Conjur logs

This topic describes how to access and configure Conjur logs.

Log access

This section describes how to access Conjur logs.

Log entries are aggregated and forwarded from syslog to a Docker log.

The default log level is info.

To access the Docker logs, run the following:

  
docker logs <Conjur-container-name>
 

To follow logs, add the -f option before the container name: docker logs -f <Conjur-container-name>

Log format

Log entries are formatted as follows:

  
[PRIORITY] [TIMESTAMP] [PROG ID] [SERVICE ID] [SEQUENCE ID] [MSG]

where

  • PROG ID is the name of the application service that sent the log message, for example, conjur, nginx, conjur-ui

  • SEQUENCE ID is the unique number assigned to the log operation

 

Messages from the conjur-possum service also include [ORIGIN] [REQUEST ID] [THREAD ID], where REQUEST ID is by default a random UUID, but can be overwritten via the X‑Request‑ID HTTP header provided during a REST API request.

Enable debug log messages

To view more detailed messages than those provided by default, set the CONJUR_LOG_LEVEL environment variable on each Conjur Server (Leader and Standbys) in your Conjur cluster to debug.

To set CONJUR_LOG_LEVEL to debug, run the following:

  
docker exec <Conjur-container-name> evoke variable set CONJUR_LOG_LEVEL debug
 

To troubleshoot Conjur Server configuration, add the --debug flag to the evoke configure command. For more information, see Troubleshoot Conjur Enterprise configuration.

Filter authentication errors

Some authentication errors are not returned in the authentication response, however, they are written to the logs.

To view these errors:

  1. Make sure that you can access the Docker log.

  2. Run the following command to filter for authentication errors:

      
    docker logs <container-name> | grep "Authentication Error"

Filter service logs

This section describes how to filter service logs.

For troubleshooting and process verification purposes, the following Conjur service logs are forwarded to the Docker log:

  • evoke

  • possum

  • ldap-sync

  • ui

  
docker logs <container-name> | grep conjur-<service-name>

For example:

  
docker logs <container-name> | grep conjur-evoke