Configure Logging

By default, the CA ConnectorClosed The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client places its log files in the logs directory under the installed directory, generates logs at the Info logging level and stores logs for two days before deleting them. If you wish to change these defaults, follow the directions below for your installation type.

  1. On the Windows server where you wish to adjust logging, open a text editor (e.g. Notepad) using the “Run as administrator" option.

  2. In the text editor, browse to open the Nlog.config file for the CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Connector Client. The file is located in the install directory, which is the following directory by default:

    C:\Program Files\Keyfactor\Keyfactor CA Connector

  3. Your Nlog.config file may have a slightly different layout than shown here, but it will contain the four fields highlighted in Figure 683: CA Connector Client on Windows NLog.config File. The fields you may wish to edit are:

    • The path and file name of the active CA Connector Client log file:

      fileName="C:\Program Files\Keyfactor\Keyfactor CA Connector\logs\CA_Connector_Log.txt"
      Important:  If you choose to change the path for storage of the log files, you will need to create the new directory (e.g. D:\ConnectorLogs) and grant the service account under which the CA Connector Client is running full control permissions on this directory.

    • The path and file name of previous days' CA Connector Client log files:

      archiveFileName="C:\Program Files\Keyfactor\Keyfactor CA Connector\logs\CA_Connector_Log_Archive_{#}.txt"

      The CA Connector Client rotates log files daily and names the previous files using this naming convention.

    • The number of archive files to retain before deletion.

      maxArchiveFiles="2"

    • The level of log detail that should be generated and output to the log file:

      name="*" minlevel="Info" writeTo="logfile"

      The default Info level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to Debug or Trace. Available log levels (in order of increasing verbosity) are:

      • OFF—No logging

      • FATAL—Log severe errors that cause early termination

      • ERROR—Log severe errors and other runtime errors or unexpected conditions that may not cause early termination

      • WARN—Log errors and use of deprecated APIs, poor use of APIs, almost errors, and other runtime situations that are undesirable or unexpected but not necessarily "wrong"

      • INFO—Log all of the above plus runtime events (startup/shutdown)

      • DEBUG—Log all of the above plus detailed information on the flow through the system

      • TRACE—Maximum log information—this option can generate VERY large log files

Figure 683: CA Connector Client on Windows NLog.config File

  1. On the CA Connector Client machine where you wish to adjust logging, open a command shell and change to the directory in which the CA Connector Client is installed. By default this is /opt/keyfactor/ca-connector.
  2. In the command shell, change to the directory in which the CA Connector Client is installed.

  3. Using a text editor, open the nlog.config file in the root of the installation directory. Your nlog.config file may have a slightly different layout than shown here, but it will contain the five fields highlighted in the below figure. The fields you may wish to edit are:

    • The path and file name of the active CA Connector Client log file:

      fileName="/opt/keyfactor/ca-connector/logs/CA_Connector_Log.txt"
      Important:  If you choose to change the path for storage of the log files, you will need to create the new directory (e.g. /opt/kyflogs) and grant the service account under which the keyfactor-ca-connector-default service is running full control permissions on this directory.

    • The path and file name of previous days' CA Connector Client log files:

      The CA Connector Client rotates log files daily and names the previous files using this naming convention.

    • The number of archive files to retain before deletion:

      archiveFileName="/opt/keyfactor/ca-connector/logs/CA_Connector_Log_Archive_{#}.txt"
      maxArchiveFiles="2"

    • The level of log detail that should be generated and output to the log file:

      name="*" minlevel="Info" writeTo="logfile"

      The default Info level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to Debug or Trace. Available log levels (in order of increasing verbosity) are:

      • OFF—No logging

      • FATAL—Log severe errors that cause early termination

      • ERROR—Log severe errors and other runtime errors or unexpected conditions that may not cause early termination

      • WARN—Log errors and use of deprecated APIs, poor use of APIs, almost errors, and other runtime situations that are undesirable or unexpected but not necessarily "wrong"

      • INFO—Log all of the above plus runtime events (startup/shutdown)

      • DEBUG—Log all of the above plus detailed information on the flow through the system

      • TRACE—Maximum log information—this option can generate VERY large log files

Figure 684: CA Connector Client on Linux NLog.config File