How to change log throttles manually in Centrify Agent for Linux and Centrify Infrastructure Service

By Centrify 06-28-2018 05:50 PM

How to:
Centrify provides the following scripts to enable/disable debug logging:

  • Centrify Agent for Linux:  /usr/share/centrifycc/bin/cdebug
  • DirectControl:  /usr/share/centrifydc/bin/addebug
  • DirectAudit: /usr/sbin/dadebug

Enable debugging in journald environment

If you need to enable debug logging for more than one feature, note the order in which you run the debug commands to enable them. When you disable debug logging, disable the features in reverse order. After disabling all debug logging, verify that /etc/systemd/journald.conf has only expected values set for at least these settings:

  1. ForwardToSyslog
  2. MaxLevelStore
  3. MaxLevelSyslog
  4. RateLimitBurst
  5. RateLimitInterval

If you have accidentally disabled debug logging out of order, then it is possible to rectify the problem by:

  1. Disabling all debug logging
  2. Performing the check above
  3. Re-enabling any desired debug logging

Enable debugging in rsyslog environment

If you enable debug logging for both DirectAudit and DirectControl, “addebug off” will disable debug logging for both DirectAudit and DirectControl. If you still want to capture debug logs for DirectAudit, you need to run “dadebug off” then “dadebug on” to enable debug logging again.


Changing system log throttle settings

In journald and rsyslog implementations of syslog, two settings control how log messages are throttled:

  1. A “burst” setting defining the maximum number of messages a process can log within a certain amount of time before further messages are dropped. 
  2. An “interval” setting defining the amount of time mentioned above. 

For example, a burst setting of 30,000 and an interval setting of 5 seconds means processes can log a maximum of 30,000 messages in 5 seconds before further messages are dropped. In Centrify Suite for Linux and Centrify Server Suite 2017, the default values are set to 30,000 messages and 5 seconds for these two parameters. However, for DirectAudit versions prior to Suite 2017, the default values are set to 10,000 messages and 1 second for these two parameters.

If you notice that debug messages are being dropped, or you need to enable debug mode for DirectAudit (versions prior to Suite 2017) together with DirectControl and/or Centrify Agent for Linux, you need to change these throttle settings.


Editing the throttle limits

  1. Disable debug logging for the affected feature using the appropriate command.
  2. For systems running journald, open the script that implements the desired command and search for the following text:
    1. RateLimitBurst=<number of messages>
    2. RateLimitInterval=<number><one of s, min, h, ms, us>
  3. For systems running rsyslog, open the script that implements the desired command and search for the following text:
    1. $SystemLogRateLimitBurst <number of messages>
    2. $SystemLogRateLimitInterval <number of seconds>
  4. Set all instances of the burst setting to the same desired value, and all instances of the interval setting to the same desired value.
    For example, to set the throttle limit to 40,000 messages every 4 seconds for journald:
    1. Replace “RateLimitBurst=30000” with “RateLimitBurst=40000”.
    2. Replace “RateLimitInterval=5s” with “RateLimitInterval=4s”.
  5. Save the file.

The new throttle limits will take effect when debug logging is enabled.
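
A check for the two verification points above, added here as an example (it is not a Centrify script): report_journald prints the active values of the five journald.conf settings to review after debug logging is disabled, and throttles_consistent confirms that every burst and interval instance in an edited file carries a single value. The function names and the file name check_throttle.sh are hypothetical, and the matching assumes unquoted KEY=value (journald) or $KEY value (rsyslog) text as shown in the steps above.

```shell
#!/bin/sh
# Added example, not Centrify code. Function names are hypothetical.

# values_of FILE PREFIX: distinct values following PREFIX on non-comment lines.
# PREFIX carries its separator: "RateLimitBurst=" (journald form) or
# "SystemLogRateLimitBurst " (rsyslog form). Assumes unquoted values.
values_of() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -o "$2[A-Za-z0-9]\{1,\}" |
        sed "s/^$2//" | sort -u
}

# report_journald FILE: show the active value of each setting the article says
# to verify once all debug logging has been disabled.
report_journald() {
    for key in ForwardToSyslog MaxLevelStore MaxLevelSyslog \
               RateLimitBurst RateLimitInterval; do
        val=$(values_of "$1" "$key=" | tr '\n' ' ')
        printf '%-18s %s\n' "$key" "${val:-(not set)}"
    done
}

# throttles_consistent FILE: return 0 only if each burst and interval setting
# has a single value across all of its instances in FILE (step 4).
throttles_consistent() {
    rc=0
    for prefix in "RateLimitBurst=" "RateLimitInterval=" \
                  "SystemLogRateLimitBurst " "SystemLogRateLimitInterval "; do
        n=$(values_of "$1" "$prefix" | wc -l)
        if [ "$n" -gt 1 ]; then
            echo "MISMATCH: '$prefix' has $n different values in $1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_throttle.sh /etc/systemd/journald.conf
if [ -n "${1:-}" ]; then
    report_journald "$1"
    throttles_consistent "$1"
fi
```

Run it against /etc/systemd/journald.conf after disabling debug logging, and against the edited debug script before re-enabling it; a MISMATCH line means at least one instance was missed in step 4.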
