There are several locations within Identity Manager where logging levels can be configured, as this product has multiple components. This document will explain how to enable and adjust logging levels for JBoss application server, provisioning server, java connector server, and product installation logs.
Identity Manager 14.x
For version prior to 14.4:
For Jboss 6.x / Wildfly 8.2 .x you should use the following location in windows explorer: [Jboss / Wildfly home]\standalone\deployments\iam_im.ear\config\com\netegrity\config
For WebLogic the location is: \iam_im.ear\config\com\netegrity\config
In this folder is a file called log4j_<applicationserver>.properties, which must be opened with a text editor such as notepad. Inside the file there are several categories that can be adjusted, typically for CA Support debugging purposes the following lines will be changed.log4j.category.ims=WARN
log4j.category.im=WARNShould be changed to
All categories in this document can be adjusted to suit the business needs of the company. They can be set to OFF, WARN, INFO or DEBUG.The application server must be reset in order for the changes to take effect.
Alternatively, if logging.jsp has been enabled, log4j can be dynamically configured via a browser pointing to the logging.jsp page on the IM application server:
http://<im_appServer>:port/iam/im/logging.jsp - This method does not require any restart of the application server - in fact, it is valid only for the current session. The default logging levels will be restored upon application server restart
Where to find the logs:
For Jboss 6.x / Wildfly 8.2.x the log files are located under: [Jboss / Wildfly home]\standalone\logFor WebLogic -- CA Identity Manager information is written to standard out. By default, standard out is the console window in which the server instance is running.
For WebSphere - CA Identity Manager information is written to the console window where the server instance is running, and to <Was_home>\AppServer\profiles\<Profile_Name>\logs\<server_name>\SystemOut.logProvisioning Server:
The provisioning server log level controls several different logs including the etatrans, etanotify, sa and satrans logs. The level is adjusted in the Provisioning Manager GUI.The logs are enabled by default, the enable/disable option is located under System > Domain Configuration > Transaction Log > Enable
The level of logging can be adjusted in Provisioning Manager under System > Domain Configuration > Transaction Log > Level
0: No trans logging1: Log external/child errors
2: Log external operations3: Log child operations
4: Log informative messages5: Log DSA (Directory Service Agent) errors
6: Log DSA operations7: Log search operations
The change in log level will not take effect until the next time the configuration is re-read (default is every 600 seconds but that can also be configured within the Domain Configuration settings) or until the Provisioning Server service is restarted.For CA Support debugging purposes logs should be set to level 7. Logs on lower levels are often unhelpful in troubleshooting and determining root cause of an issue.
The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\logs*Please note that this is the default installation path
Endpoint logs (Active Directory and others):
Endpoint logs can be valuable when troubleshooting a specific endpoint issue. These logs are not enabled by default and must be enabled through the Provisioning Manager GUI.
The logs can be enabled by going to Endpoints > xxxx Endpoint > [your specific endpoint] > Logging tab.
Check the enabled box and all of the boxes next to Text File. This will enable endpoint logging into the file saDDMMYY.log.
In the example below we are showing an Active Directory Endpoint logging tab, however these steps are true for any other endpoint type too:
If the CCS is located on the Provisioning Server, the log files are located under: \CA\Identity Manager\Provisioning Server\logs\saDDMMYY.logActive Directory Endpoints have additional endpoint specific log files which are located under: \CA\Identity Manager\Provisioning Server\logs\ADS
If the connector server is a standalone installation the log files are located under: \CA\Identity Manager\Connector Server\ccs\logs\adsJava Connector Server:
To set JCS logs to debug, go to the following path on your JCS machine: C:\Program Files (x86)\CA\Identity Manager\Connector Server\etc*Please note that this is the default installation path
Make backup copies of org.ops4j.pax.logging.cfg and org.ops4j.pax.logging.cfg.verbose for when debugging log levels are no longer necessary. Rename org.ops4j.pax.logging.cfg to org.ops4j.pax.logging.cfg.NOT_IN_USE and then rename org.ops4j.pax.logging.cfg.verbose to org.ops4j.pax.logging.cfg. A restart of the JCS is needed after changing the configuration files.Once the necessary logs are generated you can change back the names of org.ops4j.pax.logging.cfg and org.ops4j.pax.logging.cfg.verbose, or revert to the backup copies of the files. It is recommended that the JCS logs do not remain in debugging mode during normal use, as this logging level can impact performance.
