Adjusting logging levels in Identity Manager

Article ID: 33573

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

Identity Manager has multiple components, so logging levels are configured in several locations. This document explains how to enable and adjust logging levels for the JBoss application server, Provisioning Server, Java Connector Server, and product installation logs.

Environment

Identity Manager 14.x

Resolution

Application Servers

For version 14.4, see the documentation for details on adjusting the log levels, as this process has changed slightly:
Identity Manager 14.4 Server Logging

For versions prior to 14.4:

For JBoss 6.x / WildFly 8.2.x, use the following location in Windows Explorer: [Jboss / Wildfly home]\standalone\deployments\iam_im.ear\config\com\netegrity\config

For WebLogic, the location is: \iam_im.ear\config\com\netegrity\config

In this folder is a file called log4j_<applicationserver>.properties, which must be opened with a text editor such as Notepad. The file contains several categories that can be adjusted. For CA Support debugging purposes, the following lines are typically changed:

log4j.category.ims=WARN

log4j.category.im=WARN

should be changed to:

log4j.category.ims=DEBUG

log4j.category.im=DEBUG

All categories in this document can be adjusted to suit the business needs of the company. They can be set to OFF, WARN, INFO, or DEBUG. 

The application server must be restarted for the changes to take effect.
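The edit described above can be scripted so that only the named categories change and a restore copy is kept. This is an added example, not code from the original article or from Broadcom; the function names and the sample file content are hypothetical.

```python
import re
import shutil

LEVELS = {"OFF", "WARN", "INFO", "DEBUG"}  # the levels this article lists
# Matches "log4j.category.ims=WARN"; group 4 keeps any ", appender" suffix.
LINE = re.compile(r"^(\s*log4j\.category\.([\w.]+)\s*=\s*)(\w+)(.*)$", re.S)


def set_levels(text, wanted):
    """Return (new_text, changes) where changes = {category: (old, new)}."""
    bad = sorted(set(wanted.values()) - LEVELS)
    if bad:
        raise ValueError(f"unsupported level(s): {bad}")
    seen, changes, out = set(), {}, []
    for line in text.splitlines(keepends=True):
        m = LINE.match(line)  # commented-out lines start with "#": no match
        if m and m.group(2) in wanted:
            name, old, new = m.group(2), m.group(3), wanted[m.group(2)]
            seen.add(name)
            if old != new:
                changes[name] = (old, new)
                line = m.group(1) + new + m.group(4)
        out.append(line)
    missing = sorted(set(wanted) - seen)
    if missing:  # a misspelt category must not pass silently
        raise KeyError(f"category not in file: {missing}")
    return "".join(out), changes


def update_file(path, wanted):
    """Back up the properties file, then rewrite only the wanted levels."""
    with open(path, newline="", encoding="latin-1") as fh:  # keep CRLF as-is
        new_text, changes = set_levels(fh.read(), wanted)
    if changes:
        shutil.copy2(path, str(path) + ".bak")  # restore point for reverting
        with open(path, "w", newline="", encoding="latin-1") as fh:
            fh.write(new_text)
    return changes  # the application server still has to be restarted


if __name__ == "__main__":
    # Constructed sample, not a real log4j_<applicationserver>.properties.
    sample = "log4j.category.ims=WARN\r\nlog4j.category.im=WARN, logfile\r\n"
    print(set_levels(sample, {"ims": "DEBUG", "im": "DEBUG"})[0])
```

Calling `update_file` again with `{"ims": "WARN", "im": "WARN"}` returns the file to the default levels shown above.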

Alternatively, if logging.jsp has been enabled (see Customize Log Levels using Logging Admin Tool), log4j can be dynamically configured via a browser pointing to the logging.jsp page on the IM application server:

  • http://<im_appServer>:port/iam/im/logging.jsp - This method does not require a restart of the application server. The change is valid only for the current session: the default logging levels are restored when the application server restarts.

Detailed information about implementing logging.jsp is found under \CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin\Readme.txt.

Where to find the logs

  • For Jboss 6.x / Wildfly 8.2.x the log files are located under: [Jboss / Wildfly home]\standalone\log
  • For WebLogic - CA Identity Manager information is written to standard out. By default, standard out is the console window in which the server instance is running.
  • For WebSphere - CA Identity Manager information is written to the console window where the server instance is running, and to <Was_home>\AppServer\profiles\<Profile_Name>\logs\<server_name>\SystemOut.log

Provisioning Server

The provisioning server log level controls several different logs, including the etatrans, etanotify, sa and satrans logs. The level is adjusted in the Provisioning Manager GUI. The logs are enabled by default; the enable/disable option is located under System > Domain Configuration > Transaction Log > Enable.

The level of logging can be adjusted in Provisioning Manager under System > Domain Configuration > Transaction Log > Level.


Below are the log levels and their descriptions.

  • 0: No trans logging
  • 1: Log external/child errors
  • 2: Log external operations
  • 3: Log child operations
  • 4: Log informative messages
  • 5: Log DSA (Directory Service Agent) errors
  • 6: Log DSA operations
  • 7: Log search operations

The change in log level will not take effect until the next time the configuration is re-read (default is every 600 seconds but that can also be configured within the Domain Configuration settings) or until the Provisioning Server service is restarted.

For Broadcom Support debugging purposes logs should be set to level 7. Logs on lower levels are often unhelpful in troubleshooting and determining the root cause of an issue. 

The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\logs

*Note that this is the default installation path.
 

Endpoint logs (Active Directory and others)

Endpoint logs can be valuable when troubleshooting a specific endpoint issue. These logs are not enabled by default and must be enabled through the Provisioning Manager GUI.

To enable the logs:

  1. Go to Endpoints > xxxx Endpoint > [your specific endpoint] > Logging tab.
  2. Check the enabled box and all of the boxes next to Text File.  This will enable endpoint logging into the file saDDMMYY.log.

The example below shows the Logging tab of an Active Directory endpoint; the same steps apply to any other endpoint type:

If the CCS is located on the Provisioning Server, the log files are located under: \CA\Identity Manager\Provisioning Server\logs\saDDMMYY.log.

Active Directory Endpoints have additional endpoint-specific log files which are located under: \CA\Identity Manager\Provisioning Server\logs\ADS.

If the connector server is a standalone installation the log files are located under: \CA\Identity Manager\Connector Server\ccs\logs\ads.

Java Connector Server

To set JCS logs to debug:

  1. Go to the following path on your JCS machine: C:\Program Files (x86)\CA\Identity Manager\Connector Server\etc.
    *Note that this is the default installation path.
  2. Make backup copies of org.ops4j.pax.logging.cfg and org.ops4j.pax.logging.cfg.verbose for when debugging log levels are no longer necessary.
    1. Rename org.ops4j.pax.logging.cfg to org.ops4j.pax.logging.cfg.NOT_IN_USE
    2. Then rename org.ops4j.pax.logging.cfg.verbose to org.ops4j.pax.logging.cfg.
    3. A restart of the JCS is needed after changing the configuration files.
  3. Once the necessary logs are generated you can change back the names of org.ops4j.pax.logging.cfg and org.ops4j.pax.logging.cfg.verbose, or revert to the backup copies of the files. It is recommended that the JCS logs do not remain in debugging mode during normal use, as this logging level can impact performance.
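The rename procedure above, scripted with a state check so a half-finished or repeated swap is refused. This is an added example, not code from the original article or from Broadcom; the function names and the backup folder are hypothetical, and only the three file names come from the steps.

```python
import shutil
from pathlib import Path

ACTIVE = "org.ops4j.pax.logging.cfg"
VERBOSE = ACTIVE + ".verbose"
PARKED = ACTIVE + ".NOT_IN_USE"


def jcs_state(etc_dir):
    """Classify the etc folder by which of the three file names exist."""
    etc = Path(etc_dir)
    have = {n for n in (ACTIVE, VERBOSE, PARKED) if (etc / n).is_file()}
    if have == {ACTIVE, VERBOSE}:
        return "normal"
    if have == {ACTIVE, PARKED}:
        return "debug"
    return "unknown"  # half-finished rename or unexpected layout


def enable_debug(etc_dir, backup_dir):
    """Steps 2, 2.1 and 2.2: back up both files, then swap in the verbose one."""
    etc, backup = Path(etc_dir), Path(backup_dir)
    if jcs_state(etc) != "normal":
        raise RuntimeError(f"refusing to rename, state is {jcs_state(etc)}")
    backup.mkdir(parents=True, exist_ok=True)
    for name in (ACTIVE, VERBOSE):
        shutil.copy2(etc / name, backup / name)
    (etc / ACTIVE).rename(etc / PARKED)
    (etc / VERBOSE).rename(etc / ACTIVE)
    return jcs_state(etc)  # "debug"; restart the JCS for it to take effect


def restore_normal(etc_dir):
    """Step 3: put the original names back once the logs are collected."""
    etc = Path(etc_dir)
    if jcs_state(etc) != "debug":
        raise RuntimeError(f"refusing to rename, state is {jcs_state(etc)}")
    (etc / ACTIVE).rename(etc / VERBOSE)
    (etc / PARKED).rename(etc / ACTIVE)
    return jcs_state(etc)  # "normal"; restart the JCS again


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for etc
        for name, body in ((ACTIVE, "normal"), (VERBOSE, "verbose")):
            (Path(tmp) / name).write_text(body)
        print(enable_debug(tmp, Path(tmp) / "backup"), restore_normal(tmp))
```

Running `jcs_state` against the etc folder on a schedule is a simple way to notice a connector server that was left in debug mode.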

Java connectors also have their own jcs_conn_<endpoint_name>.log located on the JCS server if the property sheets for those are set to log. See the Endpoint logs (Active Directory and others) section for more details on enabling endpoint-specific JCS logging.

The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Connector Server\jcs\logs

*Note that this is the default installation path

Installation logs

Check Debug an Identity Manager Installation for more details on how to debug different installers.

Windows installations

If you encounter issues during the CA Identity Manager installation, see this log file:

C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\caiamsuite.log

*Note that this is the default installation path

The CA Identity Manager Server installer logs are written to the following default locations:

  • C:\Program Files\CA\Identity Manager\install_config_info (32-bit system)
  • C:\Program Files (x86)\CA\Identity Manager\install_config_info (64-bit system)

*Note that these are the default installation paths

The Provisioning installer logs are written to the user's Temp directory and copied to the Install-Directory\_uninst directory

To put these logs into debug:

  1. Run the installer from the command line
  2. While InstallShield is loading the installer, press and hold the Control (Ctrl) key until it completes at 100%.

Linux Installations 

If you encounter any issues while performing a CA Identity Manager installation, see the caiamsuite.log file in this location:

/opt/CA/IdentityManager/

The CA Identity Manager Server installer logs are written to the following default location:

/opt/CA/IdentityManager/install_config_info

The Provisioning installer logs are written to the user's Temp directory.

To put these logs into debug, use ./setuplinux.bin -log @ALL (some installers require -console).

CA Directory logs: As the user who installed Directory (on Windows) / dsa user (on Linux) run 'dxinfo' and attach the output files. If the logs folder under <dxhome>/logs contains a substantial number of logs, copy old logs to another location before running the above command.

SiteMinder integration logs

When Identity Manager is integrated with SiteMinder SSO, critical errors occur on the SiteMinder Policy Server.

To enable policy server trace log:

  1. Log on to the policy server as the user who owns the process.
  2. Open the SiteMinder Management Console.
  3. Select the Logs tab and tick the "Enable Profiling" checkbox.
    The policy server trace log is now enabled.
  4. Edit the policy server trace config file to log the necessary details:
    1. While still on the policy server machine under the same user, back up the existing smtracedefault.txt file under <policy server path>/config/.
    2. Copy and paste the settings below into the file, overwriting the existing content:

      components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP, IdentityMinder
      data: Date, Time, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message, AuthReason, UserDN, ActiveExpr, Query, Property, State, CacheHits, CacheSize, Expression, ResponseTime, AuthStatus, AuthScheme, RequestIPAddr
    3. Make sure there are only two lines, one starting with "component" and one with "data"
    4. Save the file.
    5. Reset the policy server trace log by restarting SiteMinder Policy Server service.
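The two-line check in step 3 can be automated before the Policy Server is restarted, which catches a paste that an editor wrapped onto extra lines. This is an added example, not code from the original article or from Broadcom; the function name is hypothetical, the sample content is constructed, and treating IdentityMinder as a required component is an assumption based on the component list above.

```python
REQUIRED = ("IdentityMinder",)  # assumption: needed for IM integration traces


def check_trace_config(text, required=REQUIRED):
    """Return a list of problems; an empty list means the layout is as expected."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems, parsed = [], {}
    if len(lines) != 2:
        problems.append(f"expected 2 lines, found {len(lines)}")
    for ln in lines:
        key, sep, value = ln.partition(":")
        kind = "components" if key.startswith("component") else key
        if not sep or kind not in ("components", "data"):
            problems.append(f"unexpected line (wrapped paste?): {ln[:30]!r}")
        elif kind in parsed:
            problems.append(f"duplicate {kind} line")
        else:
            parsed[kind] = [v.strip() for v in value.split(",") if v.strip()]
    for kind in ("components", "data"):
        if kind not in parsed:
            problems.append(f"missing {kind} line")
    for name in required:
        if name not in parsed.get("components", []):
            problems.append(f"component not traced: {name}")
    return problems


if __name__ == "__main__":
    # Constructed, shortened sample: the components line was wrapped by an editor.
    wrapped = (
        "components: Server/Policy_Server_General, Login_Logout/Authentication,\n"
        "LDAP, IdentityMinder\n"
        "data: Date, Time, Pid, Tid, User, Message\n"
    )
    for problem in check_trace_config(wrapped):
        print(problem)
```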

Web traces/logs

When Identity Manager and SiteMinder are integrated, we might need to trace the web traffic between these components, including the Web Server in between. We recommend using Fiddler for such tracing:

  1. Download and install Fiddler on the workstation where you access the Identity Manager Environment (IME) URL:
    http://www.telerik.com/fiddler
  2. Run the Fiddler tool by clicking on the Fiddler icon on the browser.
  3. When the tool opens, from its menu, select Tools --> Fiddler Options --> HTTPS
  4. Tick the Capture HTTPS CONNECTs and Decrypt HTTPS Traffic options.
  5. Click OK to save.
  6. Clear the current URLs in Fiddler and reproduce the issue.
  7. Save the HTTP trace with the .saz extension.

For IM/SM integration-related problems, we recommend collecting and sharing the following logs/info with Broadcom Support:

  1. smtracedefault.log
  2. smps.log
  3. IM server log
  4. fiddler trace log (.saz)
  5. username that experiences the problem
  6. timeframe when the problem happens

 

Other Identity Suite Products

For information on Identity Portal Logging, please see KB 220684 How to enable debug logging in Identity Portal

For information on Identity Governance logging, please see KB 10944 How to enable Debug in Identity Governance

Additional Information

If you are not using Provisioning Manager you can still set Provisioning log levels:

  1. Use an LDAP browser such as JXplorer to connect to the Provisioning Store on port 20389.
  2. Locate the entry eTConfigParamName=Level, which sits under the following containers (listed from the entry up to the root):
    1. eTConfigParamFolderName=Transaction Log
    2. eTConfigParamContainerName=Parameters
    3. eTConfigContainerName=Configuration
    4. eTNamespaceName=CommonObjects
    5. dc=im
    6. dc=eta
  3. Change ConfigParamValue to 7.

And for Endpoints, for example for Active Directory:

For each endpoint under eTNamespaceName=ActiveDirectory,dc=im,dc=eta, eTLog should be set to 1. Each severity level is represented by a letter:
  • F(atal)
  • I(nformation)
  • E(rror)
  • S(uccess)
  • W(arning)

Endpoint logs should also be configurable through the endpoint in IDM itself.