Project

General

Profile

Logger Configuration

By default, the IKE daemon charon logs via syslog(3) using the LOG_AUTHPRIV (only messages on log level 0) and LOG_DAEMON (all log levels) facilities. The default log level for all subsystems is 1.

Where the log messages eventually end up depends on how syslog is configured on your system. Common places are /var/log/daemon, /var/log/syslog, or /var/log/messages.

Unlike charon, charon-systemd logs to the systemd journal and not syslog, by default. The log levels are configurable in a separate section in strongswan.conf, which is not described here.

Levels and Subsystems/Groups

The IKE daemon knows different numerical levels of logging, ranging from -1 to 4:

  • -1: Absolutely silent
  • 0: Very basic auditing logs, (e.g. SA up/SA down)
  • 1: Generic control flow with errors, a good default to see whats going on
  • 2: More detailed debugging control flow
  • 3: Including RAW data dumps in hex
  • 4: Also include sensitive material in dumps, e.g. keys

Each logging message also has a source from which subsystem in the daemon the log came from:

  • app: applications other than daemons
  • asn: Low-level encoding/decoding (ASN.1, X.509 etc.)
  • cfg: Configuration management and plugins
  • chd: CHILD_SA/IPsec SA
  • dmn: Main daemon setup/cleanup/signal handling
  • enc: Packet encoding/decoding encryption/decryption operations
  • esp: libipsec library messages
  • ike: IKE_SA/ISAKMP SA
  • imc: Integrity Measurement Collector
  • imv: Integrity Measurement Verifier
  • job: Jobs queuing/processing and thread pool management
  • knl: IPsec/Networking kernel interface
  • lib: libstrongwan library messages
  • mgr: IKE_SA manager, handling synchronization for IKE_SA access
  • net: IKE network communication
  • pts: Platform Trust Service
  • tls: libtls library messages
  • tnc: Trusted Network Connect

Configuration Files

Configuration in strongswan.conf

Since 4.2.9 strongSwan provides a flexible configuration of the loggers in strongswan.conf. Logger configurations in strongswan.conf have a higher priority than the legacy loggers configured via charondebug in ipsec.conf: If you define any loggers in strongswan.conf, charondebug does not have any effect at all.

There currently are two types of loggers defined:
  • File loggers: Log directly into a file
  • Syslog loggers: Log into a syslog facility

Multiple loggers can be set up for each type, with different log verbosity for the different subsystems of the daemon.

Since 5.0.2 the logger configuration is reloaded if the daemon receives a SIGHUP, which causes the daemon to reload strongswan.conf and the plugins (since 5.5.2 this also works for charon-systemd). Besides changing the configuration this allows to easily rotate log files created by file loggers without having to restart the daemon. Since 5.5.2 VICI/swanctl's reload-settings command also reloads the loggers, so it now has the same functionality as sending a SIGHUP.

The following options are supported for each logger:

Key Default Description
File loggers
<filename> is either a file in the filesystem or one of stdout, or stderr
charon.filelog.<filename>.default 1 Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined.
charon.filelog.<filename>.<subsystem> <default> Loglevel for a specific subsystem.
charon.filelog.<filename>.append yes If this option is enabled log entries are appended to the existing file.
charon.filelog.<filename>.flush_line no Enabling this option disables block buffering and enables line buffering. That is, a flush to disk is enforced for each logged line.
charon.filelog.<filename>.ike_name no Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA.
charon.filelog.<filename>.time_format Prefix each log entry with a timestamp. The option accepts a format string as passed to strftime(3).
charon.filelog.<filename>.time_add_ms no Adds the milliseconds within the current second after the timestamp (separated by a dot, so time_format should end with %S or %T)
Syslog loggers
charon.syslog.identifier Global identifier used for an openlog(3) call, prepended to each log message by syslog.
If not configured, openlog(3) is not called, so the value will depend on system defaults (often the program name).
<facility> is one of auth, or daemon
charon.syslog.<facility>.default 1 Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined.
charon.syslog.<facility>.<subsystem> <default> Loglevel for a specific subsystem.
charon.syslog.<facility>.ike_name no Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA.

An example configuration might look like this:

charon {
    # two defined file loggers
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
    # and two loggers using syslog
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
    # ...
}

Configuration in ipsec.conf

The setup section in ipsec.conf knows the charondebug keyword, which contains a comma separated list of subsystem level pairs, e.g:

charondebug="ike 2, knl 3, cfg 0"

Runtime Configuration

As mentioned above, the log levels configured in strongswan.conf may be reloaded at runtime by sending a SIGHUP (or reload-settings VICI command) to the daemon.

The legacy stroke tool also provides a command to change the log levels while the daemon is running, e.g.:

# ipsec stroke loglevel ike 2

To disable logging with -1, argument parsing in stroke has to be terminated first, e.g.:

# ipsec stroke loglevel ike -- -1

Compile Time Configuration

Debug statements can be stripped from the binaries during compile time. Define DEBUG_LEVEL to the maximum level you want to include, for instance

CFLAGS="-DDEBUG_LEVEL=1"

to include logging messages of level 0 and 1 only.

Other Logging Backends

Performance Consideration

Some parts of the logging system of charon are currently synchronized (e.g. to ensure multi-line log messages are logged together). If performance is critical, reduce the compiled in debugging level and reduce loggers to a minimum. Depending on your syslog configuration, syslog calls are very expensive if they flush everything to disk. Logging directly to a file might be a lot faster, especially if you are running charon on multiple cores.