Tribblix: manual page: nfslogd.8

NFSLOGD(8) Maintenance Commands and Procedures NFSLOGD(8)

NAME

nfslogd - nfs logging daemon

SYNOPSIS

/usr/lib/nfs/nfslogd

DESCRIPTION

The nfslogd daemon provides operational logging to the Solaris NFS
server. It is the nfslogd daemon's job to generate the activity log
by analyzing the RPC operations processed by the NFS server. The log
will only be generated for file systems exported with logging
enabled. This is specified at file system export time by means of the
share_nfs(8) command.

NFS server logging is not supported on Solaris machines that are
using NFS Version 4.

Each record in the log file includes a time stamp, the IP address (or
hostname if it can be resolved) of the client system, the file or
directory name the operation was performed on, and the type of
operation. In the basic format, the operation can either be an input
(i) or output (o) operation. The basic format of the NFS server log
is compatible with the log format generated by the Washington
University FTPd daemon. The log format can be extended to include
directory modification operations, such as mkdir, rmdir, and remove.
The extended format is not compatible with the Washington University
FTPd daemon format. See nfslog.conf(5) for details.

The NFS server logging mechanism is divided in two phases. The first
phase is performed by the NFS kernel module, which records raw RPC
requests and their results in work buffers backed by permanent
storage. The location of the work buffers is specified in the
/etc/nfs/nfslog.conf file. Refer to nfslog.conf(5) for more
information. The second phase involves the nfslogd user-level daemon,
which periodically reads the work buffers, interprets the raw RPC
information, groups related RPC operations into single transaction
records, and generates the output log. The nfslogd daemon then sleeps
waiting for more information to be logged to the work buffers. The
amount of time that the daemon sleeps can be configured by modifying
the IDLE_TIME parameter in /etc/default/nfslogd. The work buffers are
intended for internal consumption of the nfslogd daemon.

NFS operations use file handles as arguments instead of path names.
For this reason the nfslogd daemon needs to maintain a database of
file handle to path mappings in order to log the path name associated
with an operation instead of the corresponding file handle. A file
handle entry is added to the database when a client performs a lookup
or other NFS operation that returns a file handle to the client.

Once an NFS client obtains a file handle from a server, it can hold
on to it for an indefinite time, and later use it as an argument for
an NFS operation on the file or directory. The NFS client can use the
file handle even after the server reboots. Because the database needs
to survive server reboots, it is backed by permanent storage. The
location of the database is specified by the fhtable parameter in the
/etc/nfs/nfslog.conf file. This database is intended for the internal
use of the nfslogd daemon.

In order to keep the size of the file handle mapping database
manageable, nfslogd prunes the database periodically. It removes file
handle entries that have not been accessed in more than a specified
amount of time. The PRUNE_TIMEOUT configurable parameter in
/etc/default/nfslogd specifies the interval length between
successive runs of the pruning process. A file handle record will
be removed if it has not been used since the last time the pruning
process was executed. Pruning of the database can effectively be
disabled by setting the PRUNE_TIMEOUT as high as INT_MAX.

When pruning is enabled, there is always a risk that a client may
have held on to a file handle longer than the PRUNE_TIMEOUT and
perform an NFS operation on the file handle after the matching record
in the mapping database had been removed. In such case, the pathname
for the file handle will not be resolved, and the log will include
the file handle instead of the pathname.

There are various configurable parameters that affect the behavior of
the nfslogd daemon. These parameters are found in
/etc/default/nfslogd and are described below:

UMASK
Sets the file mode for the log files, work
buffer files and file handle mapping
database.

MIN_PROCESSING_SIZE
Specifies the minimum size, in bytes, that
the buffer file must reach before
processing the work information and
writing to the log file. The value of
MIN_PROCESSING_SIZE must be between 1 and
ulimit.

IDLE_TIME
Specifies the amount of time, in seconds,
the daemon should sleep while waiting for
more information to be placed in the
buffer file. IDLE_TIME also determines how
often the configuration file will be
reread. The value of IDLE_TIME must be
between 1 and INT_MAX.

MAX_LOGS_PRESERVE
The nfslogd periodically cycles its logs.
MAX_LOGS_PRESERVE specifies the maximum
number of log files to save. When
MAX_LOGS_PRESERVE is reached, the oldest
files will be overwritten as new log files
are created. These files will be saved
with a numbered extension, beginning with
filename.0. The oldest file will have the
highest numbered extension up to the value
configured for MAX_LOGS_PRESERVE. The
value of MAX_LOGS_PRESERVE must be between
1 and INT_MAX.

CYCLE_FREQUENCY
Specifies how often, in hours, the log
files are cycled. CYCLE_FREQUENCY is used
to insure that the log files do not get
too large. The value of CYCLE_FREQUENCY
must be between 1 and INT_MAX.

MAPPING_UPDATE_INTERVAL
Specifies the time interval, in seconds,
between updates of the records in the file
handle to path mapping tables. Instead of
updating the atime of a record each time
that record is accessed, it is only
updated if it has aged based on this
parameter. The record access time is used
by the pruning routine to determine
whether the record should be removed from
the database. The value of this parameter
must be between 1 and INT_MAX.

PRUNE_TIMEOUT
Specifies when a database record times
out, in hours. If the time that elapsed
since the record was last accessed is
greater than PRUNE_TIMEOUT then the record
can be pruned from the database. The
default value for PRUNE_TIMEOUT is 168
hours (7 days). The value of PRUNE_TIMEOUT
must be between 1 and INT_MAX.

EXIT STATUS

The following exit values are returned:

0
Daemon started successfully.

1
Daemon failed to start.

FILES

/etc/nfs/nfslogtab

/etc/nfs/nfslog.conf

/etc/default/nfslogd

NOTES