NFSLOGD(8) Maintenance Procedures NFSLOGD(8)


nfslogd - nfs logging daemon




The nfslogd daemon provides operational logging to the Solaris NFS
server. It is the nfslogd daemon's job to generate the activity log by
analyzing the RPC operations processed by the NFS server. The log will
only be generated for file systems exported with logging enabled. This
is specified at file system export time by means of the share_nfs(8)

NFS server logging is not supported on Solaris machines that are using
NFS Version 4.

Each record in the log file includes a time stamp, the IP address (or
hostname if it can be resolved) of the client system, the file or
directory name the operation was performed on, and the type of operation.
In the basic format, the operation can either be an input (i) or output
(o) operation. The basic format of the NFS server log is compatible with
the log format generated by the Washington University FTPd daemon. The
log format can be extended to include directory modification operations,
such as mkdir, rmdir, and remove. The extended format is not compatible
with the Washington University FTPd daemon format. See nfslog.conf(5) for

The NFS server logging mechanism is divided in two phases. The first
phase is performed by the NFS kernel module, which records raw RPC
requests and their results in work buffers backed by permanent storage.
The location of the work buffers is specified in the /etc/nfs/nfslog.conf
file. Refer to nfslog.conf(5) for more information. The second phase
involves the nfslogd user-level daemon, which periodically reads the work
buffers, interprets the raw RPC information, groups related RPC
operations into single transaction records, and generates the output log.
The nfslogd daemon then sleeps waiting for more information to be logged
to the work buffers. The amount of time that the daemon sleeps can be
configured by modifying the IDLE_TIME parameter in /etc/default/nfslogd.
The work buffers are intended for internal consumption of the nfslogd

NFS operations use file handles as arguments instead of path names. For
this reason the nfslogd daemon needs to maintain a database of file
handle to path mappings in order to log the path name associated with an
operation instead of the corresponding file handle. A file handle entry
is added to the database when a client performs a lookup or other NFS
operation that returns a file handle to the client.

Once an NFS client obtains a file handle from a server, it can hold on to
it for an indefinite time, and later use it as an argument for an NFS
operation on the file or directory. The NFS client can use the file
handle even after the server reboots. Because the database needs to
survive server reboots, it is backed by permanent storage. The location
of the database is specified by the fhtable parameter in the
/etc/nfs/nfslog.conf file. This database is intended for the internal use
of the nfslogd daemon.

In order to keep the size of the file handle mapping database manageable,
nfslogd prunes the database periodically. It removes file handle entries
that have not been accessed in more than a specified amount of time. The
PRUNE_TIMEOUT configurable parameter in /etc/default/nfslogd specifies
the interval length between successive runs of the pruning process. A
file handle record will be removed if it has not been used since the last
time the pruning process was executed. Pruning of the database can
effectively be disabled by setting the PRUNE_TIMEOUT as high as INT_MAX.

When pruning is enabled, there is always a risk that a client may have
held on to a file handle longer than the PRUNE_TIMEOUT and perform an NFS
operation on the file handle after the matching record in the mapping
database had been removed. In such case, the pathname for the file handle
will not be resolved, and the log will include the file handle instead of
the pathname.

There are various configurable parameters that affect the behavior of the
nfslogd daemon. These parameters are found in /etc/default/nfslogd and
are described below:

Sets the file mode for the log files, work
buffer files and file handle mapping database.

Specifies the minimum size, in bytes, that the
buffer file must reach before processing the
work information and writing to the log file.
The value of MIN_PROCESSING_SIZE must be
between 1 and ulimit.

Specifies the amount of time, in seconds, the
daemon should sleep while waiting for more
information to be placed in the buffer file.
IDLE_TIME also determines how often the
configuration file will be reread. The value
of IDLE_TIME must be between 1 and INT_MAX.

The nfslogd periodically cycles its logs.
MAX_LOGS_PRESERVE specifies the maximum number
of log files to save. When MAX_LOGS_PRESERVE
is reached, the oldest files will be
overwritten as new log files are created.
These files will be saved with a numbered
extension, beginning with filename.0. The
oldest file will have the highest numbered
extension up to the value configured for
MAX_LOGS_PRESERVE must be between 1 and

Specifies how often, in hours, the log files
are cycled. CYCLE_FREQUENCY is used to insure
that the log files do not get too large. The
value of CYCLE_FREQUENCY must be between 1
and INT_MAX.

Specifies the time interval, in seconds,
between updates of the records in the file
handle to path mapping tables. Instead of
updating the atime of a record each time that
record is accessed, it is only updated if it
has aged based on this parameter. The record
access time is used by the pruning routine to
determine whether the record should be removed
from the database. The value of this parameter
must be between 1 and INT_MAX.

Specifies when a database record times out, in
hours. If the time that elapsed since the
record was last accessed is greater than
PRUNE_TIMEOUT then the record can be pruned
from the database. The default value for
PRUNE_TIMEOUT is 168 hours (7 days). The
value of PRUNE_TIMEOUT must be between 1 and


The following exit values are returned:

Daemon started successfully.

Daemon failed to start.






nfslog.conf(5), attributes(7), share_nfs(8)


The nfslogd service is managed by the service management facility,
smf(7), under the service identifier:


Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using svcadm(8). The service's
status can be queried using the svcs(1) command.

November 24, 2014 NFSLOGD(8)