History

UserDocumentation ยป

Logger configuration

Levels and types

The IKEv2 daemon knows different numerical levels of logging, ranging from -1 to 4:

  • -1: Absolutely silent
  • 0: Very basic auditing logs, (e.g. SA up/SA down)
  • 1: Generic control flow with errors, a good default to see whats going on
  • 2: More detailed debugging control flow
  • 3: Including RAW data dumps in Hex
  • 4: Also include sensitive material in dumps, e.g. keys

Each logging message also has a source from which subsystem in the daemon the log came from:

  • dmn: Main daemon setup/cleanup/signal handling
  • mgr: IKE_SA manager, handling synchronization for IKE_SA access
  • ike: IKE_SA
  • chd: CHILD_SA
  • job: Jobs queueing/processing and thread pool management
  • cfg: Configuration management and plugins
  • knl: IPsec/Networking kernel interface
  • net: IKE network communication
  • asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
  • enc: Packet encoding/decoding encryption/decryption operations
  • tls: libtls library messages
  • lib: libstrongwan library messages
  • tnc: Trusted Network Connect
  • imc: Integrity Measurement Collector
  • imv: Integrity Measurement Verifier
  • pts: Platform Trust Service

Configuration in ipsec.conf

The setup section in ipsec.conf knows the charondebug keyword, which contains a comma separated list of logtype loglevel pairs, e.g:

charondebug="ike 2, knl 3, cfg 0"

Runtime configuration

The stroke tool allows changes to the loglevel while the daemon is running, e.g.:

# ipsec stroke loglevel ike 2

Configuration in strongswan.conf

Starting with version 4.2.9, strongSwan provides a much more flexible configuration of the loggers. Logger configurations in strongswan.conf have a higher priority than in ipsec.conf: If you define any loggers in strongswan.conf, charondebug does not have any effect at all.

There currently are two types of loggers defined:
  • File loggers: Log directly into a file handle
  • Syslog loggers: Log into a syslog facility

Multiple loggers can be set up for each type, with different log verbosity for the different subsystems of the daemon. Both types accept a boolean ike_name option to prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. The time_format option works for file loggers only and accept a timestamp format string to prefix, as passed to strftime(3). The flush_line option for filelog targets enforces a flush to disk for each logged line.

Since 5.0.2 the logger configuration is reloaded if the daemon receives a SIGHUP. Besides changing the configuration this allows to easily rotate log files created by file loggers without having to restart the daemon.

An example configuration might look like this:

charon {
    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }
    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # optional identifier used with openlog(3), prepended to each log message
        # by syslog. if not configured, openlog(3) is not called, so the value will
        # depend on system defaults (usually the program name)
        identifier = charon-custom
        # default level to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
    # ...
}

Compile time configuration

Debug statements can be stripped from the binaries during compile time. Define DEBUG_LEVEL to the levels you want to include, e.g.:

CFLAGS="-DDEBUG_LEVEL=1"

to include logging messages of level 0 and 1 only.

Performance consideration

The logging system of charon currently uses synchronized access to the loggers. If performance is critical, reduce the compiled in debugging level and reduce loggers to a minimum. Depending on your syslog configuration, syslog calls are very expensive if they flush everything to disk. Logging directly to a file might be a lot faster, especially if you are running charon on multiple cores.