DDC Administration



Please Note:


Data Discovery and Classification (DDC) writes its log messages to the CipherTrust Manager logs. DDC logs are located in the /opt/keysecure/logs directory. The CipherTrust Manager System Administrator ksadmin can log in over SSH to retrieve CipherTrust Manager logs. DDC Application Administrators also have access to the logs.

For more details on collecting DDC logs, see Troubleshooting Issues in Conjunction with Customer Support in the CipherTrust Manager Administrator page.

Default Logging Level

By default, the log level for DDC is INFO. At this level, DDC prints INFO and ERROR level messages to the log. Among the various messages that DDC prints to the logs, the error messages and security audit messages are the most useful for troubleshooting DDC issues and securing the deployment.

Identifying DDC Log Messages

The microservices behind DDC are oleander and sundew, and the messages that DDC sends to the CipherTrust Manager log can be identified by those names.

Additionally, oleander has these three modules:

  • Clustering
  • Agent_Selection
  • Scan_watcher

Each of these modules generates its own error messages, each in its own separate log file.

The logging service responsible for collecting and processing these messages is FLUENTD. It is capable of displaying those messages to the terminal through the log command. Here's an example of such a command:

log | grep oleander | grep "clustering"

This command displays all messages coming from oleander's Clustering module.

For a complete list of error messages that DDC sends to the CM log, see the appendix Error Log Messages.

Security Audit Log Messages

The DDC security audit messages can be identified by the Oleander | INFO [security] string that they contain. The full format of such a log message (or log line) is:

<date> | Oleander | INFO [security] <event> <error (if any)> <details (if any)>

For example:

2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe error: error probing scan client details: [scan_id:5432-5432-543254-2-5432]

Usually, only the event type is printed out to the log (in the example above, it would be DDCScanClientUnexpectedErrorProbe).
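The following parser for the security audit line format above is an added example, not code from the product or its documentation. It can be run over logs retrieved from /opt/keysecure/logs to tally security events and flag those that carried an error. It assumes, based on the single example line on this page, that the error text is introduced by "error:" and that details are a trailing bracketed group; the event name ExampleEventOnly is hypothetical.

```python
import re
from collections import Counter

# Accepts both variants on the page: "INFO [security]" and "INFO | [security]".
AUDIT_RE = re.compile(
    r"^(?P<date>\S+)\s*\|\s*Oleander\s*\|\s*INFO\s*\|?\s*"
    r"\[security\]\s+(?P<event>\S+)(?:\s+(?P<rest>.*))?$"
)
# Assumption (from the page's single example): details are a trailing [...] group.
DETAILS_RE = re.compile(r"\[([^\[\]]*)\]\s*$")


def parse_audit_line(line):
    """Return a dict for a DDC security audit line, or None for any other line."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    d = DETAILS_RE.search(rest)
    details = d.group(1) if d else None
    text = (rest[:d.start()] if d else rest).strip()
    # Assumption: the error text, when present, is introduced by "error:".
    error = text[len("error:"):].strip(" :") if text.startswith("error:") else None
    return {"date": m.group("date"), "event": m.group("event"),
            "error": error or None, "details": details}


def summarize(lines):
    """Count security events, and separately the events that carried an error."""
    events, with_error = Counter(), Counter()
    for rec in filter(None, map(parse_audit_line, lines)):
        events[rec["event"]] += 1
        if rec["error"]:
            with_error[rec["event"]] += 1
    return events, with_error


# First line is the example from this page; the others are constructed.
SAMPLE = [
    "2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe "
    "error: error probing scan client details: [scan_id:5432-5432-543254-2-5432]",
    "2020-06-29 | Oleander | INFO [security] ExampleEventOnly",  # hypothetical event
    "2020-06-29 | Oleander | INFO | clustering job finished",    # not an audit line
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(parse_audit_line(sample_line))
    print(summarize(SAMPLE))
```

Lines that do not carry the [security] marker, including other oleander and sundew messages, return None and are left out of the counts.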

Enabling Syslog Logging

Audit records are logged to a local database by default. This is suitable for production systems and clusters with a limited load. However, for clusters that support a large number of transactions, it is recommended to configure the CM to disable logging to a local database and enable logging using a remote Syslog server. This significantly reduces cluster traffic and disk usage. For more information, refer to the following sections in the Thales CipherTrust Manager Administrator Guide: