Logger Configuration
By default, the IKE daemon charon logs via syslog(3) using the LOG_AUTHPRIV (only messages on log level 0) and LOG_DAEMON (all log levels) facilities. The default log level for all subsystems is 1.
Where the log messages eventually end up depends on how syslog is configured on your system. Common places are /var/log/daemon, /var/log/syslog, or /var/log/messages.
Unlike charon, charon-systemd logs to the systemd journal and not syslog, by default. The log levels are configurable in a separate section in strongswan.conf, which is not described here.
Levels and Subsystems/Groups
The IKE daemon knows different numerical levels of logging, ranging from -1 to 4:
- -1: Absolutely silent
- 0: Very basic auditing logs (e.g. SA up/SA down)
- 1: Generic control flow with errors, a good default to see what's going on
- 2: More detailed debugging control flow
- 3: Including RAW data dumps in hex
- 4: Also include sensitive material in dumps, e.g. keys
Each log message also carries a source that identifies the subsystem in the daemon it came from:
- app: applications other than daemons
- asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
- cfg: Configuration management and plugins
- chd: CHILD_SA/IPsec SA
- dmn: Main daemon setup/cleanup/signal handling
- enc: Packet encoding/decoding encryption/decryption operations
- esp: libipsec library messages
- ike: IKE_SA/ISAKMP SA
- imc: Integrity Measurement Collector
- imv: Integrity Measurement Verifier
- job: Jobs queuing/processing and thread pool management
- knl: IPsec/Networking kernel interface
- lib: libstrongswan library messages
- mgr: IKE_SA manager, handling synchronization for IKE_SA access
- net: IKE network communication
- pts: Platform Trust Service
- tls: libtls library messages
- tnc: Trusted Network Connect
Configuration Files
Configuration in strongswan.conf
Since 4.2.9 strongSwan provides a flexible configuration of the loggers in strongswan.conf. Logger configurations in strongswan.conf have a higher priority than the legacy loggers configured via charondebug in ipsec.conf: If you define any loggers in strongswan.conf, charondebug does not have any effect at all.
There currently are two types of loggers defined:
- File loggers: Log directly into a file
- Syslog loggers: Log into a syslog facility
Multiple loggers can be set up for each type, with different log verbosity for the different subsystems of the daemon.
Since 5.0.2 the logger configuration is reloaded if the daemon receives a SIGHUP, which causes the daemon to reload strongswan.conf and the plugins (since 5.5.2 this also works for charon-systemd). Besides changing the configuration, this makes it easy to rotate log files created by file loggers without having to restart the daemon. Since 5.5.2 VICI/swanctl's reload-settings command also reloads the loggers, so it now has the same functionality as sending a SIGHUP.
The following options are supported for each logger:
Key | Default | Description |
---|---|---|
File loggers | | |
charon.filelog.<name> | | <name> is an arbitrary name if path is specified, or either an absolute file path in the filesystem or one of stdout or stderr. Important: Since 5.7.0 section names can't contain dots or colons; to specify such paths use the path setting in an arbitrarily named section. |
charon.filelog.<name>.path | | The absolute path to the log file (or stderr/stdout). Since 5.7.0. |
charon.filelog.<name>.default | 1 | Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined. |
charon.filelog.<name>.<subsystem> | <default> | Loglevel for a specific subsystem. |
charon.filelog.<name>.append | yes | If this option is enabled, log entries are appended to the existing file. |
charon.filelog.<name>.flush_line | no | Enabling this option disables block buffering and enables line buffering. That is, a flush to disk is enforced for each logged line. |
charon.filelog.<name>.ike_name | no | Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. |
charon.filelog.<name>.time_format | | Prefix each log entry with a timestamp. The option accepts a format string as passed to strftime(3). |
charon.filelog.<name>.time_add_ms | no | Adds the milliseconds within the current second after the timestamp (separated by a dot, so time_format should end with %S or %T). |
Syslog loggers | | |
charon.syslog.identifier | | Global identifier used for an openlog(3) call, prepended to each log message by syslog. If not configured, openlog(3) is not called, so the value will depend on system defaults (often the program name). |
charon.syslog.<facility> | | <facility> is one of auth or daemon. |
charon.syslog.<facility>.default | 1 | Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined. |
charon.syslog.<facility>.<subsystem> | <default> | Loglevel for a specific subsystem. |
charon.syslog.<facility>.ike_name | no | Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. |
An example configuration might look like this:
```
charon {
    # two defined file loggers
    filelog {
        charon {
            # path to the log file, specify this as section name in versions prior to 5.7.0
            path = /var/log/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
    # and two loggers using syslog
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
    # ...
}
```
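As an added example (not part of the strongSwan documentation or source tree), the following Python checker reads a strongswan.conf fragment and flags the logger problems described in the table above: section names with dots or colons and no path setting, levels outside -1..4, level 4 (which writes key material into the log), and keys that are neither logger options nor documented subsystems. The parser is a minimal one written for this example; the sample configuration is constructed.

```python
import re

# Subsystem names, logger options and the -1..4 level range come from the tables on this page.
SUBSYSTEMS = set("app asn cfg chd dmn enc esp ike imc imv job knl lib mgr net pts tls tnc".split())
OPTIONS = set("path default append flush_line ike_name time_format time_add_ms".split())

def parse_conf(text):
    """Read nested 'name {' ... '}' sections and 'key = value' lines; '#' starts a comment."""
    stack, root = [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):                 # open a nested section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                      # close it
            cur = stack.pop()
        elif line:                             # 'key = value'
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return root

def lint_loggers(conf):
    """Return findings for each charon.filelog.<name> and charon.syslog.<facility> section."""
    findings, charon = [], conf.get("charon", {})
    loggers = [(kind, n, s) for kind in ("filelog", "syslog")
               for n, s in charon.get(kind, {}).items() if isinstance(s, dict)]
    for kind, name, sect in loggers:
        where = f"charon.{kind}.{name}"
        if kind == "filelog" and re.search(r"[.:]", name) and "path" not in sect:
            findings.append(f"{where}: dots/colons in section names are invalid since 5.7.0; use 'path'")
        for key, val in sect.items():
            if key == "default" or key in SUBSYSTEMS:
                if not re.fullmatch(r"-?\d", val) or not -1 <= int(val) <= 4:
                    findings.append(f"{where}.{key}: level {val!r} is outside -1..4")
                elif int(val) == 4:
                    findings.append(f"{where}.{key}: level 4 dumps keys and other sensitive material")
            elif key not in OPTIONS:
                findings.append(f"{where}.{key}: unknown option or subsystem name")
    return findings

SAMPLE = """charon {                 # constructed sample with three deliberate problems
  filelog {
    /var/log/charon.log {  # dotted section name without 'path': invalid since 5.7.0
      enc = 4              # level 4 hex dumps include key material
      ipsec = 2            # not one of the documented subsystem names
    }
  }
}
"""
```

Running `lint_loggers(parse_conf(SAMPLE))` returns one finding per deliberate problem; feeding it the example configuration above yields none.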
Configuration in ipsec.conf
The setup section in ipsec.conf knows the charondebug keyword, which contains a comma-separated list of subsystem/level pairs, e.g.:
charondebug="ike 2, knl 3, cfg 0"
Runtime Configuration
As mentioned above, the log levels configured in strongswan.conf may be reloaded at runtime by sending a SIGHUP (or the reload-settings VICI command) to the daemon.
The legacy stroke tool also provides a command to change the log levels while the daemon is running, e.g.:
# ipsec stroke loglevel ike 2
To disable logging with -1, argument parsing in stroke has to be terminated first, e.g.:
# ipsec stroke loglevel ike -- -1
Compile Time Configuration
Debug statements can be stripped from the binaries at compile time. Define DEBUG_LEVEL to the maximum level you want to include, for instance
CFLAGS="-DDEBUG_LEVEL=1"
to include logging messages of level 0 and 1 only.
Other Logging Backends
- charon-systemd logs to the systemd journal by default
- The VICI plugin provides a log event that delivers log messages (swanctl's --log command subscribes to it)
- The SQL plugin supports logging to a database (if enabled via charon.plugins.sql.loglevel)
- Custom plugins may register their own implementation of the logger_t interface (source:src/libcharon/bus/listeners/logger.h) with the bus (source:src/libcharon/bus/bus.h#L214)
Performance Consideration
Some parts of the logging system of charon are currently synchronized (e.g. to ensure multi-line log messages are logged together). If performance is critical, reduce the compiled-in debugging level and reduce loggers to a minimum. Depending on your syslog configuration, syslog calls are very expensive if they flush everything to disk. Logging directly to a file might be a lot faster, especially if you are running charon on multiple cores.