Log Analyzer

The SSSD 2.6.0 release includes a new log parsing tool for SSSD debug log analysis. This analyzer tool can be called using the sssctl analyze command, the log analysis tool primarily acts as a grep front-end.

Identifying SSSD failures can be a difficult task without knowledge of SSSD internal components. If an administrator or SSSD user doesn’t know what to look for, it may become a very slow and time consuming process. The sssctl analyze tool improves the overall troubleshooting workflow for administrators, users, and anyone needing to review SSSD debug logs. The initial use case is to extract and print SSSD logs pertaining only to certain client requests across responder, backend, and child sssd processes.

  • debug_level should be set to at least 7 in the [$responder] section, and [domain/$domain] section to enable analyze log parsing functionality.

  • Logs to analyze must be from compatible SSSD version built with tevent chain ID support.

The sssctl analyze command uses git-like subcommand invocation.

# sssctl analyze MODULE [ARGS]

The only supported module currently is the request module. The request module is used to print logs associated with client requests made to SSSD.


Additional modules to be added contingent on future SSSD development plans

# sssctl analyze request
Usage: sss_analyze.py request [OPTIONS] COMMAND [ARGS]...

Request module

--help  Show this message and exit.


sssctl analyze request operates in two different primary modes shown in the table below. list mode is intended to use first, to find the client ID which can then be passed to the show command. The client ID can also be found in the log files (search for [CID #] tag).


mode functionality

additional options


Output list of recent client requests made to sssd

-v, --verbose

Enables verbose output


Filter only PAM requests


Print logs pertaining to a provided client ID number


Merge logs together sorted by timestamp (requires debug_microseconds = True)


Include child process logs


Track only PAM requests


Requests which return from the SSSD memory cache will not be logged, and therefore not tracked by the analyzer

Print client command request list, NSS (default), or PAM

# sssctl analyze request list
# sssctl analyze request list --pam


SSSD tracks identity user/group information (id, getent) in the NSS separately from PAM responder user authentication(su, ssh). The CID in the NSS responder is independent of the CID in the PAM responder, you will see overlapping numbers when analyzing NSS and PAM requests. Use –pam option when necessary.

Verbose list output

# sssctl analyze request list -v

Track individual NSS request id number 20

# sssctl analyze request show 20

Track PAM request including child process logs

# sssctl analyze request show 13 --child --pam

Track individual PAM request

# sssctl analyze request show 20 --pam

Supports --logger=journald configurations

# sssctl analyze --source=journald request list

Analyze logs extracted, or sent from another user.

# sssctl analyze --logdir=/path/to/var/log/sssd request list

SSSD development would appreciate any positive, or negative, feedback on the log analyzer tool. One reason the log analyzer tool is written in python is to encourage contributions. Improvement suggestions and Pull Requests are welcome!