
Generate debug logs for AD Bridge services

Logging can help identify and solve problems. There are debug logs for the following services in AD Bridge:

  • eventfwd: The event forwarding service. Generate a debug log to verify that the service is receiving events and forwarding them to a collector server.
  • eventlog: The event collection service. Generate a debug log for eventlog to troubleshoot the collection and processing of security events.
  • gpagent: The Group Policy agent. Generate a debug log for gpagent to troubleshoot the application or processing of Group Policy Objects (GPOs).
  • lsass: The authentication service. Generate a debug log for lsass when you need to troubleshoot authentication errors or failures.
  • lwio: The input-output service that manages interprocess communication.
  • lwpkcs11: A service that aids in logging on and logging off with a smart card. Gather logging information about it when there is a problem logging on or logging off with a smart card.
  • lwreg: The AD Bridge registry service. Generate a debug log for lwreg to troubleshoot ill-fated configuration changes to the registry.
  • lwsc: The smart card service. Gather logging information for the smart card service when card-insertion or card-removal behavior is other than expected.
  • lwsm: The service manager.
  • netlogon: The site affinity service that detects the optimal domain controller and global catalog. Generate a debug log for netlogon when you need to troubleshoot problems with sending requests to domain controllers or getting information from the global catalog.
  • PAM: The pluggable authentication modules used by AD Bridge. Create a debug log for PAM when you need to troubleshoot logon or authentication problems.
  • reapsysl: Part of the data collection service. Capture a debug log for reapsysl to investigate the collection and processing of events.

By default, log messages are processed by syslog, typically through the daemon facility. Although the path and file name of the log vary by platform, they typically appear in a subdirectory of /var/log. Note that when you change the log level of an AD Bridge service to debug, you may also need to add the following line to the syslog configuration (typically /etc/syslog.conf) and then restart the syslog service, because syslog otherwise discards messages below its configured priority:

*.debug /tmp/debug.log

Note: Alternatively, you can log directly to a file, as the procedure to change the target illustrates. For more information, see Change the target.

Log levels can be changed temporarily or permanently.

To temporarily change the log level, you can use /opt/pbis/bin/lwsm to specify the log level and whether to log to the syslog or directly to a file.

To permanently change the log level, you must modify the service's entry in the AD Bridge registry.

The following log levels are available for most AD Bridge services:

  • always
  • debug
  • error (default)
  • warning
  • info
  • verbose
  • trace

To troubleshoot, we recommend that you change the level to debug. However, to conserve disk space, we recommend that you set the log level to the default level when you finish troubleshooting.

Note: The following are the pipes by which su, sudo, and local user (root) sshd logons are captured with the AD Bridge auditing system. They are system pipes created by the reapsysl service. AD Bridge cannot start the reapsysl service before syslog starts because of a complex series of dependencies on the system. Therefore, these errors are generated and should be ignored. Reapsysl will recreate the pipes as necessary.

robbie@example:~$ sudo ls -la /var/lib/pbis/syslog-reaper/
total 28
drwx------ 2 root root 4096 Mar  7 12:54 .
drwxr-xr-x 8 root root 4096 May 10 13:27 ..
prwx------ 1 root root    0 Mar  7 12:54 error
prwx------ 1 root root    0 Mar  7 12:54 information
prwx------ 1 root root    0 Mar  7 12:54 warning

Temporarily change the log level and target for a service

The service manager supports per-service, per-facility logging. Each service has a default log target (syslog) and level (WARNING).

Change the target

You can use the following command to change the log target for a particular service and facility to log to a file:

/opt/pbis/bin/lwsm set-log-target <service> <facility> file <path>

You can use the following command to change the log target for a particular service and facility to the syslog:

/opt/pbis/bin/lwsm set-log-target <service> <facility> syslog

The service can be any AD Bridge service except dcerpc, which has its own logging mechanism.

The facility is a portion of the service; the default facility is referred to by a hyphen (-). For example, to send the logging messages from the default facility of lsass to the file /var/log/lsass.log:

/opt/pbis/bin/lwsm set-log-target lsass - file /var/log/lsass.log

If you want to debug the interprocess communications of lsass (something rarely required), you can use the lsass-ipc facility:

/opt/pbis/bin/lwsm set-log-target lsass lsass-ipc file /tmp/lsass-ipc.log

Change the log level

To change the level of logging in the default facility of lsass to debug:

/opt/pbis/bin/lwsm set-log-level lsass - debug

The supported log levels are:

  • always
  • error
  • warning
  • info
  • verbose
  • debug
  • trace

Changing the log level temporarily can help you isolate and capture information when a command or operation fails. For example, if you run a command and it fails, you can change the log level and then run the command again to get information about the failure.

View log settings

To view the current level and target of logging of a service, enter the following command:

/opt/pbis/bin/lwsm get-log <service>

For example, entering the following command:

/opt/pbis/bin/lwsm get-log lsass

produces the following result:

<default>: syslog LOG_DAEMON at ERROR

This indicates that the lsass service's default log level is error and is directed to syslog’s daemon facility.
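The temporary change-and-restore sequence described in the two sections above, assembled into one POSIX shell helper. This is an added example and not part of the AD Bridge documentation or tooling: it records the current setting with lwsm get-log, redirects the chosen facility to a file at debug level, runs one command, and then puts the saved target and level back. It assumes the lwsm path given on this page, the get-log output format shown above, and, as an assumption, that a file target is reported as "file <path> at <LEVEL>"; the LWSM variable exists only so the functions can be exercised without AD Bridge installed.

```shell
#!/bin/sh
# Added example (not AD Bridge's own tooling): capture a debug log for one
# failing command, then put the service's logging back the way it was.
# Assumption: lwsm lives at /opt/pbis/bin/lwsm; LWSM may be overridden.
LWSM="${LWSM:-/opt/pbis/bin/lwsm}"

# Parse one line of `lwsm get-log <service>` output, for example
#   <default>: syslog LOG_DAEMON at ERROR
# and print "facility target target-argument level" on one line. The
# "<default>" facility is printed as "-", the name set-log-* expects.
# A file target is assumed to be reported as "file <path> at <LEVEL>".
parse_log_line() {
    fac="${1%%:*}"
    rest="${1#*: }"
    level="${rest##* }"
    set -- $rest                       # word-split: target, argument, "at", level
    [ "$fac" = "<default>" ] && fac="-"
    printf '%s %s %s %s\n' "$fac" "$1" "$2" "$level"
}

# Print the parsed setting of one facility ("-" for the default) of a service.
current_setting() {
    svc="$1"; want="$2"
    [ "$want" = "-" ] && want="<default>"
    "$LWSM" get-log "$svc" | while IFS= read -r line; do
        case "$line" in
            "$want: "*) parse_log_line "$line"; break ;;
        esac
    done
}

# Usage: with_debug_log <service> <facility> <logfile> <command> [args...]
# Returns the command's exit status so the caller can still see the failure.
with_debug_log() {
    svc="$1"; facility="$2"; logfile="$3"; shift 3
    saved=$(current_setting "$svc" "$facility")
    old_target=$(printf '%s\n' "$saved" | cut -d' ' -f2)
    old_arg=$(printf '%s\n' "$saved" | cut -d' ' -f3)
    old_level=$(printf '%s\n' "$saved" | cut -d' ' -f4 | tr '[:upper:]' '[:lower:]')

    "$LWSM" set-log-target "$svc" "$facility" file "$logfile"
    "$LWSM" set-log-level "$svc" "$facility" debug
    if "$@"; then status=0; else status=$?; fi

    # Restore: level first, then the original target (syslog takes no argument).
    "$LWSM" set-log-level "$svc" "$facility" "$old_level"
    if [ "$old_target" = "syslog" ]; then
        "$LWSM" set-log-target "$svc" "$facility" syslog
    else
        "$LWSM" set-log-target "$svc" "$facility" "$old_target" "$old_arg"
    fi
    echo "debug log written to $logfile (command exit status $status)" >&2
    return "$status"
}

# Example: capture lsass debug output while one user lookup runs (run as root).
# with_debug_log lsass - /var/log/lsass-debug.log id 'EXAMPLE\someuser'
```

Restoring the level before the target means no debug-level line is ever written to syslog during the switch back, which keeps the daemon log from filling with the verbose output that this page recommends turning off once troubleshooting is done.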

Generate a domain-join log for AD Bridge

To help troubleshoot problems with joining a domain, you can use the command-line utility's logfile option with the join command. The logfile option captures information about the attempt to join the domain on the screen or in a file. When an attempt to join a domain fails, a log is generated by default at /var/log/domainjoin-cli.log or /var/adm/domainjoin-cli.log.

To display the information in the terminal, execute the following command; the dot after the logfile option denotes that the information is to be shown in the console:

domainjoin-cli --logfile . join domainName userName

To save the information in a log file, execute the following command:

domainjoin-cli --logfile path join domainName userName

Example

domainjoin-cli --logfile /var/log/domainjoin.log join example.com Administrator

Generate a PAM debug log for AD Bridge

You can set the level of reporting in the PAM debug log for the AD Bridge authentication service on a Linux or Unix computer. PAM stands for pluggable authentication modules.

The log levels are:

  • disabled
  • error
  • warning
  • info
  • verbose

The logged data is sent to your system's syslog message repository for security and authentication. The location of the repository varies by operating system.

Here are the typical locations for a few platforms:

  • Ubuntu: /var/log/auth.log
  • Red Hat: /var/log/secure
  • Solaris: Check the syslog.conf file or rsyslog.conf file

The following procedure demonstrates how to change the value of the PAM key's LogLevel entry with the config command-line utility.

  1. Use the details option to list the values that the PAMLogLevel setting accepts:
     /opt/pbis/bin/config --details PAMLogLevel
     Name: PAMLogLevel
     Description: Configure PAM lsass logging detail level
     Type: string
     Current Value: "disabled"
     Acceptable Value: "disabled"
     Acceptable Value: "error"
     Acceptable Value: "warning"
     Acceptable Value: "info"
     Acceptable Value: "verbose"
     Current Value is determined by local policy.
  2. As root, change the setting to error so that AD Bridge will log PAM errors:
     /opt/pbis/bin/config PAMLogLevel error
  3. Confirm that the change took effect:
     /opt/pbis/bin/config --show PAMLogLevel
     string
     error
     local policy

For more information on the arguments of config, run the following command:

/opt/pbis/bin/config --help
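The three-step PAM procedure above as one checked shell helper. This is an added example, not part of the AD Bridge documentation: it parses the acceptable values out of config --details PAMLogLevel, refuses any other value, applies the change, and then reads config --show PAMLogLevel back to confirm the value actually took effect. It assumes the config path and the output layouts shown on this page; the CONFIG variable is an assumption added only so the functions can run against a stand-in without AD Bridge installed.

```shell
#!/bin/sh
# Added example (not part of AD Bridge): set PAMLogLevel only to a value that
# `config --details PAMLogLevel` lists as acceptable, then confirm the change
# with `config --show`. Assumption: config is at /opt/pbis/bin/config; the
# CONFIG variable overrides that for testing.
CONFIG="${CONFIG:-/opt/pbis/bin/config}"

# Print the acceptable values, one per line, parsed from lines of the form
#   Acceptable Value: "error"
pam_accepted_levels() {
    "$CONFIG" --details PAMLogLevel | sed -n 's/^Acceptable Value: "\(.*\)"$/\1/p'
}

# `config --show PAMLogLevel` prints three lines: type, value, source.
pam_current_level() {
    "$CONFIG" --show PAMLogLevel | sed -n '2p'
}

# Usage: set_pam_log_level <level>   (run as root on a real system)
# Exit status: 0 applied and confirmed, 1 applied but not in effect, 2 rejected.
set_pam_log_level() {
    want="$1"
    if ! pam_accepted_levels | grep -qx -- "$want"; then
        echo "PAMLogLevel '$want' is not acceptable; choose one of:" >&2
        pam_accepted_levels | sed 's/^/  /' >&2
        return 2
    fi
    "$CONFIG" PAMLogLevel "$want"
    now=$(pam_current_level)
    if [ "$now" != "$want" ]; then
        echo "requested PAMLogLevel '$want' but the effective value is '$now'" >&2
        return 1
    fi
    echo "PAMLogLevel is now '$now'"
}

# Example: enable PAM error logging, then follow the platform's auth log
# (Ubuntu: /var/log/auth.log, Red Hat: /var/log/secure).
# set_pam_log_level error && tail -f /var/log/auth.log
```

The read-back matters because --show reports where the value comes from ("local policy" in the page's example); if a value other than the one you set is reported, the setting is being supplied from elsewhere and the PAM log will not change until that source does.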

Generate a network trace in a session

As the root user, execute the following command in a separate session to capture network traffic to a file; press CTRL-C to stop the trace:

tcpdump -s 0 -i eth0 -w trace.pcap

The result should look something like this:

tcpdump: listening on eth0
28 packets received by filter
0 packets dropped by kernel

Generate log service startup failures

Generate debug logging when the service manager (lwsm) or the registry service (lwreg) does not start properly.

  1. Define and export the PBIS_DEBUG_BOOTSTRAP environment variable:
     export PBIS_DEBUG_BOOTSTRAP=1
  2. To ensure the service manager sees the defined environment variable, start the service manager manually, because other mechanisms for starting lwsmd may not pass on the environment variable:
     /opt/pbis/sbin/lwsmd --start-as-daemon
  3. To stop debugging, shut down the service manager, unset the PBIS_DEBUG_BOOTSTRAP variable, and start the service manager again:
     /opt/pbis/bin/lwsm shutdown
     unset PBIS_DEBUG_BOOTSTRAP
     /opt/pbis/sbin/lwsmd --start-as-daemon

©2003-2025 BeyondTrust Corporation. All Rights Reserved.