Identity Manager has multiple components, so logging levels are configured in several places. This document explains how to enable and adjust logging levels for the JBoss application server, the Provisioning Server, the Java Connector Server, and the product installation logs.
Identity Manager 14.x
For version 14.4, please see the documentation for details on adjusting the log levels, as this process has changed slightly.
Identity Manager 14.4 Server Logging
For versions prior to 14.4:
For JBoss 6.x / WildFly 8.2.x, use the following location in Windows Explorer: [Jboss / Wildfly home]\standalone\deployments\iam_im.ear\config\com\netegrity\config
For WebLogic, the location is: \iam_im.ear\config\com\netegrity\config
This folder contains a file called log4j_<applicationserver>.properties, which must be opened with a text editor such as Notepad. The file contains several categories that can be adjusted. For CA Support debugging purposes, the following lines are typically changed:
log4j.category.ims=WARN
log4j.category.im=WARN
Should be changed to:
log4j.category.ims=DEBUG
log4j.category.im=DEBUG
All categories in this document can be adjusted to suit the business needs of the company. They can be set to OFF, WARN, INFO, or DEBUG.
The application server must be reset in order for the changes to take effect.
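The edit described above can be scripted so the same change is applied, and later reverted, consistently. This is an added example, not Broadcom tooling: the function name and the sample file content are assumptions constructed for illustration, and the accepted levels are the four this article lists.

```python
import re

# Levels this article lists as valid for the log4j categories.
ALLOWED_LEVELS = ("OFF", "WARN", "INFO", "DEBUG")

# Matches an active (uncommented) "log4j.category.<name>=<LEVEL>[, appenders]" line.
_CATEGORY = re.compile(r"^(\s*log4j\.category\.([\w.]+)\s*=\s*)(\w+)(.*)$")

# Constructed sample content, not the product's shipped properties file.
SAMPLE = (
    "# constructed sample\r\n"
    "log4j.category.ims=WARN\r\n"
    "log4j.category.im=WARN\r\n"
    "#log4j.category.im=DEBUG\r\n"
    "log4j.category.example=INFO\r\n"
)


def set_category_levels(text, changes):
    """Return (new_text, changed); changed maps category -> (old, new)."""
    for category, level in changes.items():
        if level not in ALLOWED_LEVELS:
            raise ValueError(f"{category}: unsupported level {level!r}")
    changed, seen, out = {}, set(), []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep CRLF/LF exactly as found
        m = _CATEGORY.match(body)
        if m and m.group(2) in changes:
            prefix, category, old, rest = m.groups()
            seen.add(category)
            if old != changes[category]:
                changed[category] = (old, changes[category])
            body = f"{prefix}{changes[category]}{rest}"
        out.append(body + eol)
    missing = sorted(set(changes) - seen)
    if missing:                         # refuse a silent no-op
        raise KeyError(f"categories not found: {missing}")
    return "".join(out), changed


if __name__ == "__main__":
    debug_text, diff = set_category_levels(SAMPLE, {"ims": "DEBUG", "im": "DEBUG"})
    print(diff)
    # Revert once the support capture is complete.
    restored, _ = set_category_levels(debug_text, {"ims": "WARN", "im": "WARN"})
    print(restored == SAMPLE)
```

Writing the returned text back to the properties file does not by itself activate the new levels; the application server reset described above is still required.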
Alternatively, if logging.jsp has been enabled (see Customize Log Levels using Logging Admin Tool), log4j can be dynamically configured via a browser pointing to the logging.jsp page on the IM application server:
Detailed information about implementing logging.jsp is found under \CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Admin\Readme.txt.
The provisioning server log level controls several different logs, including the etatrans, etanotify, sa and satrans logs. The level is adjusted in the Provisioning Manager GUI. The logs are enabled by default; the enable/disable option is located under System > Domain Configuration > Transaction Log > Enable.
The level of logging can be adjusted in Provisioning Manager under System > Domain Configuration > Transaction Log > Level.
Below are the log levels and their descriptions.
The change in log level will not take effect until the next time the configuration is re-read (default is every 600 seconds but that can also be configured within the Domain Configuration settings) or until the Provisioning Server service is restarted.
For Broadcom Support debugging purposes logs should be set to level 7. Logs on lower levels are often unhelpful in troubleshooting and determining the root cause of an issue.
The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\logs
*Note that this is the default installation path.
Endpoint logs can be valuable when troubleshooting a specific endpoint issue. These logs are not enabled by default and must be enabled through the Provisioning Manager GUI.
To enable the logs:
In the example below we are showing an Active Directory Endpoint logging tab, however, these steps are true for any other endpoint type too:
If the CCS is located on the Provisioning Server, the log files are located under: \CA\Identity Manager\Provisioning Server\logs\saDDMMYY.log.
Active Directory Endpoints have additional endpoint-specific log files which are located under: \CA\Identity Manager\Provisioning Server\logs\ADS.
If the connector server is a standalone installation the log files are located under: \CA\Identity Manager\Connector Server\ccs\logs\ads.
To set JCS logs to debug:
Java connectors also have their own jcs_conn_<endpoint_name>.log located on the JCS server if the property sheets for those are set to log. See the Endpoint logs (Active Directory and others) section for more details on enabling endpoint-specific JCS logging.
The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Connector Server\jcs\logs
*Note that this is the default installation path
Check Debug an Identity Manager Installation for more details on how to debug different installers.
If you encounter issues during the CA Identity Manager installation, see this log file:
C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\caiamsuite.log
*Note that this is the default installation path
The CA Identity Manager Server installer logs are written to the following default locations:
*Note that these are the default installation paths
The Provisioning installer logs are written to the user's Temp directory and copied to the Install-Directory\_uninst directory
To put these logs into debug:
If you encounter any issues while performing a CA Identity Manager installation, see the caiamsuite.log file in this location:
/opt/CA/IdentityManager/
The CA Identity Manager Server installer logs are written to the following default location:
/opt/CA/IdentityManager/install_config_info
The Provisioning installer logs are written to the user's Temp directory.
To put these logs into debug use ./setuplinux.bin -log @ALL (some installers require -console)
CA Directory logs: As the user who installed Directory (on Windows) / dsa user (on Linux) run 'dxinfo' and attach the output files. If the logs folder under <dxhome>/logs contains a substantial number of logs, copy old logs to another location before running the above command.
When Identity Manager is integrated with SiteMinder SSO, critical errors occur on the SiteMinder Policy Server.
To enable policy server trace log:
components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP, IdentityMinder
data: Date, Time, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message, AuthReason, UserDN, ActiveExpr, Query, Property, State, CacheHits, CacheSize, Expression, ResponseTime, AuthStatus, AuthScheme, RequestIPAddr
When Identity Manager and SiteMinder are integrated, we might need to trace the web traffic between these components, including the Web Server in between. We recommend using Fiddler for such tracing:
For IM/SM integration-related problems, we recommend collecting and sharing the following logs/info with Broadcom Support:
Instructions for Detailed Workpoint workflow logging
For information on Identity Portal Logging, please see KB 220684 How to enable debug logging in Identity Portal
For information on Identity Governance logging, please see KB 10944 How to enable Debug in Identity Governance
If you are not using Provisioning Manager you can still set Provisioning log levels:
And for Endpoints, for example for Active Directory:
Endpoint logs should also be configurable through the endpoint in IDM itself.