14.3 Configuring Component Logging

You can enable and configure how the system performs logging. Logging is the main tool you use for debugging the Identity Server configuration. All administrative and end-user actions and events are logged to a central event log. This allows easy access to this information for security and operational purposes. Additionally, the log system provides the ability to monitor ongoing activities such as identity provider authentication activity, up-time of the system, and so on. File logging is not enabled by default.

Identity Servers and Embedded Service Providers use these logging features. If you change or enable logging, you must update the Identity Server configuration and restart the Embedded Service Providers in order to apply the changes. When you disable logging, you must also restart the Embedded Service Providers.

This section describes the following about component logging:

14.3.1 Enabling Component Logging

File logging records the actions that have occurred. For example, you can configure Identity Server logging to list every request made to the server. With log file analysis tools, you can get a good idea of where visitors are coming from, how often they return, and how they navigate through a site. The content logged to file logging can be controlled by specifying logger levels and by enabling statistics logging.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Logging.

  2. The following options are available for component logging in the File Logging section:

    • Enabled: Enables file logging for this server and its associated Embedded Service Providers.

    • Echo To Console: Copies the Identity Server XML log file to /var/opt/novell/tomcat5/logs/catalina.out (Linux), to /Program Files/Novell/Tomcat/logs/stdout.log (Windows Server 2003), or to /Program Files (x86)/Novell/Tomcat/logs/stdout.log (Windows Server 2008). You can download the file from Auditing > General Logging.

      For the Embedded Service Providers, the log file location depends upon the device:

      • For an Access Gateway Appliance, a Linux Access Gateway Service, or an ESP-enabled SSL VPN server, this sends the messages to the catalina.out file of the device.

      • For a Windows Access Gateway Service, this sends messages to the stdout.log file of the device.

    • Log File Path: Specifies the path that the system uses to save the Identity Server XML log file. The default path is tomcat application directory/web-inf/logs.

      If you change this path, you must ensure that the user associated with configuring the identity or service provider has administrative rights to the Tomcat application directory in the new path.

      If you have a mixed platform environment (for example, the Identity Server is installed on Windows and the Access Gateway is on Linux), do not specify a path. In a mixed platform environment, you must use the default path.

    • Maximum Log Files: Specifies the maximum number of Identity Server XML log files to leave on the machine. After this value is reached, the system deletes log files, beginning with the oldest file. You can specify Unlimited, or values of 1 through 200. 10 is the default value.

    • File Wrap: Specifies the frequency (hour, day week, month) for the system to use when closing an XML log file and creating a new one. The system saves each file based on the time you specify and attaches the date and/or time to the filename.

    • GZip Wrapped Log Files: Uses the GZip compression utility to compress logged files. The log files that are associated with the GZip option and the Maximum Log Files value are stored in the directory you specify in the Log File Path field.

  3. In the Component File Logger Levels section, you can specify the logging sensitivity for the following:

    Application: Logs system-wide events, except events that belong to a specific subsystem.

    Liberty: Logs events specific to the Liberty IDFF protocol and profiles.

    SAML 1: Logs events specific to the SAML1 protocol and profiles.

    SAML 2: Logs events specific to the SAML2 protocol and profiles.

    STS: Logs events specific to the STS protocol.

    CardSpace: Logs events specific to the CardSpace protocol.

    WS Federation: Logs events specific to the WS Federation protocol.

    Web Service Provider: (Liberty) Logs events specific to fulfilling Web service requests from other Web service consumers.

    Web Service Consumer: (Liberty) Logs all events specific to requesting Web services from a Web service provider.

    Use the drop-down menu to categorize logging sensitivity. Higher logging levels also include the lower levels in the log.

    • Off: Turns off component file logging for the selected item.

    • Severe: Logs serious failures that can cause system processing to not proceed.

    • Warning: Logs potential failures, but the impact on execution is minimal. Warnings indicate that you should be aware that this event is happening and might want to make a configuration change to avoid it.

    • Info: Logs informational events. No execution or data impact occurred.

    • Verbose: Logs static configuration information. The system logs any configuration errors under one of the primary three levels: Severe, Warning, and Info.

    • Debug: Includes all of the preceding levels.

  4. (Optional) Enable statistics logging:

    When statistics logging is enabled, the system periodically sends the system statistics, in string format, to the current file logger. Statistical data (such as counts, levels, and so on) are included in the file log.

    1. In the Statistics Logging section, select Enabled.

    2. In the Log Interval field, specify the time interval in seconds that statistics are logged.

  5. For information on configuring Novell Audit Logging, see Section 14.7, Enabling Identity Server Audit Events.

  6. Click OK.

  7. Update the Identity Server.

  8. Restart the Embedded Service Providers on the devices, in order to apply the changes.

    When you disable component logging, you need to update the Identity Servers and restart the Embedded Service Providers.

14.3.2 Managing Log File Size

On Windows, you need to manually monitor the size of the log files. On Linux, the logrotate daemon manages the log files located in the following directories:

/var/opt/novell/tomcat5/logs
/opt/volera/roma/logs/

The logrotate daemon has been configured to scan the files in these directories once a day. It rolls them over when they have reached their maximum size and deletes the oldest version when the maximum number of copies have been created.

If you want to modify this behavior, see the following files in the /etc/logrotate.d directory:

novell-tomcat5
novell-devman

For information about the parameters in these files, see the documentation for the logrotate daemon.