Java connectors also have their own jcs_conn_<endpoint_name>.log located on the JCS server if the property sheets for those are set to log. Soee the ADS endpoint logging section for more details on enabling endpoint specific JCS logging.The log files are located under: C:\Program Files (x86)\CA\Identity Manager\Connector Server\jcs\logs
*Please note that this is the default installation path
Windows installations:If you encounter issues during CA Identity Manager installation, see this log file:
C:\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\caiamsuite.log*Please note that this is the default installation path
The CA Identity Manager Server installer logs are written to the following default locations:C:\Program Files\CA\Identity Manager\install_config_info (32-bit system)
C:\Program Files (x86)\CA\Identity Manager\install_config_info (64-bit system)*Please note that these the default installation paths
The Provisioning installer logs are written to the user's Temp directory and copied to the Install-Directory\_uninst directoryTo put these logs into debug, run the installer from command line and while Installshield is loading the installer press and hold the control(Ctrl) button until it completes at 100%.
Linux Installations:If you encounter any issues while performing a CA Identity Manager installation, see the caiamsuite.log file in this location:
/opt/CA/IdentityManager/The CA Identity Manager Server installer logs are written to the following default location:
/opt/CA/IdentityManager/install_config_infoThe Provisioning installer logs are written to the user's Temp directory.
To put these logs into debug use ./setuplinux.bin -log @ALL (some installers require -console)CA Directory logs:As the user who installed Directory (on Windows) / dsa user (on Linux) run 'dxinfo' and attach the output files. If the logs folder under <dxhome>/logs contain a substantial number of logs, copy old logs to another location before running the above command
SiteMinder integration logs:When Identity Manager is integrated with SiteMinder SSO, the critical errors are happening on the SiteMinder Policy Server.
To enable policy server trace log:
- Log onto the policy server with user who owns the process.
- Open Siteminder Management Console
- Select Logs tab - Tick "Enable Profiling" checkbox
Policy server trace log is now enabled
In order to edit the policy server trace config file to log necessary details:
- while still on the policy server machine under the same user, back up the existing smtracedefault.txt file under <policy server path>/config/.
- copy and paste the below setting to the file, overwriting the existing content:
components: Server/Connection_Management, Server/Policy_Server_General, IsProtected, Login_Logout/Function_Begin_End, Login_Logout/Authentication, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC/Sql_Statement_Begin_End, ODBC/Connection_Management, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP, IdentityMinder
data: Date, Time, Pid, Tid, SrcFile, Function, TransactionID, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, AgentType, Rule, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, Data, Message, AuthReason, UserDN, ActiveExpr, Query, Property, State, CacheHits, CacheSize, Expression, ResponseTime, AuthStatus, AuthScheme, RequestIPAddr
Make sure there are only two lines, one starting with "component" and one with "data"
- Save the file.
- Reset the policy server trace log by restarting SiteMinder Policy Server service
Web traces / logs:When Identity Manager and SiteMinder are integrated, we might need to trace the web traffic between these components, including the Web Server in between. We recommend using Fiddler for such tracing:
- Download and install Fiddler on the workstation where you access the Identity Manager Environment (IME) URL:
- Clear the current urls in the Fiddler and re-produce the issue.- Save the http trace as .saz extension
For IM/SM integration related problems, we recommend collecting and sharing the following logs / info with CA Support:- smtracedefault.log
- IM server log
- fiddler trace log (.saz)
- username that experiences the problem
- timeframe when the problem happens.
If you are not using Provisioning Manager you can still set Provsioning log levels:
Use a LDAP browser such as JXplorer to connect to Provisioning Store on port 20389
Under eTConfigParamName=Level,eTConfigParamFolderName=Transaction Log,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects,dc=im,dc=eta
change ConfigParamValue to 7