When working with Support or when investigating issues, it may be necessary to gather logging from certain components in order to diagnose the root cause.
Please review the below solutions for instructions on gathering these logs.
Active Roles service verbose/debug Logs (a.k.a DS Logs)
Directory Service or 'Verbose' logs provide detailed logging information which can be enabled in order to help track down an issue within the core service of the product. This log is helpful when trying to isolate why ActiveRoles is exhibiting unexpected behavior in certain environments (eg. the service is not responsive or busy, 100% CPU utilization, or intermittent errors in the Active Roles Admin Service event log).
This log can be used to diagnose: Policy violation errors, Active Roles service problems, or latency problems, as well as many other issues. Please be careful when enabling this log for extended periods of time (more than 24 hours) because it can rapidly fill up disk space to the point where it takes up the entire hard drive space. It is not unusual for DS logging to create 10-20 gigabytes of log files per day.
NOTE: With DS logs enabled, Active Roles will experience a slight performance impact compared to having no logging enabled. This is due to the fact that Active Roles is writing all core functions to disk in real time, and will be therefore slower to respond to client requests and operations. This is by design.
ADSI Provider Logs
Active Roles communicates with Active Directory using the Microsoft ADSI Provider interface. Anytime a scripted policy or script executes, it runs against the ADSI Provider. Typically the amount of data logged by the ADSI Provider is not as large as the DS log, but if left enabled for extended periods of time it can still consume a significant portion of disk space. As with the DS logs, if you enable this log it can potentially cause a performance impact on the service as it will be writing debug information to disk whenever the ADSI Provider interface is used.
The MMC logs are a simple set of logs which provide logging on the console interface. They can be used to troubleshoot client-specific issues which affect only the MMC (eg. objects not visible in MMC or random errors which are not noted in the Web Interface). This log is rarely requested by Support due to the limited amount of information that can be gathered from it.
The Active Roles Collector is a program which is used to gather event logs, changed information on Active Directory objects, and general runtime information on a scheduled basis, for reporting purposes. Enabling this log may slow down the Collector process and lengthen the amount of time required for the Collector task to finish, so use this only when absolutely needed. Types of issues which can be diagnosed with the logs would be: an inability to run reports on certain objects (eg. users missing), Collector task startup failure, etc.
Configuration Transfer Wizard Logs
When troubleshooting this component, the only logs which are needed are the ADSI Provider logs because the Configuration Transfer Wizard relies on this interface to communicate with Active Roles.
The Configuration Transfer Wizard is a program which is used to copy configuration data from a source Active Roles instance and place it into a destination Active Roles instance. One example is Migrating data from a test lab into production.
A 'Trace Output' file may be viewed or copied by selecting 'View Log' when the Collection or Deployment wizard completes.
Active Roles Admin Service Event Logs
The most frequently requested log files, typically exported as .EVT or EVTX files. They are absolutely vital when performing basic Active Roles troubleshooting - example, policy violation errors, service startup errors, or other Active Roles service problems. There is no need to enable any extra logging as the Active Roles service automatically writes this information to its event log.
Active Roles Web Interface Logs
Whenever you encounter an error in the web interface of Active Roles (admin site, self-service, or helpdesk), this type of log can help you narrow down why the issue is appearing. While not as large as the DS logs in terms of disk space demands, it still logs information that may not be present in the ADSI Provider, DS, or event log. The idea of gathering these logs is to only enable the logs during the moment of time you reproduced the error - that way no extra / useless debug information is logged to the file.
Web Interface Site Configuration Wizard
This component is use to manage Web Interface Sites. It has no separate logging, and instead will tie into general logging of the Web Interface component (see previous).Quick Connect 5.x debug Logs
Whenever an error is encountered in Quick Connect, you should enable the debug logs for the Quick Connect service. Please note that when you enable these logs it will slow down the response of Quick Connect and may cause your workflows to take longer to execute/run. This is normal behavior, because Quick Connect will be writing debug information to a log file. Quick Connect will also post to an event log which may show useful information.
Synchronization Service Logs
The Synchronization Service is the replacement for Quick Connect.
To enable logging in Synchronization Service:
Additionally, the Synchronization Service will write events to the Active Roles Synchronization Service event log.
Management History Transfer Wizard Logs
This utility has simple logging which it posts to the Windows temporary directory. This directory can be found by choosing Run | %temp%
Active Roles 7.x Configuration Center
This component will post logs to C:\ProgramData\One Identity\Active Roles\Logs\Configuration Center
These logs can assist with issues encountered when importing Configuration or Management History objects using the Configuration Center.
Last Notes / Summary
Generally, when troubleshooting issues in ActiveRoles Server, the following logs would be useful: