Covering J2EE Security and WebLogic Topics

WebLogic Embedded LDAP Logging

I recently wrote about WebLogic’s Embedded LDAP server and gave some details and tricks that you might find useful. What I didn’t cover was the logging capabilities of the embedded LDAP server. I’m going to rectify that oversight with this post. I also added the content below to the original post called “WebLogic Embedded LDAP.”

Embedded LDAP has log files for debug output and access events. The location and name of these files is set in the <domain_dir>/myserver/ldap/conf/vde.props file. Among other settings, in that file you will find

vde.logfile=log/EmbeddedLDAP.log
vde.accesslogfile=log/EmbeddedLDAPAccess.log

where vde.logfile points to the debug log and vde.accesslogfile points to the access log. You can change these entries if you’d like, but you’ll find the default log files in the <domain_dir>/myserver/ldap/log directory.

Now, if you check your domain for these files, you’ll find that they are there but that perhaps there’s nothing in them. The reason is that they are only written to under certain conditions.

The access log file is only written to when the access is from an external client. A WebLogic server calling its own embedded LDAP does not count. If you use an LDAP browser to view the contents of the embedded LDAP, for example, all accesses from the browser will be logged in the access log as you’d expect.

The debug log file is only written to when certain debug flags are set. To enable debug output, add the following stanza to the server element in config.xml:

<serverdebug DebugEmbeddedLDAP="true"
             DebugEmbeddedLDAPLogToConsole="true"
             DebugEmbeddedLDAPLogLevel="9"
             Name="myserver"/>

The DebugEmbeddedLDAP element toggles LDAP debugging. When toggled on, the output goes to the log file defined in vde.props. The DebugEmbeddedLDAPLogToConsole optionally sends the same output to WebLogic’s standard out. Finally, DebugEmbeddedLDAPLogLevel sets the level of the events to log. The possible level values are:

  • 0 = errors only
  • 5 = normal
  • 7 = verbose
  • 9 = very verbose

You’ll need to change the Name attribute if your WebLogic server name is not “myserver.” After adding the debug flags to config.xml you’ll have to restart WebLogic for the changes to take effect.

How useful are these log files?

The access log can be very useful when you have external clients accessing embedded LDAP. The logging is just like what you’d find in an iPlanet LDAP server access log. On the other hand, the debug log file is not very useful at all. But for those exceedingly rare times when you need log output from embedded LDAP, it’s nice to know that you can get it.