug tracing the clients pbrun, pbksh, and pbsh, if the corresponding diagnostic keywords pbrunlog, kshlog, and shlog are not present in the settings file, Privilege Management for Unix and Linux attempts to use the directory location specified in pblocaldlog or pbmasterdlog.

When on-demand tracing is enabled from the clients (pbrun, pbksh, pbsh), the client and any associated daemon that participates in the secured task processing produce a trace log for that session.

The daemons, on the other hand, can be set up to always start in a trace-enabled state on a host using one of the following methods:

  • Use the debug option of the server program for daemons that are either stand-alone or started by a superdaemon.
  • Manually create a hidden file containing a numeric debug level (1-9) in specific locations:
    • pbmasterd: /etc/.<prefix>pbmasterd<suffix>.debug.setting
    • pblogd: /etc/.<prefix>pblogd<suffix>.debug.setting
    • pblocald: /etc/.<prefix>pblocald<suffix>.debug.setting
  • If running pbrun as root, use options in pbrun to enable tracing for the appropriate daemon. To initiate and permanently turn on tracing for pbmasterd, pblocald, and pblogd, use pbrun’s -d mlog, -d llog, and -d glog, respectively. The appropriate /etc/.*debug.setting file is created.

To disable debug trace logging for the server programs, locate and delete the hidden debug setting files created from one of the steps mentioned above:

  • pbmasterd: /etc/.<prefix>pbmasterd<suffix>.debug.setting
  • pblogd: /etc/.<prefix>pblogd<suffix>.debug.setting
  • pblocald: /etc/.<prefix>pblocald<suffix>.debug.setting
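
The following added example (not vendor code) shows one way to audit the two conditions described above: whether a diagnostics log directory is owned and writable only by root, and whether any daemon is still set to start with tracing enabled through a hidden debug setting file. The function names are hypothetical, and the directory check is assumed to be a mode-bit approximation of the product's own test.

```shell
#!/bin/sh
# Added example: audit helpers for PBUL debug tracing (not vendor code).

# Succeeds only if DIR is a directory owned by OWNER_UID (default 0, root)
# with no group or other write bit. Assumption: mode bits only, ACLs are
# not inspected. A symlink to a directory fails the check (conservative).
dir_owner_only_writable() {
    dir=$1
    owner_uid=${2:-0}
    [ -d "$dir" ] || return 1
    # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 ..." (numeric uid in field 3)
    ls -ldn "$dir" | awk -v uid="$owner_uid" '{
        gw = substr($1, 6, 1); ow = substr($1, 9, 1)
        exit !($3 == uid && gw != "w" && ow != "w")
    }'
}

# Prints "<file> <level>" for each daemon debug setting file found in
# ETC_DIR (default /etc). The level is reported as "invalid" unless the
# file holds a single digit 1-9. No output means no daemon is set to
# start in a trace-enabled state through these files.
list_debug_settings() {
    etc_dir=${1:-/etc}
    for daemon in pbmasterd pblogd pblocald; do
        # Matches /etc/.<prefix><daemon><suffix>.debug.setting
        for f in "$etc_dir"/.*"$daemon"*.debug.setting; do
            [ -f "$f" ] || continue
            level=$(tr -d '[:space:]' < "$f")
            case $level in
                [1-9]) ;;
                *) level=invalid ;;
            esac
            printf '%s %s\n' "$f" "$level"
        done
    done
    return 0
}
```

Run `dir_owner_only_writable` against the parent directory of each configured diagnostics log, and `list_debug_settings` with no argument to inspect /etc.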
