Nexus OCSP Responder can work in an environment that includes a built-in system monitor – a supervisor. This article describes how to specify a Nexus OCSP Responder agent that sends signals to and receives signals from the supervisor. This is done in the "System management" section of the Nexus OCSP Responder configuration file.

...

Specify agent

In the OCSP configuration file, specify the agent as follows:

Code Block
agent.supervisor.host=<host>
agent.supervisor.port=<port>
agent.supervisor.connect=[true|false]

Description of constants and values:

...

Replace <host> with the name of the supervisor host.

Default: localhost

...

Replace <port> with the number of the port the agent should listen to.

Default: 9099

...

true | false

...

Enter true to connect, false not to connect Nexus OCSP Responder to the supervisor.

Default: false

...

Specify agent logging items

Locally, the agent listens to all log messages. You can separate different logging items into different output units.

In the OCSP configuration file, specify a type for each logging item as follows:

Code Block
agent.log.<#>.type=[file|stderr|syslog]

...

file | stderr | syslog

...

Enter file to let all logging items be written to a file. You have to add certain specifications. See below.

Enter stderr to let all logging items be written to stderr. If Nexus OCSP Responder is started in a terminal window, the logging items will be displayed in this window.

Note

If Nexus OCSP Responder is started as a Windows service, anything written to stderr will be lost.

...

Enter syslog to let all logging items be written to syslog. It is possible for Windows to log to syslog on a remote UNIX host. Remote syslog logging must be enabled on the syslog host.

For each agent log with ...type=file, specify the following:

Code Block
agent.log.<#>.prefix=<directory>/<filename>
agent.log.<#>.period=<time expr>

Description of constants and values:

...

<directory>

...

Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also section “Specify OCSP Client Request” in Back end client section). After this amount of time, the logger will create a new file.

Default: P1D

...

Code Block
agent.log.1.prefix=log/oper
agent.log.1.period=P1W

This creates a file: <installdir>/log/oper-YYMMDD-HHMMSS.log. A new file is created each week.

For each agent log with ...type=syslog, specify the following:

Code Block
agent.log.<#>.host=<host>
agent.log.<#>.port=<port>
agent.log.<#>.facility=<facility>

Description of constants and values:

...

<host>

...

Replace <host> with the name of the syslog host.

Default: localhost

...

Replace <port> with the port to use on the syslog host.

Default: 514

...

Replace <facility> with the syslog facility to be used for the Nexus OCSP Responder logging.

Default: local7

...

Apply filters to logging items

You can apply filters to the logging items to further fine-tune the output.

...

Code Block
agent.log.<#>.filter=<log msg properties>

See this table for description of constants and values:

...

<log msg properties>

...

Examples

Code Block
agent.log.1.filter=class=oper & severity>3

...

Code Block
agent.log.2.type=file
agent.log.2.prefix=log/ocsp-warnings
agent.log.2.filter=class=oper & severity=3

...

Note

The parsing can also be done on all log files without any filter.

...

Split audit logs into different log files

The Nexus OCSP Responder supports three different audit logs; see Log messages and log filters. To filter out and split different audit logs into different log files, specify as follows in the OCSP configuration file:

Code Block
agent.log.3.type=file
agent.log.3.prefix=log/audit-pkiStateAltered
agent.log.3.filter=class=audit.pkiStateAltered
agent.log.4.type=file
agent.log.4.prefix=log/audit-incoming-outgoing
agent.log.4.filter=class=audit.ocspQuery | class="audit".ocspResponse

Note

If you only specify "audit" inside the class parameter, it will filter all audit log classes (that is, audit.pkiStateAltered, audit.ocspQuery, audit.ocspResponse).

...

Configure fields to be displayed in a logger agent

You can configure which fields are displayed in a logger agent. In the OCSP configuration file, specify as follows:

Code Block
agent.log.<#>.format.fields={<field>} {<field>} ... {<field>}

See this table for description of constants and values:

...

<field>

...

Replace <field> with any of the following supported fields:

date - log date (default yyyy-MM-dd:HH:mm:ss.SSS)
class - log class (for example, audit, trace)
severity - log severity
thread - log thread name
transactionId - log transaction ID of a client request
message - log message

You can also manipulate how a field will behave when used by the logger agent, for example, offset and length. To do this:

  1. Specify integers on defined positions separated by a comma after a colon inside the curly brackets, such as {field:width,offset,length:novalue}, where:
    field - [string] the field name, for example, date
    width - [integer] minimum width, default 1 or specified length
    offset - [integer] offset from start or offset from end if negative, default 0
    length - [integer] maximum length, default unlimited (0)
    novalue - [string] replacement string if no value exists for the provided field (default is ' - ')
  2. To insert a line break after a field, use the keyword %s.

Example:

Code Block
agent.log.1.format.fields={date} {class} {transactionId:5,,28:{thread}} {message} %s

...

Define default global configurations for all agent loggers

Set the loggerdef parameter to define default global configurations for all agent loggers configured in your system. This can be useful if you want to specify filters or a field format that should be applied globally across all agents. If a logger agent specifies the same parameter with a different setting, the global setting is overridden for that agent.

Example:

Code Block
;; Global settings
agent.log.loggerdef.encoding=ISO-8859-1
agent.log.loggerdef.format.date=[yyyy/MM/dd:HH:mm:ss.SSS]
agent.log.loggerdef.filedate=yyMMdd
agent.log.loggerdef.offset=T0H
agent.log.loggerdef.period=P1D
agent.log.loggerdef.format.fields={date} {class} {transactionid:5,,28} {message}
agent.log.loggerdef.filter=!class=audit

;; Ocsp log (no audit log)
agent.log.1.type=file
agent.log.1.prefix=log/ocsp

;; Audit log for crl/cil updates
agent.log.2.type=file
agent.log.2.prefix=log/audit
agent.log.2.filter=class=audit.pkiStateAltered

;; Audit log for query and responses
agent.log.3.type=file
agent.log.3.prefix=log/audit-incoming-outgoing
agent.log.3.filter=class=audit.ocspQuery | class="audit".ocspResponse
agent.log.3.format.fields={date} {class} {severity} {transactionid} {message} %s
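
The following is an added example, not part of the Nexus documentation or product code: a Python linter that resolves the loggerdef override rule described above for each logger and flags settings the page warns about. The function names, the merge order, the rule that type=file needs a prefix, and the text-based audit check are assumptions of this example.

```python
import re

PAGE_DEFAULTS = {"period": "P1D", "host": "localhost", "port": "514", "facility": "local7"}

SAMPLE = """\
;; constructed sample, modelled on the page's loggerdef example
agent.log.loggerdef.filter=!class=audit
agent.log.1.type=file
agent.log.1.prefix=log/ocsp
agent.log.2.type=file
agent.log.2.filter=class=audit.pkiStateAltered
agent.log.3.type=stderr
agent.log.3.filter=class=audit.ocspQuery | class="audit".ocspResponse
"""

def parse_props(text):
    """Parse key=value lines; blank lines and ';;' comment lines are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(";;"):
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def effective_loggers(props):
    """Merge agent.log.loggerdef.* into every agent.log.<#>.*; the logger's own keys win."""
    global_def, own = {}, {}
    for key, value in props.items():
        m = re.fullmatch(r"agent\.log\.(loggerdef|\d+)\.(.+)", key)
        if m:
            bucket = global_def if m.group(1) == "loggerdef" else own.setdefault(m.group(1), {})
            bucket[m.group(2)] = value
    return {n: {**PAGE_DEFAULTS, **global_def, **cfg} for n, cfg in own.items()}

def lint(loggers):
    """Return one finding per logger that breaks a rule taken from the page."""
    findings = []
    for n, cfg in sorted(loggers.items()):
        kind = cfg.get("type")
        if kind not in ("file", "stderr", "syslog"):
            findings.append(f"log.{n}: type must be file, stderr or syslog")
        elif kind == "file" and "prefix" not in cfg:  # assumption: no default prefix
            findings.append(f"log.{n}: type=file needs a prefix")
        elif kind == "stderr":
            findings.append(f"log.{n}: stderr is lost under a Windows service")
    return findings

def audit_loggers(loggers):
    """Loggers whose effective filter names an audit class (text heuristic, not a filter parser)."""
    return sorted(n for n, c in loggers.items() if re.search(r'(?<!!)class="?audit', c.get("filter", "")))
```

In the constructed sample, logger 1 inherits the global `!class=audit` filter, while loggers 2 and 3 override it and are the only ones that name an audit class; logger 3 sends them to stderr, which the linter reports.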
