Troubleshooting

Troubleshooting Kerberos

UNIX Syslog File

The security server daemons (kadmind, kpropd, and kdcd) write error messages to the system log file, /var/adm/syslog/syslog.log. You can also configure the daemons to log messages to a different file. To do so, specify the file name with the -l option when starting the daemon:

# kdcd -l <log file name>

or

# kadmind -l <log file name>

However, principal database operations performed locally on the primary security server using the HP Kerberos Administrator are not recorded because these programs do not use syslog to audit their activities.

The syslog daemon (syslogd) is configured using the /etc/syslog.conf file, which controls where your log files are located. For example, you can configure syslog to send messages to /usr/adm/messages.

The security server daemons log an entry for each transaction, recording whether the transaction succeeded or failed. The number of transactions logged in your syslog file depends on how you have configured the reporting levels.

The security server uses the following syslog reporting levels:

LOG_ERR – Displays security server errors.

LOG_WARNING – Displays security server warnings.

LOG_NOTICE – Displays secured application server errors.

The server logs information messages through syslog. The syslog file can grow large if not maintained properly. The syslog file is specified in /etc/syslog.conf, which has a symbolic link to the /var/adm/messages directory.

Check the size of this file to make sure it does not use an overwhelming amount of system disk space. If the /var partition grows to 100 percent utilization, syslog stops writing log messages and may even shut down active processes, such as the daemons.

Create a shell script to be executed daily or weekly by cron to check the syslog file size, partition utilization, or both, and to detect any problems. In addition, you must archive the syslog files regularly to a separate partition, drive, or server.
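One way to write the cron check described above, as an added example that is not part of the original HP documentation. The script name, the cron schedule, and the default thresholds (51200 KB file size, 90 percent utilization) are assumptions. Warnings go to standard output, which cron mails to the job owner, so reporting does not depend on syslog still being able to write.

```shell
#!/bin/sh
# Added example: cron check of syslog file size and partition utilization.
# Thresholds and the script name are assumptions; the log path is the page's.

# Print the size of a file in KB (rounded up); 0 if the file is missing.
file_size_kb() {
    [ -f "$1" ] || { echo 0; return 0; }
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $(( (bytes + 1023) / 1024 ))
}

# Read `df -Pk` output on stdin and print the Capacity column of the
# last line as a bare number (for example "87").
parse_use_pct() {
    awk 'NR > 1 { pct = $5 } END { sub(/%/, "", pct); print pct + 0 }'
}

# check_syslog LOGFILE [MAX_KB] [MAX_PCT]
# Prints one WARNING line per exceeded limit; returns 1 if any was exceeded.
check_syslog() {
    log=$1; max_kb=${2:-51200}; max_pct=${3:-90}
    rc=0
    size_kb=$(file_size_kb "$log")
    # -P forces the POSIX one-line-per-filesystem layout, -k reports in KB.
    pct=$(df -Pk "$(dirname "$log")" | parse_use_pct)
    if [ "$size_kb" -gt "$max_kb" ]; then
        echo "WARNING: $log is ${size_kb} KB (limit ${max_kb} KB)"
        rc=1
    fi
    if [ "$pct" -ge "$max_pct" ]; then
        echo "WARNING: partition holding $log is ${pct}% full (limit ${max_pct}%)"
        rc=1
    fi
    return $rc
}

# Run only when a log file is given, for example from a daily cron entry:
#   0 6 * * * /usr/local/bin/check_syslog.sh /var/adm/syslog/syslog.log
if [ "$#" -ge 1 ]; then
    check_syslog "$@"
fi
```

If the daemons were started with -l, pass that log file name as the first argument instead.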
