|
The nfslogd daemon provides operational logging
to the Solaris NFS server. It is the nfslogd daemon's job to generate the activity log by analyzing the RPC operations processed by the the NFS server.
The log will only be generated for file systems exported with logging enabled.
This is specified at file system export time by means of the share_nfs(1M)
command.
Each record in the log file includes a time stamp, the IP address (or hostname if it can be resolved) of the client system,
the file or directory name the operation was performed on, and the type
of operation. In the basic format, the operation can either be an input
(i) or output (o) operation. The basic format of the NFS
server log is compatible with the log format generated by the Washington
University FTPd daemon. The log format can be extended
to include directory modification operations, such as mkdir, rmdir, and remove. The extended format is
not compatible with the Washington University FTPd daemon
format. See nfslog.conf(4)
for details.
The NFS server logging mechanism is divided in
two phases. The first phase is performed by the NFS kernel
module, which records raw RPC requests and their results
in work buffers backed by permanent storage. The location of the work buffers
is specified in the /etc/nfs/nfslog.conf file. Refer
to nfslog.conf(4)
for more information. The second phase involves the nfslogd
user-level daemon, which periodically reads the work buffers, interprets
the raw RPC information, groups related RPC operations into single transaction records, and generates the
output log. The nfslogd daemon then sleeps waiting for
more information to be logged to the work buffers. The amount of time that
the daemon sleeps can be configured by modifying the IDLE_TIME parameter in /etc/default/nfslogd. The
work buffers are intended for internal consumption of the nfslogd daemon.
NFS operations use file handles as arguments instead
of path names. For this reason the nfslogd daemon needs
to maintain a database of file handle to path mappings in order to log the
path name associated with an operation instead of the corresponding file
handle. A file handle entry is added to the database when a client performs
a lookup or other NFS operation that returns a file handle
to the client.
Once an NFS client obtains a file handle from a
server, it can hold on to it for an indefinite time, and later use it as
an argument for an NFS operation on the file or directory.
The NFS client can use the file handle even after the
server reboots. Because the database needs to survive server reboots, it
is backed by permanent storage. The location of the database is specified
by the fhtable parameter in the /etc/nfs/nfslog.conf file. This database is intended for the internal use of the nfslogd daemon.
In order to keep the size of the file handle mapping database manageable, nfslogd prunes the database periodically. It removes file handle
entries that have not been accessed in more than a specified amount of time.
The PRUNE_TIMEOUT configurable parameter in /etc/default/nfslogd specifies the interval length between successive
runs of the pruning process. A file handle record will be removed if it
has not been used since the last time the pruning process was executed.
Pruning of the database can effectively be disabled by setting the PRUNE_TIMEOUT as high as INT_MAX.
When pruning is enabled, there is always a risk that a client may
have held on to a file handle longer than the PRUNE_TIMEOUT
and perform an NFS operation on the file handle after
the matching record in the mapping database had been removed. In such case,
the pathname for the file handle will not be resolved, and the log will
include the file handle instead of the pathname.
There are various configurable parameters that affect the behavior
of the nfslogd daemon. These parameters are found in /etc/default/nfslogd and are described below:
-
UMASK
- Sets
the file mode for the log files, work buffer files and file handle mapping
database.
-
MIN_PROCESSING_SIZE
- Specifies the minimum size, in bytes, that the buffer file
must reach before processing the work information and writing to the
log file. The value of MIN_PROCESSING_SIZE
must be between 1 and ulimit.
-
IDLE_TIME
- Specifies the amount of time, in seconds, the daemon should sleep while
waiting for more information to be placed in the buffer file. IDLE_TIME also determines how often the configuration file will
be reread. The value of IDLE_TIME must be between
1 and INT_MAX.
-
MAX_LOGS_PRESERVE
- The nfslogd periodically cycles its logs. MAX_LOGS_PRESERVE specifies the maximum number of log files to
save. When MAX_LOGS_PRESERVE is reached, the oldest files
will be overwritten as new log files are created. These files will be
saved with a numbered extension, beginning with filename.0.
The oldest file will have the highest numbered extension up to the value
configured for MAX_LOGS_PRESERVE. The value of MAX_LOGS_PRESERVE must be between 1 and INT_MAX.
-
CYCLE_FREQUENCY
- Specifies how often, in hours, the log files are cycled. CYCLE_FREQUENCY is used to insure that the log files do not
get too large. The value of CYCLE_FREQUENCY must
be between 1 and INT_MAX.
-
MAPPING_UPDATE_INTERVAL
- Specifies the time interval, in seconds, between updates
of the records in the file handle to path mapping tables. Instead of updating
the atime of a record each time that record is accessed,
it is only updated if it has aged based on this parameter. The record
access time is used by the pruning routine to determine whether the record
should be removed from the database. The value of this parameter must
be between 1 and INT_MAX.
-
PRUNE_TIMEOUT
- Specifies when a database record times out, in hours. If the time
that elapsed since the record was last accessed is greater than PRUNE_TIMEOUT then the record can be pruned from the database.
The default value for PRUNE_TIMEOUT is 168 hours (7
days). The value of PRUNE_TIMEOUT must be between 1
and INT_MAX.
|