Red Hat SummitChapter 102. Collecting IdM Healthcheck information
Healthcheck has been designed as a manual command line tool which should help you to identify possible problems in Identity Management (IdM).
You can create a collection of logs based on the Healthcheck output with 30-day rotation.
Prerequisites
- The Healthcheck tool is only available on RHEL 8.1 or newer
102.1. Healthcheck in IdM
The Healthcheck command line tool in Identity Management (IdM) helps find issues that can impact the performance of your IdM environment. Using Healthcheck, you can identify an issue in advance so that you can correct it before it becomes critical.
You can use Healthcheck without obtaining a Kerberos ticket.
Modules are independent
Healthcheck consists of independent modules which check for:
- Replication issues
- Certificate validity
- Certificate authority infrastructure issues
- IdM and Active Directory trust issues
- Correct file permissions and ownership settings
Output formats and destination
You can set the following types of output for Healthcheck to generate by using the output-type option:
-
json: Machine-readable output in JSON format (default) -
human: Human-readable output
You can specify a file to store the output by using the --output-file option.
Results
Each Healthcheck module returns one of the following results:
- SUCCESS
- The system is configured as expected.
- WARNING
- It is advisable to monitor or evaluate the configuration.
- ERROR
- The system is not configured as expected.
- CRITICAL
- The configuration is not as expected, with a significant potential to impact the functioning of your IdM deployment.
102.2. Log rotation
Log rotation creates a new log file every day and the files are organized by date. The date is included in the filename.
Using log rotation, you can configure the maximum number of log files to be stored. If this number is exceeded, the newest file replaces the oldest one. For example, if the maximum rotation number is thirty, the thirty-first log file replaces the first, that is the oldest one.
Log rotation reduces voluminous log files and organizes them. This helps you analyze the logs.
102.3. Configuring log rotation using the IdM Healthcheck tool
Follow this procedure to configure log rotation with the following utilities:
-
The
systemdtimer -
The
crondservice
The systemd timer runs the Healthcheck tool periodically and generates the logs. By default, this is set to occur at 4 a.m. every day.
The crond service is used for log rotation.
The default log name is healthcheck.log and the rotated logs use the healthcheck.log-YYYYMMDD format.
Prerequisites
-
You have
rootprivileges.
Procedure
Enable a
systemdtimer:systemctl enable ipa-healthcheck.timer
# systemctl enable ipa-healthcheck.timer Created symlink /etc/systemd/system/multi-user.target.wants/ipa-healthcheck.timer -> /usr/lib/systemd/system/ipa-healthcheck.timer.Copy to Clipboard Copied! Start the
systemdtimer:systemctl start ipa-healthcheck.timer
# systemctl start ipa-healthcheck.timerCopy to Clipboard Copied! Open the
/etc/logrotate.d/ipahealthcheckfile to configure the number of logs you want to be saved:[...] rotate 30 }[...] rotate 30 }Copy to Clipboard Copied! By default, logs are stored for 30 days before they are overwritten by newer logs.
In the same file, configure the path to the file storing the logs.
/var/log/ipa/healthcheck/healthcheck.log { [...]/var/log/ipa/healthcheck/healthcheck.log { [...]Copy to Clipboard Copied! By default, logs are saved in the
/var/log/ipa/healthcheck/directory.- In the same file, configure at what time you want logs to be generated. By default, a log is created daily at 4 a.m.
- Save the file.
Ensure that the
crondservice is enabled and running:systemctl enable crond systemctl start crond
# systemctl enable crond # systemctl start crondCopy to Clipboard Copied! To start generating logs, start the IdM healthcheck service:
systemctl start ipa-healthcheck
# systemctl start ipa-healthcheckCopy to Clipboard Copied!
Verification
-
Navigate to the
/var/log/ipa/healthcheck/directory. - Display the contents of the log file to check if it was created correctly.
102.4. Changing IdM Healthcheck configuration
You can change Healthcheck settings by adding the desired command line options to the /etc/ipahealthcheck/ipahealthcheck.conf file. This can be useful when, for example, you configured a log rotation and want to ensure the logs are in a format suitable for automatic analysis, but do not want to set up a new timer.
This Healthcheck feature is only available on RHEL 8.7 and newer.
After the modification, all logs that Healthcheck creates follow the new settings. These settings also apply to any manual execution of Healthcheck.
When running Healthcheck manually, settings in the configuration file take precedence over options specified in the command line. For example, if output_type is set to human in the configuration file, specifying json on the command line has no effect. Any command line options you use that are not specified in the configuration file are applied normally.
102.5. Configuring Healthcheck to change the output logs format
Follow this procedure to configure Healthcheck with a timer already configured. In this example, you re-configure Healthcheck to start producing logs in a human-readable format and to also include successful results instead of only errors.
Prerequisites
- Your system is running RHEL 8.7 or later.
-
You have
rootprivileges. - You have previously configured log rotation on a timer.
Procedure
-
Open the
/etc/ipahealthcheck/ipahealthcheck.conffile in a text editor. -
Add options
output_type=humanandall=Trueto the[default]section. - Save and close the file.
Verification
Run Healthcheck manually:
ipa-healthcheck
# ipa-healthcheckCopy to Clipboard Copied! -
Go to
/var/log/ipa/healthcheck/and check that the logs are in the correct format.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}