Identity Manager Data Governance Edition 8.0 - User Guide

Data Governance Edition logs

The first place to look when you run into an issue with Data Governance Edition is the logs. The Data Governance Edition logs available are:

Data Governance configuration wizard log

Log name: Data Governance Configuration Wizard.exe.dlog

The Data Governance configuration wizard log is stored as a Trace log document (.dlog) in the user's AppData directory. For example: C:\Users\MyName.MyDomain\AppData\Local\One Identity\One Identity Manager\Data Governance Configuration Wizard\.

Used for capturing errors encountered while using the Data Governance Configuration wizard to deploy the Data Governance service and create the Resource Activity database.

Data Governance server log

Log name: DataGovernanceEdition.Service.exe.dlog

NOTE: The Data Governance server maintains rolling log files based on settings found in the DataGovernanceEdition.Service.exe.config file, so there may be multiple server log files in the Data Governance service installation directory. The first log file is the active log and is being maintained by the server. When this log file reaches a specified size, it is renamed (a number is appended to the name) and a new file is started with the original name.

NOTE: By default, the logging level is set to INFO. To change the logging level to get detailed logging:

  1. Locate the DataGovernanceEdition.Service.exe.config file in the Data Governance service installation directory.
  2. Open the configuration file and edit the following setting:

    <rules>
      <logger name="*" minlevel="INFO" writeTo="logfile">

  3. Change INFO to DEBUG to get detailed logging.
  4. Save the file.

The server log is stored as a Trace log document (.dlog) in the Data Governance service installation directory. For example: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server\.

Used for capturing the following information:

  • Data Governance service communication
  • Group resolution and group expansion
  • Agent lease expiration information
  • Points Of Interest (POI) collection information
  • Resource activity updates
  • Security changes made on a resource from the Manager
  • Incoming web service calls related to Data Governance Edition from the One Identity Manager web site

NOTE: In previous versions of Data Governance Edition, individual server log files were generated. Starting with Data Governance Edition version 7.0.2, the logging information from all of these server logs is available in this single server log file.

Server logs can be viewed as described below:

  • In the Manager, use the Get All Logs task to export the server log to a specified location. From that location, double-click the log file to view the log in the Log Viewer. For more information, see Getting server logs.
  • From the Data Governance service machine, double-click the log file or right-click and select Open to view the log in the Log Viewer.

Applications and Services event logs

Severity error level events and audit events are written to the Applications and Services event logs on the Data Governance server under the "Data Governance" node.

  • Severity error level events have a "Source" of "Data Governance Edition".
  • Audit events contain information on operations run by the server (such as security changes) and have a "Source" of "Data Governance Audit".
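
To review these events from a shell instead of Event Viewer, the following added example (not part of the product documentation) pulls both sources into one timeline. Get-DgeEvent is a hypothetical helper name, and the log name 'Data Governance' is an assumption taken from the node name above; the two "Source" values are the ones listed on this page.

```powershell
# Added example: list Data Governance audit and error events as one timeline.
# Get-DgeEvent is a hypothetical helper, not a product cmdlet.
function Get-DgeEvent {
    [CmdletBinding()]
    param(
        [ValidateSet('Audit', 'Error', 'Both')][string]$Kind = 'Both',
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Assumption: the event log carries the same name as the "Data Governance" node.
        [string]$LogName = 'Data Governance',
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # "Source" values as documented above (Event Viewer "Source" = ProviderName).
    $sources = @{
        Audit = 'Data Governance Audit'
        Error = 'Data Governance Edition'
    }
    $wanted = if ($Kind -eq 'Both') { $sources.Values } else { $sources[$Kind] }

    $filter = @{
        LogName      = $LogName
        ProviderName = @($wanted)
        StartTime    = $Since
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return @() }
        throw
    }

    # Oldest first, so security changes read in the order they were made.
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
}

# Audit events (such as security changes) from the last seven days.
Get-DgeEvent -Kind Audit -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize -Wrap
```

Run it on the Data Governance server, or pass -ComputerName to query that server remotely.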

Data Governance agent deployment logs

Log name: <Agent name>_Agent.log

The agent deployment logs are stored as text files in the Agent Deployment Logs folder in the Data Governance service installation directory. For example: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server\Agent Deployment Logs\.

Used for capturing the agent deployment process for each individual agent. There is a separate agent deployment log for each agent installed in your Data Governance Edition deployment.

Agent deployment logs can be viewed as described below:

  • In the Manager, use the Get All Logs task to export the agent deployment logs to a specified location. From that location, double-click the log file to view the log. For more information, see Getting server logs.
  • From the Data Governance service machine, double-click the log file or right-click and select Open to view the log.

Data Governance agent logs

Log name: DataGovernance.Agent.exe.dlog

NOTE: By default, the logging level is set to INFO. To change the logging level to get detailed logging:

  1. Locate the agent's dlog.config file on the host computer in the agent installation directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\<Agent instance directory>\dlog.config).
  2. Open the configuration file and edit the following setting:

    <rules>
      <logger name="*" minlevel="INFO" writeTo="logfile">

  3. Change INFO to DEBUG to get detailed logging.
  4. Save the file.

    No agent restart is required.

An agent log is stored as a Trace log document (.dlog) in a subfolder on the host computer in the agent installation folder. For example:

%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DGE_<DeploymentName>_<HostDnsName>\.

Used for logging communications, synchronization processes and data transfers between the Data Governance server and the agent.

Agent logs can be viewed as described below:

  • From the Manager, use the Export agent log task to export the selected agent log to a specified location. From that location, double-click the log file to view the log in the Log Viewer. For more information, see Exporting agent log.
  • From the agent machine, double-click the log file or right-click and select Open to view the log in the Log Viewer.

Web client logs

The Web client log files are located in the following directory: C:\inetpub\wwwroot\IdentityManager\App_Data\Logs.

This directory contains a series of log files all named with a time stamp.

Errors encountered with the web client IT Shop are recorded to the web client logs.

The best way to get the proper log is to replicate the issue and take the file with the most recent time stamp.

Job server logs

The default URL for a Job Server log is: http://JobServerHost:1880/Log

Often when you have errors with Active Directory synchronization or report execution you can find clues in the One Identity Manager Job Server logs. In addition, errors encountered with the process chains used to process resource access requests in the IT Shop are recorded in the Job Server logs.

With a default configuration, you can browse these logs by launching a web browser and navigating to a specific URL on the computer hosting the Job Server.

Manager client log

Log name: QAM.Client.Log.dlog

If experiencing issues with Data Governance Edition inside the Manager client, enable the Data Governance Edition client side logging to determine if the issue is related to the user interface rather than the Data Governance server.

NOTE: By default, the logging level is set to INFO. To change the logging level to get detailed logging:

  1. Locate the Data Governance Edition client log configuration file (%ProgramFiles%\One Identity\One Identity Manager\QAM.Client.Log.config).
  2. Open the configuration file and edit the following setting:

    <rules>
      <logger name="*" minlevel="INFO" writeTo="logfile">

  3. Change INFO to DEBUG to get detailed logging.
  4. Save the file.
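
The same four steps apply to the server, agent and Manager client configuration files, so they can be scripted once. This is an added example, not part of the product documentation: Set-DgeLogLevel is a hypothetical helper name, and the script assumes the files are well-formed XML containing the logger rule shown in step 2.

```powershell
# Added example: switch the <logger ... writeTo="logfile"> rule between INFO and DEBUG.
# Set-DgeLogLevel is a hypothetical helper, not a product cmdlet.
function Set-DgeLogLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [ValidateSet('INFO', 'DEBUG')][string]$Level = 'DEBUG'
    )

    $resolved = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout
    $xml.Load($resolved)

    # local-name() matches the elements whether or not the section declares an XML namespace.
    $xpath = "//*[local-name()='rules']/*[local-name()='logger'][@writeTo='logfile']"
    $rules = $xml.SelectNodes($xpath)
    if ($rules.Count -eq 0) { throw "No <logger writeTo='logfile'> rule found in $resolved" }

    $changed = 0
    foreach ($rule in $rules) {
        if ($rule.GetAttribute('minlevel') -ne $Level) {
            $rule.SetAttribute('minlevel', $Level)
            $changed++
        }
    }

    if ($changed -gt 0 -and $PSCmdlet.ShouldProcess($resolved, "set minlevel=$Level")) {
        # Keep one pristine copy of the original file; never overwrite it on later runs.
        if (-not (Test-Path -LiteralPath "$resolved.bak")) {
            Copy-Item -LiteralPath $resolved -Destination "$resolved.bak"
        }
        $xml.Save($resolved)
    }
    return $changed                          # number of rules whose level differed
}

# Manager client log configuration file, at the path given in step 1 above.
$clientConfig = Join-Path $env:ProgramFiles 'One Identity\One Identity Manager\QAM.Client.Log.config'
Set-DgeLogLevel -ConfigPath $clientConfig -Level DEBUG
```

Point -ConfigPath at DataGovernanceEdition.Service.exe.config or an agent's dlog.config for the other two logs, and call the function again with -Level INFO to return to the default once the issue has been captured.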

The Manager client log files are located in the user profile directory:

C:\Users\<Your User Name>\AppData\Local\One Identity\One Identity Manager\Manager

NOTE: To enable the latest LogView logging for the Manager client, modify the Manager configuration file (%ProgramFiles%\One Identity\One Identity Manager\Manager.exe.config) as follows:

Comment out the following:

<include file="${basedir}/globallog.config" ignoreErrors="true"/>

Add the following:

<include file="${basedir}/QAM.Client.Log.config" ignoreErrors="true"/>

Getting server logs

From the Managed hosts view in the Manager you can export the server logs to a location of your choosing. The log files are exported through a background operation and will exist once the background operation has completed. The export operation can be viewed in the Background operations view.

NOTE: Server logs retrieved using the Get All Logs task consist of the DataGovernanceEdition.Service.exe.dlog file and associated agent deployment logs.

To get server logs

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select Get All Logs from the Tasks view or right-click menu.
  3. On the Browse for folder dialog, select the location where the exported logs are to be stored.

    A compressed zip file is created in the specified location. Clicking this zip file displays the Data Governance service log and an Agent Deployment Logs folder, which contains a log file for each agent deployed.

  4. Double-click the Data Governance service dlog file to launch the log viewer to view the service's log.
  5. Double-click an agent deployment log file to launch Notepad to view the agent's deployment log.

Exporting agent log

From the Agents view in the Manager, you can export the agent log for the selected agents to a location of your choosing. The log files are exported through a background operation and will exist once the background operation has completed. The export operation can be viewed in the Background operations view.

To export an agent log

  1. In the Navigation view, select Data Governance | Agents.
  2. In the Agents view (right pane), select the required agent(s).
  3. Select Export agent log from the Tasks view or right-click menu.
  4. On the Browse for folder dialog, select the location where the exported logs are to be stored.

    A compressed zip file is created in the location specified. Clicking this zip file displays a trace log document for the selected agent(s).

  5. Double-click the dlog file to launch the log viewer to view an agent's log entries.

No activity data

When you run a Resource Activity, Account Activity, or Perceived Owner report, you may not immediately see an action in the report that you know you have performed.

Probable cause
  • There is lag time between when an action occurs, such as a file read or write, and when the data is sent from the agent to the server. This delay is dependent upon the following:
    • The aggregation setting on the Resource Activity page of the Managed Host Settings dialog
    • The update schedule. The initial synchronization happens a few minutes after resource activity collection is enabled. By default, after that initial synchronization, resource activity is synchronized into the One Identity Manager database once a day. This update schedule is controlled by a Data Governance server configuration setting (PerceivedOwnershipCalcUpdateRefreshIntervalMinutes). See the One Identity Manager Data Governance Edition Technical Insight Guide for more information on this configuration file setting.
    • Various internal processes.
  • It is possible that you did not have resource activity collection enabled for that managed path during the time span covered in the report.
  • If you have enabled resource activity collection, it is possible you have excluded some accounts, files or folders where the activity occurred.
  • If Quest Change Auditor is installed and you are collecting resource activity directly from Change Auditor, Change Auditor may not be capturing the events you are expecting.

Resolution
  • Verify the managed host type. Resource activity collection is only available for local managed Windows servers, SharePoint farms, and supported NetApp and EMC managed hosts.
  • Use the Edit Host Settings task from the Managed hosts view to verify that the required paths are being managed:
    • Open the Managed Paths page of the Managed Host Settings dialog. Are the required managed paths listed?
  • Use the Edit Host Settings task from the Managed hosts view to verify that resource activity collection is enabled:
    • Open the Resource Activity page of the Managed Host Settings dialog.
      • Is the Collect and aggregate events option selected?
      • Are the required events selected?
  • Verify the accounts, files or folders that are being tracked:
    • Click the Resource Activity Exclusions button on the Resource Activity page of the Managed Host Settings dialog.
    • Check each tab to see what objects are being excluded.
  • Collaborate with the Change Auditor administrator to determine what data Change Auditor is collecting.