Sunday, August 26, 2007

NFS Logging

Further to my last blog post, in which I encountered issues with nfslog, I managed to resolve them, thanks to some of the Sun folks that I talked to.

I always thought that doing 'ls -lR' in the NFS mount point would generate a lot of NFS traffic and hence produce output in the nfslog. Instead, the fhtable ndbm database grows but not the nfslog. As described in Sameer Smth's blog:

The subset of these activities is to store information about the files/links/directories. nfslogd does not use flat files to log these activities as the searching of data will become very inefficient. Instead nfslogd uses Solaris native database ndbm to log all these records. This makes searching/deleting/inserting the records very efficient. nfslogd stores two sets of records for each file/link/directory. These records are primary & secondary.

To test nfslogd, I shared out /usr read-only and made sure the client mounted it with NFS version 3. The process is shown below:

server# share -F nfs -o log=global,ro /usr

client# mount -o vers=3,ro server:/usr /mnt
client# cd /mnt/include
client# cat *.h


server# cat /var/nfs/nfslog.d
Fri Aug 24 14:19:45 2007 0 client 2780 /usr/include/apptrace.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1358 /usr/include/apptrace_impl.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1916 /usr/include/ar.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 7495 /usr/include/archives.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 21174 /usr/include/aspell.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1553 /usr/include/assert.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 239 /usr/include/atomic.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 23476 /usr/include/audiofile.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1633 /usr/include/aupvlist.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 2390 /usr/include/auth_attr.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 684 /usr/include/auto_ef.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 7833 /usr/include/bzlib.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 3829 /usr/include/complex.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 6543 /usr/include/config_admin.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1025 /usr/include/cpio.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1633 /usr/include/crypt.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 2240 /usr/include/ctype.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 51186 /usr/include/curses.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1873 /usr/include/deflt.h b _ read r 60001 nfs3-tcp 0 *
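
As an added example (not part of the original post and not Sun's code), this Python code parses records in the layout shown above and totals operations and bytes per client, uid and operation, which is the kind of summary an audit review would start from. The field labels are assumptions taken from the WU-ftpd xferlog layout that nfslogd's output follows, and the sample input is constructed from the listing above.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample: three records from the listing above plus one malformed line.
SAMPLE = """\
Fri Aug 24 14:19:45 2007 0 client 2780 /usr/include/apptrace.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 1358 /usr/include/apptrace_impl.h b _ read r 60001 nfs3-tcp 0 *
Fri Aug 24 14:19:45 2007 0 client 51186 /usr/include/curses.h b _ read r 60001 nfs3-tcp 0 *
truncated line
"""

class Record(NamedTuple):
    when: datetime
    host: str
    size: int
    path: str
    operation: str
    uid: str
    service: str

def parse_line(line: str) -> Optional[Record]:
    """Parse one nfslog record; return None if it does not fit the layout."""
    tok = line.split()
    # 5 timestamp tokens, elapsed, host, size, then the path, then 8 fixed fields.
    if len(tok) < 17:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(tok[7])
    except ValueError:
        return None
    # Assumed labels: type, option, operation, access mode, uid, service, auth method, auth id.
    _type, _opt, operation, _mode, uid, service, _auth, _auth_id = tok[-8:]
    # Splitting from both ends keeps a path containing spaces in one piece.
    return Record(when, tok[6], size, " ".join(tok[8:-8]), operation, uid, service)

def summarize(text: str):
    """Return ({(host, uid, operation): (count, bytes)}, rejected line count)."""
    totals, rejected = defaultdict(lambda: [0, 0]), 0
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        entry = totals[(rec.host, rec.uid, rec.operation)]
        entry[0] += 1
        entry[1] += rec.size
    return {k: tuple(v) for k, v in totals.items()}, rejected
```

Counting rejected lines separately keeps a truncated or corrupted log from silently shrinking the totals.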

Now the question is whether I should use nfslogd to capture all the NFS traffic. The problem is that it does not support NFSv4, so I would have to ensure all my NFS clients talk v3. BSM way or NFS log way for logging? That depends on whether you are logging for audit or just logging.
