
Identity Manager 9.3 - Configuration Guide


Configuring the EventLogLogWriter for logging

The EventLogLogWriter writes messages from the One Identity Manager Service to an event log. To view the event log, you can use the results display in the Microsoft Management Console, for example.

You configure the EventLogLogWriter in the LogWriter module.

Table 69: EventLogLogWriter parameters

Parameters

Description

EventID

The ID of the messages written to the event log.

EventLog

Name of the event log to which the messages are written. The messages are written to the application log with Application as the default value.

NOTE: If more than one One Identity Manager Service writes event logs on a server, make sure that the first eight letters of each log name are unique on that server.

Category

The category of the messages written to the event log.

Source

The name of the source of the messages written to the event log.

LogSeverity

Severity levels of the logged messages.

Permitted values are:

  • Info: All messages are written to the event log. The event log quickly becomes large and confusing.

  • Warning: Only warnings and exception errors are written to the event log (default).

  • Serious: Only exception messages are written to the event log.

By default, the One Identity Manager Service only logs messages in the event log Application.

To use an event log with a different name

  1. On the Job server, manually add the file for the One Identity Manager Service to write to. You can use PowerShell, for example, to do this.

    1. Run PowerShell as administrator on the Job server.

    2. Run the following CmdLet:

      New-EventLog -Source "Foobar" -LogName "<file name>"

  2. Enter this file name in the One Identity Manager Service configuration file as the event log name (EventLog parameter) of the EventLogLogWriter module.

  3. Restart the computer.

  4. Restart the One Identity Manager Service.
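The first step above as a PowerShell script, including a check for the eight-letter uniqueness rule from the note on Table 69. This is an added example, not part of the guide; the log name, source name and size limit are assumed values, and New-EventLog and Limit-EventLog are available in Windows PowerShell 5.1 only.

```powershell
# Added example (not from the One Identity Manager guide): create a dedicated
# event log for the One Identity Manager Service on a Job server.
# $LogName and $Source are assumed values; $Source is assumed to match the
# Source parameter of the EventLogLogWriter in the service configuration.
#Requires -RunAsAdministrator
param(
    [string]$LogName = "OneIMJobSrv01",               # assumed log name
    [string]$Source  = "OneIdentityManagerService"    # assumed source name
)

# Windows tells custom event logs apart by the first eight characters of the
# log name, so "OneIMJobSrv01" and "OneIMJobSrv02" would collide.
function Get-LogNamePrefix([string]$Name) {
    return $Name.Substring(0, [Math]::Min(8, $Name.Length)).ToLowerInvariant()
}

$prefix = Get-LogNamePrefix $LogName
$clash = Get-EventLog -List |
    Where-Object { $_.Log -ne $LogName -and (Get-LogNamePrefix $_.Log) -eq $prefix }
if ($clash) {
    throw "First eight letters '$prefix' already used by existing log(s): $($clash.Log -join ', ')"
}

if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
    # A source belongs to exactly one log; refuse to reuse one that points elsewhere.
    $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, ".")
    if ($owner -ne $LogName) {
        throw "Source '$Source' is already registered to log '$owner'"
    }
} else {
    # Equivalent of: New-EventLog -Source "<source>" -LogName "<file name>"
    New-EventLog -LogName $LogName -Source $Source
}

# Cap the log so a LogSeverity of Info cannot fill the disk; oldest entries are overwritten.
Limit-EventLog -LogName $LogName -MaximumSize 64MB -OverflowAction OverwriteAsNeeded

# Show the resulting log; then continue with steps 2 to 4 above
# (configuration file entry, computer restart, service restart).
Get-EventLog -List | Where-Object { $_.Log -eq $LogName } |
    Format-List Log, MaximumKilobytes, OverflowAction
```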


Configuring the One Identity Manager Service as a proxy server

In a hierarchical server structure a server can be used as a proxy server for other servers. The proxy server makes requests at set time intervals for process steps to be processed on a server and sends them to the next server. If the request load needs to be minimized, a proxy server is recommended.

This is configured in the Dispatcher module.

Table 70: Dispatcher module parameters

Parameters

Description

Acts as proxy for other servers (IsProxy)

Specifies whether the server is to act as a proxy server. Set this option if the server should be a proxy server.

ProxyInterval

Time interval in seconds after which the proxy server, acting as deputy for another server, renews its request to the database.

The following guidelines can be used as orientation for the configuration of One Identity Manager Service polling intervals in a cascading environment:

Table 71: Polling interval guidelines for One Identity Manager Service

Parameters | Root server (direct connection to database) | Leaf server (connected by HTTP or file)
JobServiceDestination.StartInterval | 90 seconds | 600 seconds
JobServiceDestination.Statisticinterval | 360 seconds | 600 seconds
Dispatcher.ProxyInterval | 180 seconds |
Dispatcher.IsProxy | True | False

The proxy mode of a root server ensures that, acting on behalf of the leaf servers, process steps are queried at the shorter proxy interval. When the root server is restarted, it may take a while until all leaf servers have sent their first request (in this configuration a maximum of 600 seconds). After that, the system settles into its normal polling cycle.

Figure 14: Dispatcher configuration example

Configuration settings for One Identity Manager Service behavior

In the Connection module, you can make special configuration settings for the behavior of One Identity Manager Service.

Table 72: Connection module parameters

Parameters

Description

Log BLOB reads (LogBlobReads)

Specifies whether read operations on text and binary LOB (BLOB) should be written to the SQL log.

Cache type (CacheType)

Specifies how the data is cached. The default value is MultipleFiles.

Connect directly without availability check (DirectConnection)

Specifies whether to connect directly to the target database without first testing its availability or status. This allows tools that cannot switch databases within a connection to trace the connection.

NOTE: This option can affect migration because the connection is always open.

TokenCertificateThumbprint

Thumbprint of the certificate used to verify the security token.

Max. parallel queries (MaxParallelQueries)

Maximum number of database queries that can be carried out in parallel. The default value is 4.

Maximum write delay in clusters (MaxWriteDelay)

Maximum latency after which the write operations must have arrived at all nodes in the cluster. Input in seconds. The default value is 10 seconds.

Cache reload interval (CacheReloadInterval)

Time in seconds after which the local cache should be updated. This parameter overwrites the setting in the Common | CacheReload | Interval configuration parameter.

Disable reload beep (NoReloadBeep)

When this parameter is set, the beep that sounds when buffered dialog data is loaded is switched off.

Regular expression for stack trace positions (ObjectDumpStackExpression)

This expression specifies when an extra stack trace is written to the object log. If the current row in the object log matches the regular expression, the stack trace is written in the object log.

Example: "Lastname"

If the current row contains the value "Lastname", the stack trace is also copied to the log.

NOTE: This parameter is used to locate errors. For performance reasons, do not set it under normal operating conditions.

Trusted source key (TrustedSourceKey)

Key that allows trusted access to the system.

Check validity of session certificates (CheckSessionCertificate)

Specifies whether to check the validity of the session certificate.

Do not check session certificate for recalls (DoNotCheckSessionCertificate)

Specifies whether to check whether session certificates have been revoked (recalled). Enable this option to skip that check.

TokenCertificateFile

Certificate file of the certificate to be used to verify the security token. The certificate must support RSA encryption with SHA1, SHA256, or SHA512 and contain the private key.

Supports read-only replicas in Azure (SupportReadScaleOut)

Specifies whether a second pool for read-only queries is supported in Azure. If the option is set, read-only queries are routed to that pool. This feature is available in Azure's Premium and Business Critical tiers. For more information, see https://docs.microsoft.com/en-us/azure/azure-sql/database/read-scale-out.

Process generation log directory (JobGenLogDir)

Directory of log files in which the instructions for process generation generated by One Identity Manager Service are recorded.

Configuring HTTP authentication

Every One Identity Manager Service automatically works as an HTTP server. Which services the One Identity Manager Service provides depends on the plugin configuration. Use this module to specify how authentication works on the HTTP server so that other services, for example displaying the log file or the status display, can be accessed.

The following module types may be selected:

  • BasicHttpAuthentication

    Use this authentication type to specify a user account for accessing the HTTP server.

    Module parameters are:

    • User account (User): User account for logging in.

    • Password (Password): User account's password.

  • SessionHttpAuthentication

    Users can log in with the authentication modules that are assigned to the Job Server application and enabled.

    The users require the JobServer_Status program function.

    Table 73: Module parameters

    Parameter

    Description

    Job provider ID (ProviderID)

    ID of the Job provider with the connection configuration to use for logging in. This must be either an MSSQLJobProvider or an AppServerJobProvider. If this is empty, the first Job provider is used.

    Application URL (AppURL)

    (Optional) This option is only required if the users can log in with OAuth2 or OpenID Connect. The URL must match the value in the QBMWebApplication.BaseURL column. An OAuth2/OpenID Connect configuration is assigned to the web application.

    The following URL must be given in the configuration and the connected external system as the redirect URL.

    https://<jobserver>:<port>/login

    Cleanup after inactivity (RemoveSessionAfterInactivity)

    Specifies the time period after which the session is removed from memory. The next time the session is accessed, it is reestablished transparently for the user. The default value is 00:10:00.

    Timeout format:

    hours:minutes:seconds

    Session timeout (SessionTimeout)

    Specifies how long a session stays connected. After the timeout expires or when the Job server is restarted, the session is ended. The default value is 1.00:00:30.

    Timeout format:

    day.hour:minutes:seconds

    For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  • WindowsHttpAuthentication

    Use this authentication type to specify an Active Directory group, whose users can be authenticated on the HTTP server.

    Module parameters are:

    • Group (Role): Active Directory group. A security ID (SID) or the Active Directory group name in the domain of the Job server can be specified. If the Active Directory group is not located in the domain of the Job server, the SID must be used.

    • Debug login errors (DebugLoginErrors): (Optional) User account properties and groups are written to the log file to debug login problems. Do not set this value in production environments as group assignments can be written to the log.

NOTE: If a module is not specified, authentication is not required. In this case, all users can access the services.
