
Securing MarkLogic Server

Tool to View Encrypted Log Files Outside of MarkLogic Server

MarkLogic Server encryption at rest includes the mlecat command line tool, which can be used to view encrypted log files outside of the server.

Note

Windows users use mlecat.bat instead of mlecat.

The mlecat tool works under either of these conditions:

  • The mlecat tool has access to the MarkLogic Server data directory and the .pem files.

  • The log files are encrypted with a user-specified logs passphrase, and the same passphrase is passed to mlecat with the -p option.

Note

The mlecat tool should be run by a user with sufficient OS privileges to access the PKCS#11 wallet (located by default at /var/opt/MarkLogic). It is suggested that the user be a member of the group running MarkLogic Server (by default, daemon).

If you want to decrypt log files without having access to your KMS, you must set a logs-encryption-passphrase. To set this passphrase, use the admin:cluster-set-keystore-logs-encryption-passphrase() function. For example:

xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

(: Set the logs-encryption-passphrase in the cluster keystore configuration
   and save it. Log file encryption must also be enabled for it to be used. :)
let $config := admin:get-configuration()
let $passphrase := "dazzling zebras"
let $config := admin:cluster-set-keystore-logs-encryption-passphrase(
                 $config, $passphrase)
return admin:save-configuration($config)

Note

Log file encryption must be enabled for this passphrase to be used.

On every OS, add MARKLOGIC_INSTALL_DIR and MARKLOGIC_INSTALL_DIR/bin to your PATH. For example:

PATH=$MARKLOGIC_INSTALL_DIR:$MARKLOGIC_INSTALL_DIR/bin:$PATH

For more about setting environment variables on various platforms, see the information about installation and data directories as part of Installing MarkLogic in Installation Guide for All Platforms.

To see the command line options for the mlecat tool, invoke mlecat with no arguments:

mlecat
==>
mlecat [option] filepath(s)
option:
  -i iDIR, iDir is the MarkLogic Server Install directory, alternatively the environmental variable MARKLOGIC_INSTALL_DIR can be used to set this value.
  -d dDIR, dDIR is the MarkLogic Server Data directory, alternatively the environmental variable MARKLOGIC_DATA_DIR can be used to set this value
  -p PASS, PASS is your logs-encryption-passphrase (if you are using one);
  [-f] filepath(s), one or more file paths (-f can be specified before each file for explicit file list)

For example:

mlecat -p admin /var/opt/MarkLogic/Logs/ErrorLog.txt
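The steps above (PATH setup, the -i/-d/-p options, and the invocation) combined into a wrapper script. This is an added example, not a tool shipped with MarkLogic; it assumes the Red Hat Linux default directories from the table below and reads the passphrase from a mode-600 file, so the value never has to be typed on an interactive command line or land in shell history. mlecat itself still receives it through -p, the only form its usage text offers.

```shell
#!/bin/sh
# Added wrapper around mlecat (assumed at $MARKLOGIC_INSTALL_DIR/bin/mlecat).
# The logs-encryption-passphrase is read from a file that must be mode 600,
# instead of being typed as "-p PASS" where it would be kept in shell history.

: "${MARKLOGIC_INSTALL_DIR:=/opt/MarkLogic}"   # Red Hat Linux defaults
: "${MARKLOGIC_DATA_DIR:=/var/opt/MarkLogic}"
export MARKLOGIC_INSTALL_DIR MARKLOGIC_DATA_DIR
PATH="$MARKLOGIC_INSTALL_DIR:$MARKLOGIC_INSTALL_DIR/bin:$PATH"

# check_passphrase_file FILE: succeed only if FILE is a regular file whose
# permissions are rw------- or r-------- (no group or other access).
check_passphrase_file() {
    f=$1
    [ -f "$f" ] || { echo "passphrase file missing: $f" >&2; return 1; }
    case $(ls -ld "$f") in
        -r[w-]-------*) return 0 ;;
        *) echo "passphrase file $f is readable by others; chmod 600 it" >&2
           return 1 ;;
    esac
}

# decrypt_logs PASSFILE LOG...: run mlecat over LOG... with the passphrase
# from PASSFILE. Nothing is executed if any of the checks fails.
decrypt_logs() {
    passfile=$1; shift
    check_passphrase_file "$passfile" || return 1
    IFS= read -r pass < "$passfile" || [ -n "$pass" ] || return 1
    command -v mlecat >/dev/null 2>&1 || { echo "mlecat is not on PATH" >&2; return 1; }
    [ $# -gt 0 ] || { echo "usage: decrypt_logs PASSFILE LOG..." >&2; return 1; }
    for log; do
        [ -r "$log" ] || { echo "cannot read log file: $log" >&2; return 1; }
    done
    mlecat -i "$MARKLOGIC_INSTALL_DIR" -d "$MARKLOGIC_DATA_DIR" -p "$pass" "$@"
}

# Example call (hypothetical paths), e.g. from a forensic workstation:
#   decrypt_logs /root/.mlecat-pass "$MARKLOGIC_DATA_DIR"/Logs/ErrorLog.txt
```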

Defaults for the MarkLogic Server data and install directories are shown in this table:

Platform        Installation Directory       Default Data Directory (for configuration and log files)
Windows         c:\Program Files\MarkLogic   c:\Program Files\MarkLogic\Data
Red Hat Linux   /opt/MarkLogic               /var/opt/MarkLogic
Mac OS X        ~/Library/MarkLogic          ~/Library/Application Support/MarkLogic/Data
