Logging

Abstract

Find resources about Access Server's log functionality. Logging helps debug issues and get insight into connections from VPN clients to your VPN server.

Overview

Access Server records logs and provides access to the information from the Admin Web UI and through the command-line interface (CLI). This topic provides you with the following:

  • Where logs are stored.

  • Managing log files.

  • Troubleshooting with log files.

  • Using the logdba tool.

The following sections help you work with Access Server's logs for troubleshooting, debugging, and querying.

Where to find log information

You can find log information in the following places:

  • In the VPN client app, OpenVPN Connect.

  • Saved on the client device.

  • In the Admin Web UI.

  • Saved on the VPN server.

The client log files can help you figure out the following:

  1. Why a client has connection problems.

  2. Which routes and instructions the client receives.

Locate the files in one of the following locations.

In OpenVPN Connect

Export the log data from within OpenVPN Connect v3 directly:

  1. Launch OpenVPN Connect.

  2. Click the log icon in the corner.

    • The Log File window displays.

  3. Click the mail icon.

    • The window opens to save the log file.

  4. Select a location and click Save.

On the client device

OpenVPN Connect v3 stores the log data locally on the client device:

  • Windows: <User Folder>\AppData\Roaming\OpenVPN Connect\log\openvpn.log

  • macOS: ~/Library/Application Support/OpenVPN Connect/log/ovpn.log

OpenVPN Connect v2 stores the log data locally in these locations:

  • Windows: C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(uniquename).log

  • macOS: /Library/Application Support/OpenVPN/log/openvpn_(unique_name).log

Caution

OpenVPN Connect on macOS sets permissions on the log file, so you usually can't open it. To bypass this, right-click the log file and click Get Info. Then, at the bottom, under Sharing & Permissions, use the yellow padlock icon to unlock the settings and give everyone read access.

Access Server stores log files that contain technical and sensitive information. Most common sensitive data, like login credentials, is normally redacted, but some sensitive information can be visible in the logs if you enable certain debug flags. Also, should errors occur, partial certificate data may be included.

We recommend you treat the log data as sensitive.

You can expand the technical information contained in the server logs to include extra information using debug flags, as explained in this tutorial:

Tip

You can send the log data to syslog locally. If you want it sent to a remote server, configure a rule in the local syslog daemon to redirect it to a networked syslog server.

In the Admin Web UI

Access Server displays log information in the Admin Web UI. To view it:

  1. Sign in to the Admin Web UI.

  2. Click Status > Log Reports.

With these logs, you can see the following:

  • When a user connects.

  • The connection duration.

  • Whether users connect to the VPN, to a web service, etc.

  • Their data usage.

  • Simple error messages from authentication or connection issues.

On the server

You can find Access Server's server-side logs here:

  • /var/log/openvpnas.log

  • /var/log/openvpnas.node.log (for a failover setup)

When troubleshooting, you can create a clean log file by following these steps:

  1. Stop the Access Server service:

    service openvpnas stop

  2. Move and rename the log file:

    mv /var/log/openvpnas.log /var/log/openvpnas.log.old

  3. Restart the Access Server service:

    service openvpnas start

  4. Stop the Access Server service:

    service openvpnas stop

  5. Now you can get the log file from /var/log/openvpnas.log for analysis.

  6. Start the Access Server service again:

    service openvpnas start
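
Because the log data should be treated as sensitive, and the steps above leave an extra copy at /var/log/openvpnas.log.old, it is worth checking who can read these files. The following is an added example, not part of the Access Server documentation or tooling: the function names and the policy it enforces (no access for "other", no group write) are assumptions, and the paths are the ones listed on this page.

```shell
#!/bin/sh
# Added example: audit permissions on Access Server log files.
# Assumed policy: "other" has no access and the group cannot write.

# check_log_perms FILE...
# Prints one line per finding; returns 0 if clean, 1 if anything was flagged.
check_log_perms() {
    findings=0
    for f in "$@"; do
        if [ -L "$f" ]; then
            # A symlinked log can point somewhere with weaker protection.
            echo "FINDING $f: is a symlink, inspect the target"
            findings=$((findings + 1))
            continue
        fi
        [ -e "$f" ] || continue              # absent file or unmatched glob
        mode=$(ls -ld -- "$f" | cut -c1-10)  # e.g. -rw-r-----
        case "$mode" in
            ???????---) ;;                   # "other" has no access
            *) echo "FINDING $f: accessible to all local users ($mode)"
               findings=$((findings + 1)) ;;
        esac
        case "$mode" in
            ?????w????) echo "FINDING $f: group-writable ($mode)"
                        findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Check the server-side logs named on this page, plus renamed or rotated
# copies such as openvpnas.log.old.
audit_access_server_logs() {
    check_log_perms /var/log/openvpnas.log /var/log/openvpnas.node.log \
        /var/log/openvpnas.log.* /var/log/openvpnas.node.log.*
}

audit_access_server_logs || echo "Review the findings above."
```

Run it as root after collecting logs; a finding on openvpnas.log.old usually means the renamed copy should be tightened with chmod or removed once the analysis is done.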

Set up a log file rotation

You can set up a log file rotation that sets an allowable file size and deletes older files. Follow our tutorial steps:

Log to the syslog

You can log to the local syslog daemon or an external syslog server by following the tutorial steps here:

Turn off audit and service logging

You can turn off logging by following the tutorial steps here:

Implementing debug flags

You can add debug flags to log additional information to help with troubleshooting. Follow this tutorial:

Querying the logs

You can query the logs from the Log Report page in the Admin Web UI or with the logdba tool: