Configuring Subsystem Debug Log

Overview

Each PKI subsystem provides a logging service using java.util.logging (JUL) framework. The logging service which can be used to troubleshoot issues in the subsystem (e.g. database access, certificate issuance, key archival).

For older PKI versions see also:

• PKI 10.6 Subsystem Debug Log

• PKI 10.5 Subsystem Debug Log

Configuration

The logging configuration is located at:

• /usr/share/pki/ca/webapps/ca/WEB-INF/classes/logging.properties

• /usr/share/pki/kra/webapps/kra/WEB-INF/classes/logging.properties

• /usr/share/pki/ocsp/webapps/ocsp/WEB-INF/classes/logging.properties

• /usr/share/pki/tks/webapps/tks/WEB-INF/classes/logging.properties

• /usr/share/pki/tps/webapps/tps/WEB-INF/classes/logging.properties

The debug.level parameter is stored in:

• /var/lib/pki/pki-tomcat/ca/conf/CS.cfg

• /var/lib/pki/pki-tomcat/kra/conf/CS.cfg

• /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg

• /var/lib/pki/pki-tomcat/tks/conf/CS.cfg

• /var/lib/pki/pki-tomcat/tps/conf/CS.cfg

By default the subsystem will log INFO messages or higher:

debug.level=10

The debug.level is mapped into JUL log level as follows:

PKI Log Level	SLF4J Log Level	JUL Log Level
0-1 (OBNOXIOUS)	TRACE	FINEST
2-5 (VERBOSE)	DEBUG	FINE
6-10 (INFORM)	INFO	INFO
11-15	WARN	WARNING
>15	ERROR	SEVERE

The subsystem will store the messages in /var/log/pki/pki-tomcat/<subsystem>/debug.YYYY-MM-DD.log which will be rotated daily and purged after 7 days.

Displaying Current Debug Level

To show the current debug level, execute the following command:

$ pki-server ca-config-show debug.level
0

Changing Debug Level

To change the debug level, execute the following command:

$ pki-server ca-config-set debug.level 5

Then restart the server.