What?! You don’t have these logs? You might need to turn them on, as they are disabled by default.
This will enable logging for the following items, and rotate the logs on a weekly basis:
This file contains everything you would want to know about your DNS environment: configuration reloads, zone loads, shutdowns, and zone transfers to any DNS slaves. These messages do not appear on a slave DNS server, so you need access to the master. Notice that you will not see WHICH DNS record was created in the excerpt below (it was delete.rummel.co).
Did you just double click a “.pkg” file (or something that looks like a stick of butter in a box)? The actions of that installation are recorded here. You could also install items from the command line with the installer command (a scripting FYI).
- Setting up and configuring Open Directory services
- Successes and failures when authenticating local network users
- Errors in the Password Service
- Core Open Directory functionality
There is so much going on with Open Directory that it is hard to know where to begin, as it deals with:
- LDAP (OpenLDAP specifically)
- Password (Password Service)
- Kerberos (now Heimdal rather than MIT Kerberos)
You can read about Open Directory in Apple’s man page for opendirectoryd (man opendirectoryd), or look up the error codes in Apple’s developer documentation. There are some key troubleshooting steps I usually perform when debugging authentication issues:
ping -c 4 ODM.IP.address (it should work)
host ODM.IP.address (it should report back your server’s fully qualified domain name)
host ODM.domain.tld (it should report back only one IP address)
open afp://ODM.domain.tld (you should get an authentication prompt)
dscl /Search -read /Users/*username* NFSHomeDirectory (should return “/Network/Servers/server.domain.tld/Volumes/path/to/username”)
dscl /Search -read /Users/*username* HomeDirectory (should return “<home_dir><url>afp://server.domain.tld/Users</url><path>username</path></home_dir>”)
ntpq -p; ntpdc -c loopinfo (do this on the client and the server to verify both are using the same NTP server)
kinit *username*@ODM.SERVER.TLD (this is your Kerberos realm, so the FQDN is in all caps)
klist -a (verify the TGT and its auth time)
Remember, you can always increase the Open Directory log level by following Apple’s kbase article (excerpted below) and issuing the odutil command it gives:
- The logging level will persist through restarts.
- Other logging levels are also available: “alert”, “critical”, “error”, “warning”, “notice”, and “info”.
- For more information please refer to the manual pages for the odutil utility (such as “man odutil”).
- Generally, debug logging should only be used to troubleshoot Open Directory service-related issues because debug logging can generate large numbers of log messages. If you need more detailed information about Open Directory events but do not wish to use “debug”, consider using “info” instead.
(Source: OS X Server: Changing opendirectoryd logging levels)
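Here is an added example, not from the original post, that scripts the troubleshooting steps above into a single pass/fail report and validates an odutil log level name (the list from Apple’s article, plus “default” to restore the normal level) before you set it. The hostname odm.example.com, the address 10.0.0.5 and the user jdoe are placeholders; the script assumes it is run on a Mac bound to the OD master with the standard ping, host, dscl, ntpq, kinit and klist tools, and it never changes the log level itself.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the Open Directory
# authentication checks from the post and validates odutil log level names.
# Assumed inputs: the OD master's FQDN and IP plus a test username;
# odm.example.com, 10.0.0.5 and jdoe used in comments are placeholders.

# The Kerberos realm of an OD master is its FQDN in upper case, which is
# why kinit wants USER@ODM.DOMAIN.TLD rather than the mixed-case name.
od_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Count "has address" lines in host(1) output read from stdin; the master
# should resolve to exactly one address.
a_record_count() {
    grep -c ' has address ' || true
}

# Pull one attribute value out of `dscl ... -read` output read from stdin
# (dscl prints "Key: value" for single-line attributes).
dscl_value() {
    sed -n "s/^$1: //p" | head -n 1
}

# Network home check: NFSHomeDirectory should be an automounted path.
home_is_network() {
    case "$1" in
        /Network/Servers/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Levels accepted by `odutil set log <level>`: the names from Apple's
# article, plus "default", which restores the normal level.
valid_od_log_level() {
    case "$1" in
        default|alert|critical|error|warning|notice|info|debug) return 0 ;;
        *) return 1 ;;
    esac
}

report() { printf '%s  %s\n' "$1" "$2"; }

# Walk the checks in the post's order; each prints PASS or FAIL plus evidence.
run_od_checks() {
    odm_host=$1; odm_ip=$2; user=$3
    realm=$(od_realm "$odm_host")

    if ping -c 4 "$odm_ip" >/dev/null 2>&1; then report PASS "ping $odm_ip"
    else report FAIL "ping $odm_ip"; fi

    # Reverse lookup must give the server's FQDN (host prints a trailing dot).
    ptr=$(host "$odm_ip" 2>/dev/null | sed -n 's/.*domain name pointer //p')
    case "$ptr" in
        "$odm_host".) report PASS "PTR $odm_ip -> $ptr" ;;
        *) report FAIL "PTR $odm_ip -> '$ptr' (want $odm_host.)" ;;
    esac

    n=$(host "$odm_host" 2>/dev/null | a_record_count)
    [ "$n" -eq 1 ] && report PASS "$odm_host has 1 A record" \
                   || report FAIL "$odm_host has $n A records"

    nfs=$(dscl /Search -read "/Users/$user" NFSHomeDirectory 2>/dev/null \
          | dscl_value NFSHomeDirectory)
    home_is_network "$nfs" && report PASS "NFSHomeDirectory $nfs" \
        || report FAIL "NFSHomeDirectory '$nfs' is not under /Network/Servers"

    # Kerberos is clock-sensitive: eyeball the peer list on client and server.
    echo "ntp peers on this host:"
    ntpq -p 2>/dev/null || report FAIL "ntpq not available"

    if kinit "$user@$realm"; then report PASS "kinit $user@$realm"; klist -a
    else report FAIL "kinit $user@$realm"; fi
}

# Usage: sh od_checks.sh odm.example.com 10.0.0.5 jdoe
if [ $# -eq 3 ]; then run_od_checks "$@"; fi
```

Run it from a client first and then on the master; a PTR mismatch or a second A record for the master is the most common reason kinit fails while ping and AFP still work.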
Apple decided to stop using the security.log file for ‘interesting’ items, so they now sit among the noise in system.log. Grep for the following items:
grep sudo /var/log/system.log
Anyone using the ‘sudo’ command for elevated privileges
grep backup /var/log/system.log
Time Machine backups of the server itself to a secondary drive (not the Time Machine backup service offered to clients)
grep kernel /var/log/system.log
Kernel messages (such as sandboxd lookup errors)
grep bootp /var/log/system.log
NetBoot and DHCP notices
grep kdc /var/log/system.log
Kerberos log messages for individuals who authenticate for services
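As an added example (not from the original post), the following script turns the greps above into a small triage pass: per-category line counts, a who-ran-what summary of successful sudo commands, and a separate list of refused or failed sudo attempts, which are the lines worth alerting on. The log lines embedded in it are constructed samples in the syslog format sudo, the kernel and bootpd write on OS X Server (the kdc line is an approximation of Heimdal’s AS-REQ message); the host odm, the users and the commands are made up.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the
# system.log greps in the post. SAMPLE_LOG is a constructed sample; the
# host "odm", the users and the commands in it are made up.
SAMPLE_LOG='Mar 10 09:12:01 odm sudo[812]:   admin : TTY=ttys000 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/sbin/serveradmin start postgres_server
Mar 10 09:12:40 odm sudo[830]:   intern : user NOT in sudoers ; TTY=ttys001 ; PWD=/Users/intern ; USER=root ; COMMAND=/usr/bin/dscl . -append /Groups/admin GroupMembership intern
Mar 10 09:13:05 odm sudo[835]:   admin : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/admin ; USER=root ; COMMAND=/bin/sh
Mar 10 09:15:22 odm kernel[0]: Sandbox: mdworker(901) deny file-read-data /private/var/db/dslocal
Mar 10 09:20:00 odm bootpd[150]: DHCP REQUEST [en0]: 1,aa:bb:cc:dd:ee:ff
Mar 10 09:21:11 odm kdc[299]: AS-REQ jdoe@ODM.EXAMPLE.COM from IPv4:10.0.0.20 for krbtgt/ODM.EXAMPLE.COM@ODM.EXAMPLE.COM'

# Lines per category for the five greps in the post, matched
# case-insensitively (the post's plain greps are case-sensitive).
category_counts() {
    awk '
        BEGIN { split("sudo backup kernel bootp kdc", k, " ") }
        { for (i = 1; i <= 5; i++) if (tolower($0) ~ k[i]) n[k[i]]++ }
        END { for (i = 1; i <= 5; i++) printf "%s %d\n", k[i], n[k[i]] + 0 }'
}

# Successful privilege escalations as "date user -> target: command".
# Field 6 is the invoking user in sudo's syslog line; USER= and COMMAND=
# are cut out of the rest of the line.
sudo_commands() {
    awk '/ sudo\[[0-9]+\]: / && / COMMAND=/ && !/incorrect password/ && !/NOT in sudoers/ {
        t = $0; sub(/.* USER=/, "", t); sub(/ ;.*/, "", t)
        c = $0; sub(/.* COMMAND=/, "", c)
        printf "%s %s %s %s -> %s: %s\n", $1, $2, $3, $6, t, c
    }'
}

# Refused or failed sudo attempts: wrong passwords and non-sudoers users.
sudo_failures() {
    grep -E 'sudo\[[0-9]+\]: .*(incorrect password|NOT in sudoers)' || true
}

# Read the whole log once from stdin, then run each pass over it.
triage() {
    log=$(cat)
    echo "== lines per category";  printf '%s\n' "$log" | category_counts
    echo "== sudo commands run";    printf '%s\n' "$log" | sudo_commands
    echo "== sudo failures";        printf '%s\n' "$log" | sudo_failures
}

# Usage: sh triage.sh /var/log/system.log   (no argument runs the sample)
if [ $# -ge 1 ]; then triage < "$1"; else printf '%s\n' "$SAMPLE_LOG" | triage; fi
```

On the sample the failures pass surfaces an account that is not in sudoers trying to add itself to the admin group, which a plain `grep sudo` would show only as one line among the legitimate ones.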
General Apache Info
You may see these two files symlinked in Console.app under /Library/Logs/ => “WebServer”
If you have ever had to “redo” some of your work in Postgres, you needed to run sudo serveradmin start postgres_server to get things done. There is a log for that.
Who just logged into your network? Look for “authorized for access”: