Logging
Find resources about Access Server's log functionality. Logging helps debug issues and get insight into connections from VPN clients to your VPN server.
Overview
Access Server records logs and provides access to the information from the Admin Web UI and through the command-line interface (CLI). This topic provides you with the following:
Where logs are stored.
Managing log files.
Troubleshooting with log files.
Using the logdba tool.
The following sections help you work with Access Server's logs for troubleshooting, debugging, and querying.
Where to find log information
You can find log information in the following places:
In the VPN client app, OpenVPN Connect.
Saved on the client device.
In the Admin Web UI.
Saved on the VPN server.
The client log files can help you figure out the following:
Why a client has connection problems.
Which routes and instructions the client receives.
Locate the files in one of the following locations.
In OpenVPN Connect
Export the log data from within OpenVPN Connect v3 directly:
Launch OpenVPN Connect.
Click the log icon in the corner.
The Log File window displays.
Click the mail icon.
The window opens to save the log file.
Select a location and click Save.
On the client device
OpenVPN Connect v3 stores the log data locally on the client device:
Windows: <User Folder>\AppData\Roaming\OpenVPN Connect\log\openvpn.log
macOS: ~/Library/Application Support/OpenVPN Connect/log/ovpn.log
OpenVPN Connect v2 stores the log data locally in these locations:
Windows: C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(uniquename).log
macOS: /Library/Application Support/OpenVPN/log/openvpn_(unique_name).log
Caution
OpenVPN Connect on macOS has permissions set on the log file, so you can't usually open it. To bypass this, right-click the log file and click Get info. Then at the bottom, under Sharing & Permissions, use the yellow padlock icon to unlock the settings and to give everyone read access.
Access Server stores log files that contain technical and sensitive information. Most common sensitive data, like login credentials, is normally redacted, but some sensitive information can be visible in the logs if you enable certain debug flags. Also, should errors occur, partial certificate data may be included.
We recommend you treat the log data as sensitive.
You can expand the technical information contained in the server logs to include extra information using debug flags, as explained in this tutorial:
Tip
You can send the log data to syslog locally. If you want it sent to a remote server, configure a rule in the local syslog daemon to redirect it to a networked syslog server.
In the Admin Web UI
Access Server displays log information in the Admin Web UI. To view it:
Sign in to the Admin Web UI.
Click Status > Log Reports.
With these logs, you can see the following:
When a user connects.
The connection duration.
If users connect to the VPN, to a web service, etc.
Their data usage.
Simple error messages from authentication or connection issues.
On the server
You can find Access Server's server-side logs here:
/var/log/openvpnas.log
/var/log/openvpnas-node.log (for a failover setup)
When troubleshooting, you can create a clean log file by following these steps:
Stop the Access Server service:
service openvpnas stop
Move and rename the log file:
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
Restart the Access Server service:
service openvpnas start
Stop the Access Server service:
service openvpnas stop
Now you can get the log file from /var/log/openvpnas.log for analysis.
Start the Access Server service again:
service openvpnas start
Set up a log file rotation
You can set up a log file rotation that sets an allowable file size and deletes older files. Follow our tutorial steps:
Log to the syslog
You can log to the local syslog daemon or an external syslog server by following the tutorial steps here:
Turn off audit and service logging
You can turn off logging by following the tutorial steps here:
Implementing debug flags
You can add debug flags to log additional information to help with troubleshooting. Follow this tutorial:
Querying the logs
You can query the logs from the Log Report page in the Admin Web UI or with the logdba tool: