Policy logging is expensive; it uses processing time and disk space. In a production environment, you should enable it only under the following types of conditions:
You have created a new policy and need to verify its functionality.
You are troubleshooting a policy that is not behaving as expected.
To gather troubleshooting information, you should enable the and options in the Identity Server configuration and set the for to at least . Then you must update the Identity Server configuration and restart any Access Gateway ESPs, so that the ESPs read the logging options. See Section 32.2, Configuring Identity Server Logging. When you have solved the problem, you should disable these options.
The log file on the component that executed the policy is where you should look for logging information. For example, if you have an Access Gateway: Authorization error, look at the log on the Access Gateway that executed the policy.
For additional policy troubleshooting procedures, see Section 39.0, Troubleshooting Access Manager Policies.