When working with Support or when investigating issues, it may be necessary to gather logging from certain components in order to diagnose a root cause.
Please review the below solutions for instructions on gathering these logs.
Active Roles service verbose/debug Logs (a.k.a. DS Logs)
Directory Service (DS) or 'Verbose' logging can be enabled to provide detailed information that helps track down an issue within the core service of the product. This log is helpful when trying to isolate why Active Roles is exhibiting unexpected behavior in certain environments (e.g. the service is not responsive or busy, 100% CPU utilization, or intermittent errors in the Active Roles Admin Service event log).
This log can be used to diagnose policy violation errors, Active Roles service problems, latency problems, and many other issues. Be careful when enabling this log for extended periods of time (more than 24 hours), because it can rapidly consume all available disk space. It is not unusual for DS logging to create 10-20 gigabytes of log files per day.
NOTE: With DS logs enabled, Active Roles will experience a slight performance impact compared to having no logging enabled. This is because Active Roles is writing all core functions to disk in real time, and will therefore be slower to respond to client requests and operations. This is by design. Because of this performance impact and the size of the log files, verbose logging should only be enabled while actively troubleshooting a reproducible issue.
How to gather DS logging for ActiveRoles Server
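The disk-space caution above can be measured rather than estimated. The PowerShell function below is an added example, not part of the original article or of One Identity's tooling. It samples how fast a log folder is growing, projects when the volume would fill, and flags logging that has been on longer than 24 hours. The log folder path and the time logging was enabled are assumptions supplied by the operator.

```powershell
# Added example, not vendor code. $LogPath is a placeholder: pass the folder
# your verbose (DS) logging actually writes to.
function Get-VerboseLogGrowth {
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][datetime]$EnabledSince,  # when logging was switched on
        [int]$SampleSeconds = 60,
        [double]$MaxHoursEnabled = 24                   # "extended period" per the text above
    )
    if (-not (Test-Path -LiteralPath $LogPath -PathType Container)) {
        throw "Log folder not found: $LogPath"
    }
    # Total bytes currently held in the log folder (0 when it is empty).
    $measure = {
        $sum = (Get-ChildItem -LiteralPath $LogPath -File -Recurse -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        if ($null -eq $sum) { 0.0 } else { [double]$sum }
    }
    $before = & $measure
    Start-Sleep -Seconds $SampleSeconds
    $after  = & $measure

    # Extrapolate the sampled growth to a day; log rotation can make it negative.
    $bytesPerDay = [math]::Max(0.0, ($after - $before) / $SampleSeconds * 86400)
    $freeBytes   = (Get-Item -LiteralPath $LogPath).PSDrive.Free
    $daysLeft    = if ($bytesPerDay -gt 0) { $freeBytes / $bytesPerDay } else { [double]::PositiveInfinity }
    $hoursOn     = ((Get-Date) - $EnabledSince).TotalHours

    $warnings = @()
    if ($hoursOn -gt $MaxHoursEnabled) { $warnings += "Logging enabled for more than $MaxHoursEnabled hours" }
    if ($daysLeft -lt 1)               { $warnings += 'Volume will fill in under a day at this rate' }

    [pscustomobject]@{
        LogPath        = $LogPath
        CurrentSizeGB  = [math]::Round($after / 1GB, 2)
        GrowthGBPerDay = [math]::Round($bytesPerDay / 1GB, 2)
        FreeGB         = [math]::Round($freeBytes / 1GB, 2)
        DaysUntilFull  = [math]::Round($daysLeft, 1)
        HoursEnabled   = [math]::Round($hoursOn, 1)
        Warnings       = $warnings -join '; '
    }
}

# Example call (path and start time are placeholders):
# Get-VerboseLogGrowth -LogPath '<path-to-DS-log-folder>' -EnabledSince (Get-Date).AddHours(-3)
```

A short sample taken while the issue is being reproduced gives the most representative growth rate; an idle service will understate it.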
ADSI Provider Logs
Active Roles communicates with Active Directory using the Microsoft ADSI Provider interface. Anytime a scripted policy or script executes, it runs against the ADSI Provider. Typically the amount of data logged by the ADSI Provider is not as large as the DS log, but if left enabled for extended periods of time it can still consume a significant portion of disk space. As with the DS logs, if you enable this log it can potentially cause a performance impact on the service as it will be writing debug information to disk whenever the ADSI Provider interface is used.
How to gather ADSI logging for ActiveRoles Server
Management Shell Logs
The Active Roles Management Shell is a PowerShell module that runs from any Windows client. Because it requires the ADSI Provider, it is best to enable ADSI Provider logging as well when reviewing any issues which are specific to the Management Shell.
HOW TO: Enable logging for the Active Roles Management Shell
Console Logs
The Console (MMC) logs are a simple set of logs that provide logging on the console interface. They can be used to troubleshoot client-specific issues which affect only the Console (e.g. objects not visible in the Console or errors which are not noted in the Web Interface). This log is rarely requested by Support due to the limited amount of information that can be gathered from it.
How to gather MMC logging for ActiveRoles Server
Collector Logs
The Active Roles Collector is a program that gathers event logs, changes to the information in Active Directory objects, and general runtime information on a scheduled basis, for reporting purposes. Enabling this log may slow down the Collector process and lengthen the time required for the Collector task to finish, so use it only when absolutely needed. Issues that can be diagnosed with these logs include an inability to run reports on certain objects (e.g. users missing), Collector task startup failure, etc.
How to gather Collector logging for ActiveRoles Server
Configuration Transfer Wizard Logs
When troubleshooting this component, the only logs which are needed are the ADSI Provider logs because the Configuration Transfer Wizard relies on this interface to communicate with Active Roles.
The Configuration Transfer Wizard is a program that is used to copy configuration data from a source Active Roles instance and place it into a destination Active Roles instance. One example is migrating data from a test lab into production.
A 'Trace Output' file may be viewed or copied by selecting 'View Log' when the Collection or Deployment wizard completes.
How to gather the Configuration Transfer Wizard log
Active Roles Admin Service Event Logs
These are the most frequently requested log files, typically exported as .EVT or .EVTX files. They are absolutely vital when performing basic Active Roles troubleshooting, for example policy violation errors, service startup errors, or other Active Roles service problems. There is no need to enable any extra logging, as the Active Roles service automatically writes this information to its event log.
How to gather Active Roles Admin Event logging for ActiveRoles Server
Active Roles Web Interface Logs
Whenever you encounter an error in the web interface of Active Roles (admin site, self-service, or helpdesk), this type of log can help you narrow down why the issue is appearing. While not as large as the DS logs in terms of disk space demands, it still logs information that may not be present in the ADSI Provider, DS, or event log. The idea is to enable these logs only while you reproduce the error, so that no extensive or unrelated debug information is logged to the file.
How to gather Web Interface logging for Active Roles version 6.x
How to gather Web Interface logging for Active Roles version 7.x and later
Web Interface Site Configuration Wizard
This component is used to manage Web Interface Sites. It has no separate logging and instead will tie into the general logging of the Web Interface component (see previous).
Quick Connect 5.x debug Logs
Whenever an error is encountered in Quick Connect, you should enable the debug logs for the Quick Connect service. Please note that when you enable these logs it will slow down the response of Quick Connect and may cause your workflows to take longer to execute/run. This is normal behavior because Quick Connect will be writing debug information to a log file. Quick Connect will also post to an event log which may show useful information.
Enable Quick Connect Sync Engine and Quick Connect Console Logging
Synchronization Service Logs
The Synchronization Service is the replacement for Quick Connect.
To enable logging in Synchronization Service:
Additionally, the Synchronization Service will write events to the Active Roles Synchronization Service event log.
Management History Transfer Wizard Logs
This utility has simple logging which it posts to the Windows temporary directory. This directory can be found by choosing Run | %temp%.
Active Roles 7.x Configuration Center
This component will post logs to C:\ProgramData\One Identity\Active Roles\Logs\Configuration Center
These logs can assist with issues encountered when importing Configuration or Management History objects using the Configuration Center.
Last Notes / Summary
Generally, when troubleshooting issues in ActiveRoles Server, the following logs would be useful:
© 2024 One Identity LLC. ALL RIGHTS RESERVED.