How can I backup changelogDb in DS 7.1+?

The changelogDb backend is not part of the backup by default, and I can’t use the dsbackup command to back up changelogDb, so is there any method to back it up other than copying the entire changelogDb folder (known as a snapshot)?

Greetings Aaron,
Thank you for the inquiry. This does raise an interesting point: Of what value would a historic changelogdb be?
a. It would not contain the latest and missed changes from the time of the backup to the time of the restore.
b. If it were introduced during the restore process, there may be entry conflicts.
c. And we are all hopeful that the latency in persisting a change from the changelogdb to the appropriate backend is accomplished in seconds, or part thereof. Not hours.
d. And of course, the purge delay setting may further render this instance of the changelogdb irrelevant.

Nonetheless, to answer your question, you do have a few options:

  1. As you identify, a snapshot. But consider the issues above.
  2. Use changelogstat and export the changelog: changelogstat :: ForgeRock Directory Services
  3. And if it interests you, the changelog can be configured to include all sufficient information for the External ChangeLog.

Directory Server replication and its intricacies are well defined here: Knowledge - ForgeRock BackStage

Cheers.
Guy.

2 Likes

Hi Guy,

Thank you very much for your detailed response. It really helps me a lot!

To provide some context on my specific situation and intentions:

  1. The primary purpose for wanting to keep a comprehensive log, including the changelogDb, is for audit reasons on a standalone replication server. I acknowledge the potential limited value of these “logs of logs” and am not planning to use them for data restoration. My objective is purely to maintain a detailed audit trail.
  2. The standard ForgeRock documentation on audit logs (Directory Services 7 > Logging Guide > Manage Logs) does not capture the specifics of changelogDb interactions. This gap in the audit capabilities is a primary driver for my inquiry.
  3. I have explored using changelogstat with commands like dump-change-number-db or dump-replica-db-file, but these only yield basic information, such as ModifyMsg content, which includes protocol version, DN, CSN, and uniqueId, but not the full content I require for comprehensive audits.
  4. Given these considerations, it seems my best course of action remains to rely on regularly taking snapshots of the changelogDb folder. This method, while not ideal, appears to be the most effective way to achieve the level of detail needed for auditing purposes.

Best,
Aaron

Thank you for the response and insights.
(Clearly I’m a person of many opinions, thus responding.)

  1. Your point: detailed audit trail.
    Specifically, what are you auditing? The summation of the “global” access logs would provide all LDAP operation requests and responses.
    The server Audit log (by default disabled) is a recording of all DS data changes.
    Therefore, I present the opinion that using the ECL is the wrong tool for the requirement and objective.

  2. Your point 2: The Audit Gap
    I refer to my comment above; perhaps an Audit Log as opposed to the access log would be of value.

  3. I concur that an in-depth audit requirement may be required in some business circles. However, the topic of “audit” to me implies who, what, where, when. This comprehensive data is also not maintained within the changelogdb and therefore irrelevant for the task. Access and Audit logs provide this data.

  4. As you wish, but in your “periodicy” (not a word I know) do note that you still run the very high risk of missing pertinent data as the changelogdb is a live file. Therefore, please do consider the value of the Audit Log. And merging the useful information with information provided by Access logs to fulfill a comprehensive audit philosophy and methodology.

And in summary, I very much appreciate the opportunity to have such insightful and debatable conversations. It’s a pleasant change from the simple “how do I” conversations.
Thank you for the privilege.
Guy

2 Likes

Thank you very much for your reply. I will fully consider your suggestions; it was a pleasant discussion.

1 Like