How to enable logging on Identity Servers

  • 7023903
  • 27-May-2019
  • 27-May-2019

Environment

Access Manager 4.4
Access Manager 4.3
Access Manager 4.2

Situation

Troubleshooting Failed Authentication  
Unable to access protected resource for some users

Resolution

Enabling Component Logging
File logging records the actions that have occurred. For example, you can configure Identity Server logging to list every request made to the server. With log file analysis tools, you can get a good idea of where visitors are coming from, how often they return, and how they navigate through a site. The content logged to file logging can be controlled by specifying logger levels and by enabling statistics logging.
1.     Click Devices > IdentityServers > Edit > Auditing and Logging.
2.     File Logging: The following options are available for component logging:
·        Enabled: Enables file logging for this server and its associated Embedded Service Providers.
·        Echo To Console: Copies IdentityServer XML log file to /var/opt/novell/nam/logs/idp/tomcat/catalina.out (Linux),or to /Program Files/Novell/Tomcat/logs/stdout.log (Windows Server2012). You can download the file from Auditing > General Logging.
For the Embedded Service Providers, the log file location depends upon the device:
·        For an Access Gateway Appliance or a Linux Access Gateway Service, this sends the messages to the catalina.out file of the device.
·        For a Windows Access Gateway Service, this sends messages to the stdout.log file of the device.
·        Log File Path: Specifies the path that the system uses to save Identity Server XML log file. The default path is /var/opt/novell/nam/logs/idp/nidplogs.
If you change this path, you must ensure that the user associated with configuring the identity or service provider has administrative rights to the Tomcat application directory in the new path.
If you have a mixed platform environment (for example, Identity Server is installed on Windows and Access Gateway is on Linux), do not specify a path. In a mixed platform environment, you must use the default path.
·        Maximum Log Files: Specifies the maximum number of Identity Server XML log files to leave on the machine. After this value is reached, the system deletes log files, beginning with the oldest file. You can specify Unlimited,or values of 1 through 200. 10 is the default value.
·        File Wrap: Specifies the frequency(hour, day week, month) for the system to use when closing an XML log file and creating a new one. The system saves each file based on the time you specify and attaches the date and/or time to the filename.
·        GZip Wrapped Log Files: Uses the GZip compression utility to compress logged files. The log files that are associated with the GZip option and the Maximum Log Files value are stored in the directory you specify in the Log File Path field.
3.     Component File Logger Levels: By default,Severe is selected. Change the logging sensitivity for the following protocols as needed:
Application: Logs system-wide events, except events that belong to a specific subsystem.
Liberty: Logs events specific to the Liberty IDFF protocol and profiles.
SAML 1: Log sevents specific to the SAML1 protocol and profiles.
SAML 2: Logs events specific to the SAML2 protocol and profiles.
WS Trust: Logs events specific to the WS-Trust protocol.
WS Federation: Logs events specific to the WS Federation protocol.
OAuth and OpenID Connect: Logs events specific to the OAuth and OpenID Connect protocols.
Web Service Provider: (Liberty)Logs events specific to fulfilling web service requests from other web service consumers.
Web Service Consumer: (Liberty)Logs all events specific to requesting web services from a web service provider.
Use the drop-down menu to categorize logging sensitivity. Higher logging levels also include the lower levels in the log.
·        Off: Turns off component file logging for the selected item.
·        Severe: Logs serious failures that can cause system processing to not proceed.
·        Warning: Logs potential failures,but the impact on execution is minimal. Warnings indicate that you should be aware that this event is happening and might want to make a configuration change to avoid it.
·        Info: Logs informational events.No execution or data impact occurred.
·        Verbose: Logs static configuration information. The system logs any configuration errors under one of the primary three levels: Severe, Warning, and Info.
·        Debug: Includes all of the preceding levels.
4.     Statistics Logging: (Optional) Enable this option if you want the system to periodically send the system statistics, in string format, to the current file logger. Statistical data (such as counts, levels, and so on) are included in the file log.
a.      In the Statistics Logging section,select Enabled.
b.     In the Log Interval field,specify the time interval in seconds that statistics are logged.
5.     Audit Logging: For information about configuring Audit Logging, see Section 20.2, Enabling Identity Server Audit Events.
6.     Click OK.
7.     Update Identity Server.

Note: The above changes are dynamic and does not require the services to be restarted