Adjusting logging levels in Identity Manager

Document ID : KB000033573
Last Modified Date : 14/02/2018

Summary: 

Identity Manager has multiple components, so logging levels are configured in several locations. This document explains how to enable and adjust logging levels for the JBoss application server, the Provisioning Server, the Java Connector Server, and the product installation logs.

Instructions:

Application Servers: 

For Jboss 6.x / Wildfly 8.2.x, browse to the following location in Windows Explorer: [Jboss / Wildfly home]\standalone\deployments\iam_im.ear\config\com\netegrity\config

For Jboss 5.x the location is: 

For a standalone server: [Jboss home]\server\default\deploy\iam_im.ear\config\com\netegrity\config

For a cluster implementation: [Jboss home]\server\all\deploy\iam_im.ear\config\com\netegrity\config

For WebLogic the location is: \iam_im.ear\config\com\netegrity\config

This folder contains a file called log4j_<applicationserver>.properties, which must be opened with a text editor such as Notepad. The file contains several categories that can be adjusted. For CA Support debugging purposes, the following lines are typically changed:

log4j.category.ims=WARN

log4j.category.im=WARN

They should be changed to:

log4j.category.ims=DEBUG

log4j.category.im=DEBUG

All categories in this document can be adjusted to suit the business needs of the company. They can be set to OFF, WARN, INFO or DEBUG. 

The application server must be restarted in order for the changes to take effect.
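The edit described above, as an added Python example (not CA's own tooling): it sets only the named log4j categories, keeps a .bak copy, and can list categories still at DEBUG once troubleshooting is over. The sample content and the placeholder category name are constructed.

```python
import re
from pathlib import Path

VALID_LEVELS = {"OFF", "WARN", "INFO", "DEBUG"}  # the levels this article lists
CATEGORY = re.compile(r"^([ \t]*log4j\.category\.([\w.]+)[ \t]*=[ \t]*)(\w+)", re.M)

# Constructed sample; the last category name is a placeholder, not a real one.
SAMPLE = ("# constructed sample\r\n"
          "log4j.category.ims=WARN\r\n"
          "log4j.category.im=WARN\r\n"
          "log4j.category.placeholder.other=INFO\r\n")


def set_category_levels(text, levels):
    """Return (new_text, changes, missing); only the named categories change."""
    wanted = {name: level.upper() for name, level in levels.items()}
    bad = sorted(set(wanted.values()) - VALID_LEVELS)
    if bad:
        raise ValueError(f"unsupported level(s): {bad}")
    changes, seen = [], set()

    def swap(match):
        prefix, name, old = match.groups()
        if name not in wanted:
            return match.group(0)
        seen.add(name)
        if old.upper() != wanted[name]:
            changes.append((name, old, wanted[name]))
        return prefix + wanted[name]

    new_text = CATEGORY.sub(swap, text)
    return new_text, changes, sorted(set(wanted) - seen)


def categories_at(text, level="DEBUG"):
    """List categories currently set to `level`, e.g. DEBUG left on after a case."""
    return sorted(m.group(2) for m in CATEGORY.finditer(text)
                  if m.group(3).upper() == level)


def apply_to_file(path, levels):
    """Edit the file in place, keeping a .bak copy and the original line endings."""
    path = Path(path)
    raw = path.read_bytes()
    new_text, changes, missing = set_category_levels(raw.decode("latin-1"), levels)
    if changes:
        path.with_name(path.name + ".bak").write_bytes(raw)
        path.write_bytes(new_text.encode("latin-1"))
    return changes, missing
```

Running `categories_at` against the live file after a support case closes shows whether any category was left at DEBUG.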

Alternatively, if logging.jsp has been enabled, log4j can be dynamically configured via a browser pointing to the logging.jsp page on the IM application server:

http://<im_appServer>:port/iam/im/logging.jsp

This method does not require any restart of the application server. In fact, it is valid only for the current session: the default logging levels will be restored upon application server restart.

Detailed information about implementing logging.jsp is found under \CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin\Readme.txt

Where to find the logs:

For Jboss 6.x / Wildfly 8.2.x the log files are located under: [Jboss / Wildfly home]\standalone\log

For Jboss 5.x the log files are located under: [Jboss home]\server\default\log

For WebLogic, CA Identity Manager information is written to standard out. By default, standard out is the console window in which the server instance is running.

For WebSphere, CA Identity Manager information is written to the console window where the server instance is running, and to <Was_home>\AppServer\profiles\<Profile_Name>\logs\<server_name>\SystemOut.log

Provisioning Server: 

The provisioning server log level controls several different logs including the etatrans, etanotify, sa and satrans logs. The level is adjusted in the Provisioning Manager GUI. 

The logs are enabled by default. The enable/disable option is located under System > Domain Configuration > Transaction Log > Enable.


The level of logging can be adjusted in Provisioning Manager under System > Domain Configuration > Transaction Log > Level

Below are the log levels and their descriptions.

0: No trans logging

1: Log external/child errors

2: Log external operations

3: Log child operations

4: Log informative messages

5: Log DSA (Directory Service Agent) errors

6: Log DSA operations

7: Log search operations

 

The change in log level will not take effect until the next time the configuration is re-read (default is every 600 seconds but that can also be configured within the Domain Configuration settings) or until the Provisioning Server service is restarted.

For CA Support debugging purposes logs should be set to level 7. Logs on lower levels are often unhelpful in troubleshooting and determining root cause of an issue. 

The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\logs

*Please note that this is the default installation path

 

Endpoint logs (Active Directory and others): 

Endpoint logs can be valuable when troubleshooting a specific endpoint issue. These logs are not enabled by default and must be enabled through the Provisioning Manager GUI. 

The logs can be enabled by going to Endpoints > xxxx Endpoint > [your specific endpoint] > Logging tab. Select the Enabled check box and all of the check boxes next to Text File.

The Logging tab is the same for an Active Directory endpoint as for any other endpoint type, so these steps apply to all of them.

If the CCS is located on the Provisioning Server the log files are located under: \CA\Identity Manager\Provisioning Server\logs\ADS

If the connector server is a standalone installation the log files are located under: \CA\Identity Manager\Connector Server\ccs\logs\ads

 

Java Connector Server: 

To set JCS logs to debug, go to the following path on your JCS machine: C:\Program Files (x86)\CA\Identity Manager\Connector Server\etc

*Please note that this is the default installation path

Make backup copies of org.ops4j.pax.logging.cfg and org.ops4j.pax.logging.cfg.verbose for when debugging log levels are no longer necessary. Rename org.ops4j.pax.logging.cfg to org.ops4j.pax.logging.cfg.NOT_IN_USE and then rename org.ops4j.pax.logging.cfg.verbose to org.ops4j.pax.logging.cfg. A restart of the JCS is needed after changing the configuration files. 

Once the necessary logs are generated you can change back the names of org.ops4j.pax.logging.cfg and org.ops4j.pax.logging.cfg.verbose, or revert to the backup copies of the files. It is recommended that the JCS logs do not remain in debugging mode during normal use, as this logging level can impact performance.
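The rename procedure above as an added Python example (not CA's own tooling): it refuses a second swap, which would overwrite the parked normal configuration with the verbose one. The `backup_dir` argument is an assumption, since the article does not say where the backup copies go, and the script does not restart the JCS.

```python
import shutil
from pathlib import Path

ACTIVE = "org.ops4j.pax.logging.cfg"
VERBOSE = ACTIVE + ".verbose"
PARKED = ACTIVE + ".NOT_IN_USE"


def logging_mode(etc_dir):
    """'verbose' once the swap has been made, otherwise 'normal'."""
    return "verbose" if (Path(etc_dir) / PARKED).exists() else "normal"


def enable_verbose(etc_dir, backup_dir):
    """Back up both files, then swap the verbose config in. Restart the JCS afterwards."""
    etc, backup = Path(etc_dir), Path(backup_dir)
    if logging_mode(etc) == "verbose":
        # A second swap would replace the parked normal config with the verbose one.
        raise FileExistsError(f"{PARKED} already exists; verbose logging is already on")
    for name in (ACTIVE, VERBOSE):
        if not (etc / name).is_file():
            raise FileNotFoundError(etc / name)
    backup.mkdir(parents=True, exist_ok=True)
    for name in (ACTIVE, VERBOSE):
        shutil.copy2(etc / name, backup / name)
    (etc / ACTIVE).rename(etc / PARKED)
    (etc / VERBOSE).rename(etc / ACTIVE)


def restore_normal(etc_dir):
    """Undo the swap by renaming the files back. Restart the JCS afterwards."""
    etc = Path(etc_dir)
    if logging_mode(etc) != "verbose":
        raise FileNotFoundError(f"{PARKED} not found; nothing to restore")
    if (etc / VERBOSE).exists():
        raise FileExistsError(f"{VERBOSE} already exists; resolve by hand")
    (etc / ACTIVE).rename(etc / VERBOSE)
    (etc / PARKED).rename(etc / ACTIVE)
```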

Java connectors also have their own jcs_conn_<endpoint_name>.log located on the JCS server if the property sheets for those are set to log. See the ADS endpoint logging section for more details on enabling endpoint specific JCS logging.

The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Connector Server\jcs\logs

*Please note that this is the default installation path

 

Installation logs: 

Windows installations: 

If you encounter issues during CA Identity Manager installation, see this log file:

C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\caiamsuite.log

*Please note that this is the default installation path

 

The CA Identity Manager Server installer logs are written to the following default locations:

C:\Program Files\CA\Identity Manager\install_config_info (32-bit system)

C:\Program Files (x86)\CA\Identity Manager\install_config_info (64-bit system)

*Please note that these are the default installation paths

The Provisioning installer logs are written to the user's Temp directory and copied to the Install-Directory\_uninst directory

To put these logs into debug, run the installer from the command line and, while InstallShield is loading the installer, press and hold the Ctrl key until loading completes at 100%.

 

Linux Installations: 

If you encounter any issues while performing a CA Identity Manager installation, see the caiamsuite.log file in this location:

/opt/CA/IdentityManager/

 

The CA Identity Manager Server installer logs are written to the following default location:

/opt/CA/IdentityManager/install_config_info

 

The Provisioning installer logs are written to the user's Temp directory.

To put these logs into debug use ./setuplinux.bin -log @ALL (some installers require -console) 

 

CA Directory logs:

As the user who installed Directory (on Windows) / dsa user (on Linux), run 'dxinfo' and attach the output files. If the logs folder under <dxhome>/logs contains a substantial number of logs, copy old logs to another location before running the above command.

 

SiteMinder integration logs:

When Identity Manager is integrated with SiteMinder SSO, the critical errors occur on the SiteMinder Policy Server.

To enable the policy server trace log:
- Log onto the policy server as the user who owns the process.
- Open the SiteMinder Management Console.
- Select the Logs tab and tick the "Enable Profiling" checkbox.
The policy server trace log is now enabled.

To edit the policy server trace config file so that it logs the necessary details:
- While still on the policy server machine under the same user, back up the existing smtracedefault.txt file under <policy server path>/config/.
- Copy and paste the setting below into the file, overwriting the existing content:

components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP, IdentityMinder
data: Date, Time, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message, AuthReason, UserDN, ActiveExpr, Query, Property, State, CacheHits, CacheSize, Expression, ResponseTime, AuthStatus, AuthScheme, RequestIPAddr

Make sure there are only two lines, one starting with "components" and one with "data".
- Save the file.
- Reset the policy server trace log by restarting SiteMinder Policy Server service
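One way to verify the two-line requirement before restarting the Policy Server, as an added Python example (not part of SiteMinder): it flags stray lines left by a wrapped paste and confirms the IdentityMinder component from the list above is present. The sample strings are abbreviated, constructed versions of that setting.

```python
# Constructed, abbreviated versions of the setting shown in this article.
GOOD = ("components: Server/Policy_Server_General, IsProtected, LDAP, IdentityMinder\n"
        "data: Date, Time, Pid, Tid, Message\n")
WRAPPED = ("components: Server/Policy_Server_General, IsProtected,\n"
           "LDAP, IdentityMinder\n"
           "data: Date, Time, Pid, Tid, Message\n")


def check_trace_config(text):
    """Parse smtracedefault.txt content; return (config, problems)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    config, problems = {}, []
    if len(lines) != 2:
        problems.append(f"expected 2 non-empty lines, found {len(lines)}")
    for line in lines:
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or key not in ("components", "data"):
            # A pasted line that the editor wrapped shows up here.
            problems.append(f"stray line, possibly a wrapped paste: {line[:30]!r}")
            continue
        if key in config:
            problems.append(f"duplicate '{key}:' line")
        items = [item.strip() for item in value.split(",") if item.strip()]
        config.setdefault(key, []).extend(items)
    for key in ("components", "data"):
        if key not in config:
            problems.append(f"missing '{key}:' line")
    if "IdentityMinder" not in config.get("components", []):
        problems.append("IdentityMinder component is not being traced")
    return config, problems
```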

Web traces / logs:

When Identity Manager and SiteMinder are integrated, we might need to trace the web traffic between these components, including the Web Server in between. We recommend using Fiddler for such tracing:

- Download and install Fiddler on the workstation where you access the Identity Manager Environment (IME) URL:
http://www.telerik.com/fiddler

- Run the Fiddler tool by clicking on the Fiddler icon in the browser. When the tool opens, from its menu, select Tools --> Fiddler Options --> HTTPS --> tick the Capture HTTPS CONNECTs and Decrypt HTTPS Traffic options --> click OK to save.

- Clear the current URLs in Fiddler and reproduce the issue.

- Save the HTTP trace with the .saz extension.
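With Decrypt HTTPS Traffic enabled, the saved .saz holds requests and responses in clear text, so this added Python example (not from CA or Telerik) lists which sessions carry cookies, Authorization headers or password form fields before the file is shared. It assumes the SAZ layout of a ZIP archive with raw/<n>_c.txt and raw/<n>_s.txt entries; the sample capture, its host, path and form field names are constructed, and SMSESSION is used as the SiteMinder session cookie name.

```python
import io
import re
import zipfile

CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}
PASSWORD_FIELD = re.compile(rb"(?:^|&)(password|passwd|pwd)=[^&]", re.I)  # assumed names
RAW_ENTRY = re.compile(r"^raw/(\d+)_([cs])\.txt$")  # c = request, s = response


def build_sample_saz():
    """Constructed capture (host, path, values invented) so the block runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("raw/1_c.txt", "POST /constructed/login HTTP/1.1\r\n"
                         "Host: im.example.test\r\n"
                         "Cookie: SMSESSION=CONSTRUCTED; lang=en\r\n\r\n"
                         "USER=jdoe&PASSWORD=CONSTRUCTED")
        archive.writestr("raw/1_s.txt", "HTTP/1.1 302 Found\r\n"
                         "Set-Cookie: SMSESSION=CONSTRUCTED2; Path=/; HttpOnly\r\n\r\n")
    buf.seek(0)
    return buf


def credential_findings(saz):
    """Return sorted (session, side, kind, name) tuples; secret values are never kept."""
    found = set()
    with zipfile.ZipFile(saz) as archive:
        for entry in archive.namelist():
            m = RAW_ENTRY.match(entry)
            if not m:
                continue
            session = int(m.group(1))
            side = "request" if m.group(2) == "c" else "response"
            head, _, body = archive.read(entry).partition(b"\r\n\r\n")
            for line in head.split(b"\r\n")[1:]:  # skip the request/status line
                name, _, value = line.partition(b":")
                header = name.decode("latin-1").strip().lower()
                if header in CREDENTIAL_HEADERS and value.strip():
                    found.add((session, side, "header", header))
                elif header in ("cookie", "set-cookie"):
                    # Set-Cookie: only the first pair is the cookie, the rest are attributes.
                    pairs = value.split(b";")[:1 if header == "set-cookie" else None]
                    for pair in pairs:
                        cookie = pair.split(b"=", 1)[0].strip().decode("latin-1")
                        if cookie:
                            found.add((session, side, "cookie", cookie))
            field = PASSWORD_FIELD.search(body) if side == "request" else None
            if field:
                found.add((session, side, "form-field", field.group(1).decode()))
    return sorted(found)
```

`credential_findings` accepts a file path as well as a file object, so it can be pointed directly at the saved .saz.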

For IM/SM integration related problems, we recommend collecting and sharing the following logs / info with CA Support:

- smtracedefault.log
- smps.log
- IM server log
- fiddler trace log (.saz)
- username that experiences the problem
- timeframe when the problem happens.