Monitoring Servers

This chapter describes the monitoring capabilities that OpenDJ implements, and shows how to configure them. OpenDJ Control Panel provides basic monitoring capabilities under Monitoring > Connection Handler and Monitoring > Manage Tasks. This chapter covers the other options for monitoring OpenDJ.

LDAP-Based Monitoring

OpenDJ exposes monitoring information over LDAP under the entry cn=monitor. Many different types of information are exposed. The following example shows monitoring information about the userRoot backend holding Example.com data.

$ ldapsearch -p 1389 -b cn=monitor "(cn=userRoot backend)"
dn: cn=userRoot backend,cn=Disk Space Monitor,cn=monitor
disk-state: normal
objectClass: top
objectClass: ds-monitor-entry
objectClass: extensibleObject
disk-dir: /path/to/OpenDJ/db/userRoot
disk-free: 343039315968
cn: userRoot backend

dn: cn=userRoot Backend,cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: ds-backend-monitor-entry
ds-backend-is-private: FALSE
ds-backend-writability-mode: enabled
cn: userRoot Backend
ds-backend-entry-count: 163
ds-backend-id: userRoot
ds-base-dn-entry-count: 163 dc=example,dc=com
ds-backend-base-dn: dc=example,dc=com

You can set global ACIs on the Access Control Handler if you want to limit read access under cn=monitor.
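
An added example (not part of the OpenDJ documentation) of a polling check built on the cn=monitor output shown above: it parses the LDIF that ldapsearch prints and reports disk and backend conditions worth alerting on. The function names and the free-space threshold are assumptions; the attribute names and sample values are the ones in the output above.

```python
import base64

# Abridged from the ldapsearch output above; thresholds further down are assumptions.
LDIF = """\
dn: cn=userRoot backend,cn=Disk Space Monitor,cn=monitor
disk-state: normal
disk-dir: /path/to/OpenDJ/db/userRoot
disk-free: 343039315968
cn: userRoot backend

dn: cn=userRoot Backend,cn=monitor
ds-backend-writability-mode: enabled
ds-backend-entry-count: 163
ds-backend-id: userRoot
ds-base-dn-entry-count: 163 dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, unfolding wrapped lines and decoding base64 values."""
    entries, current = {}, None
    for line in text.replace('\n ', '').splitlines():
        if not line.strip():
            current = None            # a blank line ends the current entry
            continue
        if line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):     # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        value = value.strip()
        if name.lower() == 'dn':
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return entries

def check(entries, min_free_bytes=10 * 2**30):
    """Return (dn, problem) pairs for monitor entries that are outside the expected state."""
    alerts = []
    for dn, attrs in entries.items():
        for state in attrs.get('disk-state', []):
            if state != 'normal':
                alerts.append((dn, 'disk-state=' + state))
        for free in attrs.get('disk-free', []):
            if int(free) < min_free_bytes:
                alerts.append((dn, 'disk-free=' + free))
        for mode in attrs.get('ds-backend-writability-mode', []):
            if mode != 'enabled':
                alerts.append((dn, 'writability-mode=' + mode))
    return alerts
```

If read access under cn=monitor is restricted with global ACIs, run the search that feeds this check as an account those ACIs allow.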

SNMP-Based Monitoring

OpenDJ lets you monitor the server over the Simple Network Management Protocol (SNMP), with support for the Management Information Base described in RFC 2605: Directory Server Monitoring MIB.

OpenDJ SNMP-based monitoring depends on OpenDMK, not currently installed by default. Before using SNMP-based monitoring, first download and install OpenDMK, provided separately due to licensing restrictions.

Once you have installed OpenDMK, you can set up a connection handler for SNMP.

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
  create-connection-handler --handler-name "SNMP Connection Handler" \
  --type snmp --set enabled:true --set listen-port:11161 \
  --set trap-port:11162 -X -n \
  --set opendmk-jarfile:OpenDMK-install-dir/lib/jdmkrt.jar

JMX-Based Monitoring

OpenDJ provides Java Management eXtensions (JMX) based monitoring. A number of tools support JMX, including jconsole and jvisualvm, which are bundled with the Sun/Oracle Java platform. JMX is not configured by default. Use the dsconfig command to configure the JMX connection handler.

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
  set-connection-handler-prop --handler-name "JMX Connection Handler" \
  --set enabled:true -X -n

By default, no users have privileges to access the JMX connection. The following command adds JMX privileges for Directory Manager.

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
  set-root-dn-prop --add default-root-privilege-name:jmx-notify \
  --add default-root-privilege-name:jmx-read \
  --add default-root-privilege-name:jmx-write -X -n

You must also configure security to log in remotely. Good luck.

Alternatively, you can connect to a local server process by using the server process identifier.

$ cat ../logs/server.pid
3363
$ jvisualvm --openpid 3363 &

Server Operation & Tasks

OpenDJ comes with two commands for monitoring server processes and tasks. The status command displays basic information about the local server, similar to what is seen in the default window of the Control Panel. The manage-tasks command lets you manage tasks scheduled on a server, such as nightly backup.

The status command takes administrative credentials to read the configuration, as does the Control Panel.

$ status -D "cn=Directory Manager" -w password

          --- Server Status ---
Server Run Status:        Started
Open Connections:         1

          --- Server Details ---
Host Name:                localhost
Administrative Users:     cn=Directory Manager
Installation Path:        /path/to/OpenDJ
Version:                  OpenDJ
Java Version:             1.6.0_24
Administration Connector: Port 4444 (LDAPS)

          --- Connection Handlers ---
Address:Port : Protocol : State
-------------:----------:---------
--           : LDIF     : Disabled
0.0.0.0:636  : LDAPS    : Disabled
0.0.0.0:1389 : LDAP     : Enabled
0.0.0.0:1689 : JMX      : Disabled

          --- Data Sources ---
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     163
Replication: Disabled

The manage-tasks command connects over the administration port, and so can connect to both local and remote servers.

$ manage-tasks -h opendj.example.com -p 4444 -D "cn=Directory Manager" \
  -w password -X -n

ID                         Type    Status
--------------------------------------------------------
example                    Backup  Recurring
example-20110623030000000  Backup  Waiting on start time

Server Logs

By default OpenDJ stores access and errors logs as well as a server process ID file under the logs/ directory. For the replication service, OpenDJ also keeps a replication log there. You can also configure a debug log. Furthermore, you can configure policies about how logs are rotated, and how they are retained. You configure logging using the dsconfig command.

The access log traces the operations the server processes, including timestamps, connection information, and information about the operation itself. The access log can therefore grow quickly, as each client request results in at least one new log message.

The following access log excerpt shows a search operation from the local host, with the first three lines wrapped for readability.

[21/Jun/2011:08:01:53 +0200] CONNECT conn=4 from=127.0.0.1:49708
 to=127.0.0.1:1389 protocol=LDAP
[21/Jun/2011:08:01:53 +0200] SEARCH REQ conn=4 op=0 msgID=1
 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL"
[21/Jun/2011:08:01:53 +0200] SEARCH RES conn=4 op=0 msgID=1
 result=0 nentries=1 etime=3
[21/Jun/2011:08:01:53 +0200] UNBIND REQ conn=4 op=1 msgID=2
[21/Jun/2011:08:01:53 +0200] DISCONNECT conn=4 reason="Client Unbind"

The errors log traces server events, error conditions, and warnings, categorized and identified by severity.

The following errors log excerpt shows log entries about a backup task, with lines wrapped for readability.

[22/Jun/2011:12:32:23 +0200] category=BACKEND severity=NOTICE msgID=9896349
 msg=Backup task 20110622123224088 started execution
[22/Jun/2011:12:32:23 +0200] category=TOOLS severity=NOTICE msgID=10944792
 msg=Starting backup for backend userRoot
[22/Jun/2011:12:32:24 +0200] category=JEB severity=NOTICE msgID=8847446
 msg=Archived: 00000000.jdb
[22/Jun/2011:12:32:24 +0200] category=TOOLS severity=NOTICE msgID=10944795
 msg=The backup process completed successfully
[22/Jun/2011:12:32:24 +0200] category=BACKEND severity=NOTICE msgID=9896350
 msg=Backup task 20110622123224088 finished execution

The replication log traces replication events, with entries similar to the errors log. The following excerpt has lines wrapped for readability.

[22/Jun/2011:14:37:34 +0200] category=SYNC severity=NOTICE msgID=15139026
 msg=Finished total update: exported domain "dc=example,dc=com" from this
 directory server DS(24065) to all remote directory servers.
[22/Jun/2011:14:37:35 +0200] category=SYNC severity=MILD_WARNING msgID=14745663
 msg=Replication server RS(23947) at localhost/10.10.0.168:8989 has closed the
 connection to this directory server DS(24065). This directory server will now
 try to connect to another replication server in order to receive changes for
 the domain "dc=example,dc=com"
[22/Jun/2011:14:37:35 +0200] category=SYNC severity=NOTICE msgID=15138894
 msg=The generation ID for domain "dc=example,dc=com" has been reset to 3679640

Notice that the replication log does not trace replication operations. Use the external change log instead to get notifications about changes to directory data over protocol. You can alternatively configure an audit log, which is a type of access log that dumps changes in LDIF.

A debug log traces details needed to troubleshoot a problem in the server. Debug logs can grow large quickly, and therefore no debug logs are enabled by default.

Each log depends on a log publisher, whose type corresponds to the type of log.
OpenDJ uses file-based log publishers. The design allows for custom log publishers, however, which could publish the logs elsewhere besides a file. Each log can also be associated with a log rotation policy, and a log retention policy. The former can specify when, after how much time, or at what maximum size a log is rotated. The latter can specify a maximum number or size of logs to retain, or an amount of free disk space to maintain. The design allows for custom policies as well. For debug logging, you also set a debug target to control what gets logged. By default the file-based logs are subject to rotation and retention policies that you can list with dsconfig list-rotation-policies and dsconfig list-retention-policies.
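
An added example (not part of the OpenDJ documentation) of detection logic over the access log format described in this section: it joins each RES message to its REQ by conn and op, attaches the client address from CONNECT, and flags failed results, large result sets and slow operations. The conn=5 lines, the thresholds and the function names are constructed for illustration; result=49 is the LDAP invalidCredentials code.

```python
import re

SAMPLE = '''\
[21/Jun/2011:08:01:53 +0200] CONNECT conn=4 from=127.0.0.1:49708 to=127.0.0.1:1389 protocol=LDAP
[21/Jun/2011:08:01:53 +0200] SEARCH REQ conn=4 op=0 msgID=1 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL"
[21/Jun/2011:08:01:53 +0200] SEARCH RES conn=4 op=0 msgID=1 result=0 nentries=1 etime=3
[21/Jun/2011:08:02:10 +0200] CONNECT conn=5 from=192.0.2.10:50112 to=127.0.0.1:1389 protocol=LDAP
[21/Jun/2011:08:02:10 +0200] BIND REQ conn=5 op=0 msgID=1 dn="uid=bjensen,ou=People,dc=example,dc=com"
[21/Jun/2011:08:02:10 +0200] BIND RES conn=5 op=0 msgID=1 result=49 etime=1
[21/Jun/2011:08:02:11 +0200] SEARCH REQ conn=5 op=1 msgID=2 base="dc=example,dc=com" scope=wholeSubtree filter="(objectClass=*)" attrs="ALL"
[21/Jun/2011:08:02:12 +0200] SEARCH RES conn=5 op=1 msgID=2 result=0 nentries=163 etime=412
'''.splitlines()  # conn=4 lines come from the excerpt above; conn=5 lines are constructed

LINE = re.compile(r'^\[([^\]]+)\] ([A-Z]+(?: (?:REQ|RES))?) (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one access log message into timestamp, message kind and key=value fields."""
    m = LINE.match(line.strip())
    if not m:
        return None  # wrapped or foreign line: skip rather than guess
    fields = ((k, v.strip('"')) for k, v in FIELD.findall(m.group(3)))
    return dict(fields, ts=m.group(1), kind=m.group(2))

def correlate(lines):
    """Join each RES to its REQ (same conn and op) and to the CONNECT client address."""
    clients, pending, ops = {}, {}, []
    for rec in filter(None, map(parse_line, lines)):
        conn, kind = rec.get('conn'), rec['kind']
        if kind == 'CONNECT':
            clients[conn] = rec.get('from')
        elif kind.endswith(' REQ'):
            pending[(conn, rec.get('op'))] = rec
        elif kind.endswith(' RES'):
            req = pending.pop((conn, rec.get('op')), {})
            ops.append({**req, **rec, 'client': clients.get(conn), 'op_type': kind.split()[0]})
    return ops

def findings(ops, max_entries=100, max_etime=100):
    """Flag failed operations, large result sets and slow operations (thresholds are assumptions)."""
    out = []
    for o in ops:
        checks = (('result', o.get('result', '0') != '0'),
                  ('nentries', int(o.get('nentries', 0)) > max_entries),
                  ('etime', int(o.get('etime', 0)) > max_etime))
        out += [(o['client'], o['op_type'], f'{k}={o[k]}') for k, hit in checks if hit]
    return out

if __name__ == '__main__':
    print(findings(correlate(SAMPLE)))
```

The parser expects one message per line, as the server writes them; the excerpts in this section are wrapped only for display.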

Alert Notifications

OpenDJ can send alerts to provide notifications of significant server events. Yet alert notifications are not enabled by default. You can use the dsconfig command to enable alert notifications.

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
  set-alert-handler-prop --handler-name "JMX Alert Handler" \
  --set enabled:true -X -n

OpenDJ can also send mail over SMTP instead of JMX notifications. Before you set up the SMTP-based alert handler, you must identify an SMTP server to which OpenDJ sends messages.

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
  set-global-configuration-prop --set smtp-server:smtp.example.com -X -n

$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
  create-alert-handler --handler-name "SMTP Alert Handler" --type smtp \
  --set enabled:true \
  --set message-subject:"OpenDJ Alert, Type: %%alert-type%%, ID: %%alert-id%%" \
  --set message-body:"%%alert-message%%" \
  --set recipient-address:kvaughan@example.com \
  --set sender-address:opendj@example.com -X -n