32.2 Configuring Identity Server Logging

You can enable logging and configure how the system performs it. Logging is the main tool you use for debugging the Identity Server configuration. All administrative and end-user actions and events are logged to a central event log, which gives you easy access to this information for security and operational purposes. Additionally, the log system lets you monitor ongoing activities (such as identity provider authentication activity, up-time of the system, and so on) from this page. File logging is not enabled by default.

Identity Servers, Access Gateways (Linux and NetWare®), and embedded service providers use these logging features. If you change or enable logging, you must update the Identity Server configuration (using Update Servers on the Servers page) and restart the embedded service providers on the Access Gateways to apply the changes. The same applies when you disable logging: you must again restart the Access Gateway embedded service provider. See Section 3.2.7, Rebooting the Access Gateway.

This section describes the following about component logging:

  • Section 32.2.1, Enabling Component Logging

  • Section 32.2.2, Downloading the Log Files

  • Section 32.2.3, Managing Log File Size

32.2.1 Enabling Component Logging

File logging records the actions that have occurred. For example, Web servers maintain log files listing every request made to the server. With log file analysis tools, it is possible to get a good idea of where visitors are coming from, how often they return, and how they navigate through a site. You control what is written to the file log by specifying logger levels and by enabling statistics logging.

  1. In the Administration Console, click Access Manager > Identity Server > Servers > Edit > Logging.

  2. The following options are available for component logging in the File Logging section:

    • Enabled: Enables file logging for this server and its associated embedded service providers.

    • Echo To Console: Copies the Identity Server log messages to /var/opt/novell/tomcat4/logs/catalina.out. You can download the file from Access Manager > Auditing > General Logging. If you want to see the Identity Server messages interleaved with those of the other applications running in the same Tomcat instance, use catalina.out.

      For the embedded service providers, it depends upon the platform:

      • For a Linux Access Gateway, this sends the messages to the catalina.out file of the Access Gateway.

      • For a NetWare Access Gateway, this sends the messages to the NetWare console.

      • For a SSL VPN, this sends the messages to the catalina.out file of the SSL VPN.

    • Log File Path: Specifies the path that the system uses to save the Identity Server XML log file. The default path is tomcat application directory/web-inf/logs.

      If you change this path, you must ensure that the user associated with configuring the identity or service provider has administrative rights to the Tomcat application directory in the new path.

      If you have a mixed platform environment (for example, the Identity Server is installed on Linux and the Access Gateway is on NetWare), do not specify a path. In a mixed platform environment, you must use the default path.

    • Maximum Log Files: Specifies the maximum number of log files to leave on the machine. After this value is reached, the system deletes log files, beginning with the oldest file. You can specify Unlimited, or values of 1 through 200. 10 is the default value.

    • File Wrap: Specifies the frequency (hour, day, week, month) at which the system closes the current log file and creates a new one. The system saves each file based on the interval you specify and appends the date and/or time to the filename.

    • GZip Wrapped Log Files: Uses the GZip compression utility to compress logged files. The log files that are associated with the GZip option and the Maximum Log Files value are stored in the directory you specify in the Log File Path field.

  3. In the Component File Logger Levels section, specify the logging level for each of the following:

    Application: Logs system-wide events, except events that belong to a specific subsystem.

    Liberty: Logs events specific to the Liberty IDFF protocol and profiles.

    SAML 1: Logs events specific to the SAML1 protocol and profiles.

    SAML 2: Logs events specific to the SAML2 protocol and profiles.

    Web Service Provider: (Liberty) Logs events specific to fulfilling Web service requests from other Web service consumers.

    Web Service Consumer: (Liberty) Logs all events specific to requesting Web services from a Web service provider.

    Use the drop-down menu to select the logging level. Each level also includes the messages of all lower levels.

    • Off: Turns off component file logging for the selected item.

    • Severe: Logs serious failures that prevent system processing from continuing.

    • Warning: Logs potential failures, but the impact on execution is minimal. Warnings indicate that you should be aware that this event is happening and might want to make a configuration change to avoid it.

    • Info: Logs informational events. No execution or data impact occurred.

    • Verbose: Logs static configuration information. The system logs any configuration errors under one of the primary three levels: Severe, Warning, and Info.

    • Debug: Includes all of the preceding levels and adds debugging detail.

  4. (Optional) Enable statistics logging.

    When statistics logging is enabled, the system periodically sends the system statistics, in string format, to the current file logger. Statistical data (such as counts, levels, and so on) are included in the file log.

    1. In the Statistics Logging section, select Enabled.

    2. In the Log Interval field, specify the time interval in seconds that statistics are logged.

  5. Click OK.

  6. Update the Identity Server configuration (using Update Servers on the Servers page).

  7. Restart the embedded service providers on the Access Gateways, in order to apply the changes.

    When you disable component logging, you must likewise update the Identity Server configuration and restart the embedded service providers.

32.2.2 Downloading the Log Files

The General Logging page displays the location of the files that the Access Manager components use for logging system messages. There are two exceptions:

  • J2EE Agent: The J2EE Agent uses the J2EE global logger, and the location of this file is customizable. For information about J2EE agent log files, see Viewing Log Files in the Novell Access Manager 3.0 SP4 Agent Guide.

  • Default Auditing File: If you have configured Novell Audit to send events to the default audit file (/var/opt/novell/naudit/logs/auditlog), this file does not appear in the list. If you want this file to appear in this list, make this file readable by the novlwww user.

    It is a breach of Novell Audit security for Access Manager code to change the permissions on this file. You must decide whether changing its permissions and displaying the file in this list compromises your security.

    To have it appear in the list of files for the Administration Console, configure the following:

    • Use commands similar to the following to grant execute (directory search) permission on the naudit directories to all users other than the owner and group, which includes novlwww:

      chmod o+x /var/opt/novell/naudit
      chmod o+x /var/opt/novell/naudit/logs
      
    • Use a command similar to the following to grant read access on the auditlog file to all users other than the owner and group, which includes novlwww. Note that o+r opens the file to every account on the host, not only to novlwww; do not grant write access:

      chmod o+r /var/opt/novell/naudit/logs/auditlog
      
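The following script is an added example and is not part of the Novell documentation. It verifies what the chmod commands above actually expose, before and after applying them: the Administration Console reads the file as novlwww, but o+x and o+r grant the access to every local account, so it is worth checking that the chain is open only as far as needed and that the audit log never becomes world-writable. The function names and the scratch root used for testing are assumptions made for the example; the default paths are the ones named on this page.

```shell
#!/bin/sh
# Added example, not from the Novell documentation. Checks the "others" bits on
# the naudit directory chain using the mode column of ls -ld, which is portable
# across Linux and BSD-style userlands.

# perm_char PATH N: the Nth character (1-10) of the mode column of ls -ld.
# Position 8 is "others: read", 9 is "others: write", 10 is "others: execute".
perm_char() {
    ls -ld "$1" | cut -c"$2"
}

# other_can_traverse DIR: "others" may search (enter) the directory.
other_can_traverse() {
    c=$(perm_char "$1" 10)
    [ "$c" = "x" ] || [ "$c" = "t" ]   # "t" = execute plus sticky bit
}

# other_can_read FILE: "others" may read the file.
other_can_read() {
    [ "$(perm_char "$1" 8)" = "r" ]
}

# other_can_write FILE: "others" may write the file; should never be true here.
other_can_write() {
    [ "$(perm_char "$1" 9)" = "w" ]
}

# auditlog_visible_to_others ROOT: true when every step of
# ROOT -> ROOT/logs -> ROOT/logs/auditlog is open to "others". That is what
# novlwww needs to list and download the file, and also what every other
# local account gets.
auditlog_visible_to_others() {
    other_can_traverse "$1" &&
    other_can_traverse "$1/logs" &&
    other_can_read "$1/logs/auditlog"
}

# auditlog_writable_by_others ROOT: a stricter check that the grant stayed
# read-only; a world-writable audit log could be tampered with.
auditlog_writable_by_others() {
    other_can_write "$1/logs/auditlog"
}

# apply_page_commands ROOT: the three commands from the procedure above.
apply_page_commands() {
    chmod o+x "$1" &&
    chmod o+x "$1/logs" &&
    chmod o+r "$1/logs/auditlog"
}

# Usage against the real location (as root):
#   . ./naudit_perms.sh
#   apply_page_commands /var/opt/novell/naudit
#   auditlog_visible_to_others /var/opt/novell/naudit && echo "visible to console"
#   auditlog_writable_by_others /var/opt/novell/naudit && echo "WARNING: world-writable"
```

If the filesystem supports POSIX ACLs, a narrower alternative to o+r (not described on this page) is a per-user ACL for novlwww only, for example with setfacl; the checks above still apply to the base mode bits.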

To view or download the log file:

  1. In the Administration Console, click Auditing > General Logging.

  2. Click the link for the log file name, then either open it or save it to disk.

    You can use any text editor to view the file.

Each Access Manager Component generates multiple log files. Table 32-1 lists these files and the types of messages they contain.

Table 32-1 Access Manager Log Files (component, filename, description)

Identity Server

  /var/opt/novell/tomcat4/logs/catalina.out
    Logging to this file only occurs if you have selected the Echo to Console option on the Identity Servers > Servers > Edit > Logging page. When the Application component logger level is set to Info, it contains entries tracing user authentication and role assignment.

  /opt/novell/devman/jcc/logs/jcc-0.log.0
    Contains the log entries for the server communications module related to the interaction of the Identity Server with the Administration Console, such as imports, certificates, and configuration.

Administration Console

  /var/opt/novell/tomcat4/logs/catalina.out
    Contains Tomcat errors.

  /opt/novell/devman/share/logs/app_sc.0.log
    Contains events related to importing devices, device configuration changes, health status changes, statistics reporting, and communication problems.

  /opt/novell/devman/share/logs/app_cc.0.log
    Contains events related to policy configuration.

  /opt/novell/devman/share/logs/platform.0.log
    Contains XML events for configuration changes. This log file contains very little useful information for system administrators.

Linux Access Gateway

  /var/log/novell/reverse/<name>
    If logging is enabled on one or more reverse proxies (see Section 32.4, Configuring Access Gateway Logging), this directory contains the log files. A directory is listed for each reverse proxy on which you have enabled logging.

  /var/log/ics_dyn.log
    Contains all log entries generated by the Linux Access Gateway. Use syslog to control file rolling and log file distribution.

  /opt/novell/devman/jcc/logs/jcc-0.log.0
    Contains the log entries for the server communications module related to the interaction of the Access Gateway with the Administration Console, such as imports, certificates, and configuration.

  /var/opt/novell/tomcat4/logs/catalina.out
    Logging to this file only occurs if you have selected the Echo to Console option on the Identity Servers > Servers > Edit > Logging page. Check this file for entries tracing the evaluation of authorization, identity injection, and form fill policies.

  /var/log/lagsoapmessages
    Logs all the SOAP messages between the Linux Access Gateway and the embedded service provider.

  /var/log/laghttpheaders
    Contains a log of the HTTP headers to and from the Linux Access Gateway. Because request headers carry session cookies and any Authorization header, protect this file as you would credentials.

NetWare Access Gateway

  log:\etc\proxy\data\logs\reverse\common\
    If logging is enabled on one or more reverse proxies (see Section 32.4, Configuring Access Gateway Logging), this directory contains the log files. A directory is listed for each reverse proxy on which you have enabled logging.

  SYS:\etc\proxy\data\debug.log
    Contains the abend messages.

  SYS:\jcc\logs\jcc-0.log.0
    Contains the log entries for the server communications module.

SSL VPN

  /var/opt/novell/tomcat4/logs/catalina.out
    Logging to this file only occurs if you have selected the Echo to Console option on the Identity Servers > Servers > Edit > Logging page.

  /opt/novell/devman/jcc/logs/jcc-0.log.0
    Contains the log entries for the server communications module related to the interaction of the SSL VPN with the Administration Console, such as imports, certificates, and configuration.

  /var/log/messages
    Contains log entries for the connection manager and SOCKS server.

  /var/log/novell-openvpn.log
    Contains log entries for the Enterprise mode tunneling components.

  /var/log/stunnel.log
    Contains log entries for the Kiosk mode tunneling components.

For more information about the entries in the log files, see

32.2.3 Managing Log File Size

The logrotate daemon manages the log files located in the following directories:

/var/opt/novell/tomcat4/logs
/opt/novell/roma/logs/

The logrotate daemon has been configured to scan the files in these directories once a day. It rolls a file over when it has reached its maximum size and deletes the oldest copy when the maximum number of copies has been reached.

If you want to modify this behavior, see the following files in the /etc/logrotate.d directory:

novell-tomcat4
novell-devman

For information about the parameters in these files, see the documentation for the logrotate daemon.
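As an added illustration, not the contents of the shipped novell-tomcat4 or novell-devman files, the following logrotate stanza expresses the behaviour described above. The daily scan comes from the cron job that invokes logrotate once a day; "size" rolls a file only once it exceeds the limit, "rotate" keeps that many old copies and discards the oldest. The file path, the size limit, and the copy count are assumptions chosen for the example. The "copytruncate" line is the practical caveat for catalina.out: Tomcat keeps the file open, so a plain rename would leave the process writing to the rotated file.

```conf
# Added example, not the shipped /etc/logrotate.d/novell-tomcat4 file.
# Path and limits are assumptions chosen for illustration.
/var/opt/novell/tomcat4/logs/catalina.out {
    size 10M          # roll only once the file exceeds 10 MB (checked at each daily run)
    rotate 5          # keep five rotated copies; the oldest is deleted on the sixth roll
    compress          # gzip rotated copies
    delaycompress     # leave the newest rotated copy uncompressed for quick inspection
    missingok         # no error if the file is absent
    notifempty        # do not rotate an empty file
    copytruncate      # Tomcat holds the file open: copy it, then truncate in place
}
```

Run "logrotate -d /etc/logrotate.d/novell-tomcat4" to dry-run a stanza and see what would be rotated without touching the files.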