Info: Venafi Agent Logging

Logging for the Venafi Agent can be configured in two places-On the device and on the Venafi Director server. 
Here are the severity levels:
  • debug (threshold 8)
  • informational (threshold 7)
  • notice (threshold 6)
  • warning (threshold 5)
  • error (threshold 4)
  • critical (threshold 3)
  • alert (threshold 2)
  • emergency (threshold 1)  
The resulting severity level is determined by either configuration settings or a command line override.  Once an event is triggered, and it's threshold is less than (or equal to) the threshold of the event, then it is stored in the Windows event log (or host operating systems syslog) ; otherwise, it is suppressed, ignored or discarded.

Three types of events

During startup, we will see three types of events.

  • allocating memory in advance to read the product's configuration,
  • reading the configuration keys
  • acting  on the values that have been read. 
A failure in any of these actions would trigger an event with a certain logging threshold. Consider the action of reading a configuration key to find out what the logging threshold should be, but this key is not set.

An event of the below string would be generated with the severity of debug

logging threshold not set  

However, what if the action to open the configuration database itself failed?  Then the event below would be generated with below text, with a severity of error.

open configuration database failed


Finally, neither of these actions would even be attempted if the initial action of allocating memory for opening and reading the configuration database failed. In this case the below event would be generated, with a severity of critical:

out of memory


How to configure the thresholds:

The available thresholds are exposed in the Windows User interface, as shown below. These values will be set on the agent after it 'phones home' unless it's been set on the command line. 



NOTE: the current  agent contains three modules, and each has their own logging level.  All of which needs to be allocated a threshold to precisely set the overall logging on the agent.  

The modules are:

  • "Base Agent"
  • "Cert Scanner" (AKA KeyStore Scanner)
  • "SSH scanner"

To reduce the logging chatter one should lower the level on all the active
modules. IE:
From Agent command line, you can use these commands:
./vagent -m logging=critical
./vagent -n sshscanner logging=critical
./vagent -n ksscanner logging=critical

Or use the appropriate UI control from Win or Web admin, as per the above screenshot.

TIP: The agent's configuration will only change after it makes contact with the Director services, at it's allotted time.  

 How to list out the current configuration of the agent:

From the agent command line, use this command:

./vagent -l all 


Was this article helpful?
0 out of 0 found this helpful