42.1 Enabling Logging

Each Access Manager device has configuration options for logging:

Identity Server: Logging is turned off and must be enabled. When you enable Identity Server logging, you also enable logging for the embedded service providers that are configured to use the Identity Server for authentication. For configuration information, see Section 32.2, Configuring Identity Server Logging.

Embedded Service Providers: Each Access Manager device has an embedded service provider that communicates with the Identity Server. Its log level is controlled by configuring Identity Server logging.

NetWare Access Gateway: Most of the logging available for the NetWare Access Gateway is for its embedded service provider. The log level of this subcomponent is controlled with the Identity Server logging configuration. The logging specific to the NetWare Access Gateway is not configurable, and the NetWare Access Gateway messages are sent to the logger screen.

Linux Access Gateway: Logging at the LOG_NOTICE level is enabled by default. You can change the level from the command line interface. For information, see Linux Access Gateway Logs.

42.1.1 Linux Access Gateway Logs

This section contains the following information about the Linux Access Gateway logs:

Configuring Log Levels

You can use the following procedure to set the level of information logged to the ics_dyn.log file in the /var/log directory.

  1. At the command prompt, enter the following command:

    nash

  2. At the nash shell prompt, enter the following command:

    configure .current

  3. To change the log level, enter the following command:

    log-conf log-level <log level>

    Replace <log level> with the new log level that you want to set.

    Level          Description
    LOG_EMERG      Sends only messages that render the system unusable, if they are not resolved.
    LOG_ALERT      Sends only messages that require immediate action.
    LOG_CRIT       Sends only messages about critical situations.
    LOG_ERR        Sends warning messages about recoverable errors.
    LOG_WARNING    Sends warning messages.
    LOG_NOTICE     Sends the service configuration logs information about the status of a service.
    LOG_INFO       Sends informational messages such as requests sent to Web servers and the results of authentication requests.
    LOG_DEBUG      Sends debug messages.

    When you run the /etc/init.d/novell-vmc start command, the default log level is set to LOG_NOTICE. You can change the log level to any level from LOG_EMERG to LOG_INFO.

  4. To apply changes, enter the following command:

    apply

  5. To exit from the configuration mode, enter the following command:

    exit

  6. To exit from the nash shell, enter the following command:

    exit

Interpreting Log Messages

In Linux Access Gateway, the entries in the ics_dyn.log file have the following format:

<time-date-stamp> <hostname> : <AM#event-code> : <AMDEVICE#device-id> : <AMAUTHID#auth-id> : <AMEVENTID#event-id> :<supplementary log entry data and text>

A sample log message is given below:

Aug  3 14:35:41 c1h : AM#504503000: AMDEVICEID#ag-0BDF41AAC4CDCBE5 : AMAUTHID#0: AMEVENTID#74: Process request 1 'www.lag-202.com' '/AGLogout' [192.10.100.111:38091 -> 192.10.106.2:80] 

The fifth and sixth digits in the <AMEVENTID#event-id> refer to the Linux Access Gateway components. The following table lists the numbers and the components that they denote.

Table 42-1 Linux Access Gateway Components

Number    Component
01        If the fifth and sixth digits are 01, then it represents the Multi-Homing component.
02        If the number is 02, then it represents the Service Manager component.
03        If the number is 03, then it represents the Request Processing component.
04        If the number is 04, then it represents the Authentication component.
05        If the number is 05, then it represents the Authorization component.
06        If the number is 06, then it represents the Identity Injection component.
07        If the number is 07, then it represents the Form Fill component.
08        If the number is 08, then it represents the Caching component.
09        If the number is 09, then it represents the Response Processing component.
11        If the number is 10, then it represents the Rewriting component.
12        If the number is 11, then it represents the Soap Channel component.
14        If the number is 12, then it represents the VM component.
15        If the number is 15, then it represents the Connection Manager component.
16        If the number is 16, then it represents the VXE component.
17        If the number is 17, then it represents the DataStream component.

For more information on the log format, see Section 42.2, Understanding Log Format.
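
The following parser for the ics_dyn.log entry format is an added example, not part of the original documentation or the product. It assumes the component digits are read from the AM# event code (the AMEVENTID value in the sample message has only two digits); the function names and the two constructed sample lines are hypothetical.

```python
import re
from collections import Counter

# Table 42-1 numbers. Rewriting, SOAP Channel and VM are omitted because the
# table's number column and its description disagree for those rows.
COMPONENTS = {
    "01": "Multi-Homing", "02": "Service Manager", "03": "Request Processing",
    "04": "Authentication", "05": "Authorization", "06": "Identity Injection",
    "07": "Form Fill", "08": "Caching", "09": "Response Processing",
    "15": "Connection Manager", "16": "VXE", "17": "DataStream",
}
# Accepts both AMDEVICE# (format line) and AMDEVICEID# (sample message).
LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<hostname>\S+)\s*:\s*"
    r"AM#(?P<event_code>\d+)\s*:\s*AMDEVICE(?:ID)?#(?P<device_id>[^\s:]+)\s*:\s*"
    r"AMAUTHID#(?P<auth_id>[^\s:]+)\s*:\s*AMEVENTID#(?P<event_id>\d+)\s*:\s*"
    r"(?P<text>.*)$"
)
CONN_RE = re.compile(r"\[([\d.]+):(\d+) -> ([\d.]+):(\d+)\]")

def parse_line(line):
    """Return the entry's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    # Assumption: the component digits are read from the AM# event code, because
    # the AMEVENTID value in the page's sample (74) has only two digits.
    digits = entry["event_code"][4:6]
    entry["component"] = COMPONENTS.get(digits, "unknown (" + digits + ")")
    conn = CONN_RE.search(entry["text"])
    entry["client"] = conn.group(1) if conn else None
    entry["destination"] = f"{conn.group(3)}:{conn.group(4)}" if conn else None
    return entry

def summarize(lines):
    """Count parsed entries per component; unparsable lines are counted apart."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        counts[entry["component"] if entry else "unparsed"] += 1
    return counts

# The first line is the sample from this page; the other two are constructed.
SAMPLE = [
    "Aug  3 14:35:41 c1h : AM#504503000: AMDEVICEID#ag-0BDF41AAC4CDCBE5 : AMAUTHID#0: AMEVENTID#74: Process request 1 'www.lag-202.com' '/AGLogout' [192.10.100.111:38091 -> 192.10.106.2:80]",
    "Aug  3 14:35:42 c1h : AM#504504000: AMDEVICEID#ag-0BDF41AAC4CDCBE5 : AMAUTHID#0: AMEVENTID#75: constructed entry",
    "Aug  3 14:35:43 c1h : line without the AM fields",
]
```

Calling summarize() on lines read from /var/log/ics_dyn.log gives a per-component count, and a non-zero "unparsed" count shows how many lines fall outside the documented format.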

Configuring Logging of SOAP Messages and HTTP Headers

  1. At the command prompt, enter the following command:

    nash

  2. To enter the configuration mode, enter the following command:

    configure .current

  3. Enter one of the following commands to configure logging:

    Command                                     Purpose
    log-conf debug-soap-messages enable         Logs all the SOAP messages between the Linux Access Gateway and the embedded service provider to the /var/log/lagsoapmessages file.
    log-conf no debug-soap-messages enable      Disables the logging of SOAP messages between the Linux Access Gateway and the Enterprise Server.
    log-conf debug-http-headers enable          Logs all the HTTP headers between the browsers and the Linux Access Gateway and between the Linux Access Gateway and the Web servers to the /var/log/laghttpheaders file.
    log-conf no debug-http-headers enable       Disables the logging of HTTP headers to the /var/log/laghttpheaders file.

  4. To apply changes, enter the following command:

    apply

  5. To exit from the configuration mode, enter the following command:

    exit

  6. To exit from the nash shell, enter the following command:

    exit