Overview#
PKI server logging can be configured using the following logging frameworks:
Internal Logging
java.util.logging (JUL)#
Tomcat uses JUL as the default logging framework. The configuration is described in Tomcat 7 Logging Configuration and Tomcat 8 Logging Configuration.
The default configuration is located at /usr/share/pki/server/conf/logging.properties. During server deployment a link will be created at /var/lib/pki/pki-tomcat/conf/logging.properties.
By default only log messages with level WARNING or higher will be logged on the console (i.e. systemd journal).
java.util.logging.ConsoleHandler.level = ALLjava.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatterjava.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n.level = ALL.handlers = java.util.logging.ConsoleHandlerThe systemd journal can be viewed with the following command:
$ journalctl -u pki-tomcatd@pki-tomcat.service
To customize JUL configuration, replace the link with a copy of the default configuration:
$ rm -f /var/lib/pki/pki-tomcat/conf/logging.properties$ cp /usr/share/pki/server/conf/logging.properties /var/lib/pki/pki-tomcat/conf$ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/conf/logging.propertiesThen edit the file as needed. For example, to troubleshoot PKI issues add the following lines:
To troubleshoot RESTEasy issues add the following line (unless Log4j is installed in Tomcat classpath):
org.jboss.resteasy.level = ALL
Then restart the server.
For more information see the following documents:
Log4j#
The default Tomcat 7 classpath does include Log4j, but the server itself is not configured to use Log4j for logging by default. However, since the Log4j is in the classpath the RESTEasy will use Log4j for logging automatically (see RESTEasy Logging).
The default Log4j configuration is located at /usr/share/pki/server/conf/log4j.properties. During server deployment a link will be created at /var/lib/pki/pki-tomcat/lib/log4j.properties.
By default only log messages with level WARN or higher will be logged on the console (i.e. systemd journal).
log4j.appender.console = org.apache.log4j.ConsoleAppenderlog4j.appender.console.Target = System.errlog4j.appender.console.layout = org.apache.log4j.PatternLayoutlog4j.appender.console.layout.ConversionPattern = %p: %m%nlog4j.rootLogger = WARN, consolelog4j.logger.org.jboss.resteasy = WARNThe default Tomcat 8 classpath does not include Log4j, so RESTEasy will use JUL instead.
To customize Log4j configuration, replace the link with a copy of the default configuration:
$ rm -f /var/lib/pki/pki-tomcat/lib/log4j.properties$ cp /usr/share/pki/server/conf/log4j.properties /var/lib/pki/pki-tomcat/lib$ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/lib/log4j.propertiesThen edit the file as needed. For example, to troubleshoot RESTEasy issues add the following line:
log4j.logger.org.jboss.resteasy = ALL
Then restart the server.
For more information see the following documents:
Internal Logging#
Each PKI subsystem uses an internal logging framework for debugging purposes.
The logging configuration is stored in /var/lib/pki/instance/conf/subsystem/CS.cfg:
debug.enabled=truedebug.level=0debug.filename=/var/lib/pki/instance/logs/subsystem/debugdebug.hashkeytypes=debug.showcaller=falseThe debug.enabled determines whether the debug log is enabled. By default it is enabled.
The debug.level determines the amount of details to be logged. The value ranges from 0 (most detailed) to 10 (least detailed). The default is 0.
The debug.filename determines the debug log file location. By default it is located at /var/lib/pki/instance/logs/subsystem/debug.
The debug.hashkeytypes is a comma-separated list of additional components to log. By default it’s empty.
The debug.showcaller determines whether to include the caller information in the log message. By default it’s disabled.
To customize the internal logging configuration, edit the CS.cfg as needed, then restart the server.