pki-server-logging(5) PKI Server Logging Configuration pki-server-logging(5)


pki-server-logging - PKI Server Logging Configuration


/etc/pki/instance/, /etc/pki/instance/subsystem/CS.cfg


PKI server logging can be configured using the following logging frameworks:

  • java.util.logging
  • Internal Logging


Tomcat uses java.util.logging (JUL) as the default logging framework. The configuration is described in Tomcat 8.5 Logging.

The default configuration is located at /usr/share/pki/server/conf/. During server deployment, a link will be created at /etc/pki/instance/.

By default only log messages with level WARNING or higher will be logged on the console (i.e. systemd journal).

java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n

The systemd journal can be viewed with the following command:

$ journalctl -u pki-tomcatd@<instance>.service

For more information see the following documents:

  • java.util.logging.ConsoleHandler
  • java.util.logging.Level
  • java.util.logging.SimpleFormatter
  • java.util.Formatter

Internal Logging

Each PKI subsystem uses an internal logging framework for debugging purposes.

The logging configuration is stored in /etc/pki/instance/subsystem/CS.cfg.


The debug.level parameter determines the amount of detail to be logged. The value ranges from 0 (most detail) to 10 (least detail). The default value is 10.



To customize JUL configuration, replace the link with a copy of the default configuration:

$ rm -f /etc/pki/<instance>/
$ cp /usr/share/pki/server/conf/ /etc/pki/<instance>
$ chown pkiuser.pkiuser /etc/pki/<instance>/

Then edit the file as needed. For example, to troubleshoot issues with the PKI library, add the following lines:

netscape.level = ALL
com.netscape.level = ALL
org.dogtagpki.level = ALL

To troubleshoot issues with RESTEasy, add the following line:

org.jboss.resteasy.level = ALL

Then restart the server.

Internal Logging

To customize the internal logging configuration, edit the CS.cfg as needed, then restart the server.
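
A check that the troubleshooting settings described above (the JUL logger levels and debug.level in CS.cfg) were reverted afterwards, as an added example that is not part of the original man page or the Dogtag code. The function names and file arguments are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not Dogtag project code): list settings still at
# troubleshooting verbosity. File paths are supplied by the caller.

# Print each JUL logger set below WARNING as "<logger>=<level>".
# Handler levels are skipped: a ConsoleHandler at ALL only emits what
# the loggers themselves let through.
verbose_jul_loggers() {
    awk -F= '
        /^[ \t]*[#!]/ { next }                  # properties-file comments
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key !~ /\.level$/ || key ~ /Handler\.level$/) next
            if (val !~ /^(ALL|FINEST|FINER|FINE|CONFIG|INFO)$/) next
            sub(/\.level$/, "", key)
            if (key == "") key = "<root>"       # ".level" is the root logger
            print key "=" val
        }' "$1"
}

# Print debug.level from a CS.cfg when it is below the default of 10.
lowered_debug_level() {
    awk -F= '
        { key = $1; val = $2
          gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val) }
        key == "debug.level" && val + 0 < 10 { print val }' "$1"
}

# Constructed sample input: the handler settings and troubleshooting
# lines shown on this page, with the RESTEasy line commented out.
jul=$(mktemp); cs=$(mktemp)
cat > "$jul" <<'EOF'
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
netscape.level = ALL
com.netscape.level = ALL
org.dogtagpki.level = ALL
# org.jboss.resteasy.level = ALL
EOF
printf 'debug.level=0\n' > "$cs"

verbose_jul_loggers "$jul"    # reports the three PKI library loggers
lowered_debug_level "$cs"     # reports the lowered debug.level
rm -f "$jul" "$cs"
```

Empty output from both functions means no logger is below WARNING and debug.level is at its default.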


Dogtag PKI Team.




Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2).

November 3, 2016 PKI