
Identity Manager 9.3 - Process Monitoring and Troubleshooting Guide


Logging information about OAuth 2.0/OpenID Connect authentication

To support troubleshooting in OAuth 2.0/OpenID Connect authentication you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.

To log authentication data

  • In the Designer, set the QBM | DebugMode | OAuth2 | LogPersonalInfoOnException configuration parameter.
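Because this parameter writes token and issuer details to <appName>_object.log, it is worth checking afterwards which object logs contain token material. The following PowerShell is an added example, not One Identity code: the function name Find-LoggedToken, the constructed sample lines, the file filter and the assumption that tokens appear as JWT-shaped strings are illustrative, and the real log line layout may differ.

```powershell
# Constructed sample lines; the real object log layout may differ.
$sampleLines = @(
    '2025-01-10 09:14:02 ERROR (ObjectLog) : OAuth2 login failed. Issuer: https://idp.example.test/ Token: eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqZG9lIn0.c2lnbmF0dXJl'
    '2025-01-10 09:14:05 INFO (ObjectLog) : Object loaded.'
)

function Find-LoggedToken {
    param([Parameter(Mandatory)][string]$LogBaseDir)
    # Assumption: logged tokens are JWTs (three base64url parts, the first two starting with "eyJ").
    $jwt = 'eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*'
    # Assumption: current and archived object logs all carry "_object" in the file name.
    Get-ChildItem -Path $LogBaseDir -Recurse -File -Filter '*_object*' |
        Select-String -Pattern $jwt -AllMatches -CaseSensitive |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File      = $_.Path
                    Line      = $_.LineNumber
                    # Report only a short prefix and the length, never the token itself.
                    Token     = $m.Value.Substring(0, 8) + '...'
                    Length    = $m.Value.Length
                    LastWrite = (Get-Item -LiteralPath $_.Path).LastWriteTime
                }
            }
        }
}

# Demo against a temporary directory that stands in for the log base directory.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('oim-log-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'Manager_object.log') -Value $sampleLines
Find-LoggedToken -LogBaseDir $demo | Format-List
Remove-Item -Recurse -Force $demo
```

On a real installation, pass the component's log directory (by default %LocalAppData%\One Identity\One Identity Manager\<appName>) as -LogBaseDir.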

Configuring One Identity Manager component logging with NLog

In the One Identity Manager default installation, the log files are written to the %LocalAppData%\One Identity\One Identity Manager\<appName> directory under the name <appName>.log, where appName is the name of the One Identity Manager component.

Example: %LocalAppData%\One Identity\One Identity Manager\Manager\Manager.log

All messages with a minimum information level of Info are recorded in the <appName>.log file. The files are kept for 7 days and backed up daily.

In addition, all messages with a severity level of Fatal are recorded in the event log for the One Identity One Identity Manager <appName> source.

NOTE: The default settings for the configuration require write permissions for the %localappdata% directory. If a One Identity Manager component (*.exe) does not have the required permissions, change the logBaseDir variable in the nlog.config configuration file to write the log to a directory for which the permissions exist.

Structure of the nlog.config configuration file

The configuration settings for logging messages using NLog are made in the nlog.config configuration file. For a detailed description of NLog and how it works, see the online help (http://nlog-project.org/). The nlog.config settings are globally valid for all One Identity Manager components.

In the configuration file, use variables to define the general names, the output path, and the severity levels to be recorded in the log files and the event log.

Table 15: General variables for configuring logging

| Variable | Description |
|---|---|
| appName | Application name of the One Identity Manager component. If it is not possible to determine the application name, IdentityManager is used. |
| logBaseDir | Output path for the component's log files. Default: %LocalAppData%\One Identity\One Identity Manager\<appName> |
| logFileLevel | Severity level of messages to write to the log file. Default: Info |
| eventLogLevel | Severity level of the messages that are written to the event log. Default: Fatal |

The output targets for messages and the settings for storing and archiving log files are defined in the targets section. NLog already has predefined targets that you can use in the configuration file.

Table 16: Output targets for logging

| Target Name | Description |
|---|---|
| logfile | Name and settings of the general log file of a One Identity Manager component. Default settings: Name: <appName>.log; Storage: 7 days; Archived: daily |
| debug | Name and settings of the log file for recording debug messages. Default settings: Name: /debug/<appName>.log; Storage: 7 days; Archived: daily |
| sqllogfile | Name and settings of the log file for recording database queries. Default settings: Name: <appName>_sql.log; Storage: 7 days; Archived: daily |
| objectlogfile | Name and settings of the log file for recording object actions over the object layer. Default settings: Name: <appName>_object.log; Storage: 7 days; Archived: daily |
| jobgenlogfile | Name and settings of the log file for recording during process generation. Default settings: Name: <appName>_jobgen.log; Storage: 7 days; Archived: daily |

The rules section is used to define rules for logging the messages. The logger name is used to define which components are logged. Messages are logged for all components with the default setting logger name="*". To limit logs to certain components, use the name contained in the log.

Table 17: Logger names of components

| Logger name | Description |
|---|---|
| FrontendLog | Logs actions in front-ends. |
| JobGenLog | Logs during process generation. |
| Jobservice | Logs One Identity Manager Service messages. |
| ObjectLog | Logs object actions through the object level. |
| ProjectorEngine | Logs messages from the synchronization engine. |
| SqlLog | Logs database queries. |
| StopWatch | Logs timings. |
| SystemConnection | Detailed logging of data communication with the system connection during synchronization, including system configuration and system connectors' data communication. |
| SystemConnector | Logs system connector data communication during synchronization. |
| Update | Logs update handling. |
| WebLog | Logs Web service actions. |
| DebugLogObserver | Logs performance data from the synchronization engine. |

You can enter the severity level through:

  • minlevel: Messages above this severity level are logged. The logFileLevel variable can overwrite the severity level in a custom configuration file.

  • level: Messages with exactly this severity level are logged. The eventLogLevel variable can overwrite the severity level in a custom configuration file.

Table 18: Permitted severity levels

| Severity Level | Description |
|---|---|
| Trace | Logs highly detailed information. This setting should only be used for analysis purposes. The log file quickly becomes large and cumbersome. |
| Debug | Logs debug steps. This setting should only be used for testing. |
| Info | Logs all information. |
| Warning | Logs all warnings. |
| Error | Logs all error messages. |
| Fatal | Logs all critical error messages. |

The following files are defined for custom extensions.

<include file="${basedir}/custom-log-variables.config" ignoreErrors="true"/>

<include file="${basedir}/custom-log-targets.config" ignoreErrors="true"/>

Configuring One Identity Manager Service logging

Success and error messages from process handling are written to the One Identity Manager Service log file. Messages can also be written to a server’s event log. A severity level can be configured for output to this log file.

You can create most of the settings in the One Identity Manager Service configuration file. Use the Job Service Configuration program to do this. For more information about working with Job Service Configuration and configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.


Prerequisites for displaying the One Identity Manager Service log file

The One Identity Manager Service log files can be displayed using an HTTP server (http://<server name>:<port number>).

  • Users require permission to open an HTTP server. The administrator must grant URL approval to the user with the following command line call:

    netsh http add urlacl url=http://*:<port number>/ user=<domain>\<user name>

    If the One Identity Manager Service has to run under the Network Service's user account (NT Authority\NetworkService), explicit permissions for the internal web service must be granted with the following command line call:

    netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

    You can check the result with the following command line call:

    netsh http show urlacl
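To review the result rather than just list it, the following PowerShell parses the netsh http show urlacl output and reports every reservation on the service port, noting wildcard hosts and broad principals. It is an added example, not part of the One Identity documentation: the function name Get-UrlAclFinding, the list of broad principals and the sample output (constructed, English locale) are assumptions.

```powershell
# Constructed sample of `netsh http show urlacl` output (English locale).
$sample = @'
URL Reservations:
-----------------

    Reserved URL            : http://*:1880/
        User: CONTOSO\svc-oneim
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1105)

    Reserved URL            : http://10.0.0.15:1880/
        User: NT AUTHORITY\NETWORK SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;NS)

    Reserved URL            : http://+:1880/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
'@

function Get-UrlAclFinding {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Port = 1880   # default port named in this guide
    )
    # Principals treated as too broad for this reservation (assumed list, adjust as needed).
    $broad = '^(\\)?Everyone$|^BUILTIN\\Users$|^NT AUTHORITY\\Authenticated Users$'
    $url = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $url = $Matches[1]          # remember the reservation the next User line belongs to
        }
        elseif ($url -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $user = $Matches[1]
            if ($url -notmatch "^https?://[^/]+:$Port/") { continue }   # other ports are out of scope
            $notes = @()
            if ($url -match '^https?://[*+]:') { $notes += 'wildcard host: matches every host name and interface' }
            if ($user -match $broad) { $notes += 'broad principal may listen on this URL' }
            if (-not $notes) { $notes = @('none') }
            [pscustomobject]@{ Url = $url; User = $user; Notes = $notes -join '; ' }
        }
    }
}

Get-UrlAclFinding -Lines ($sample -split "`r?`n") | Format-Table -AutoSize -Wrap
# Live check on the server: Get-UrlAclFinding -Lines (netsh http show urlacl)
```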

To display the One Identity Manager Service log file, configure the following modules in the One Identity Manager Service configuration file:

  • FileLogWriter module

    Create the log file settings in this module.

  • Configuration module

    Configure the port for displaying the services. The default value is port 1880.

  • HTTP authentication module

    Set up an authentication method to display the log file.

For more information about configuring the One Identity Manager Service, see the One Identity Manager Configuration Guide.
