OpenSSO Enterprise Logs

There are two different types of service log files: access and error. Access log files may contain records of action attempts and successful results. Error log files record errors that occur within the OpenSSO Enterprise services. Flat log files are appended with the .error or .access extension. Database column names end with _ERROR or _ACCESS for an Oracle database, or _error or _access for MySQL databases. For example, a flat file logging console events is named amConsole.access, while a database column logging the same events is named AMCONSOLE_ACCESS. The following sections describe the log files recorded by the Logging Service.

• Session Logs

• Console Logs

• Authentication Logs

• Federation Logs

• Policy Logs

• Agent Logs

• SAML Logs

• ssoadm Logs

Session Logs

The Logging Service records the following events for the Session Service:

• Login

• Logout

• Session Idle TimeOut

• Session Max TimeOut

• Failed To Login

• Session Reactivation

• Session Destroy

The session logs are prefixed with amSSO.

Console Logs

The OpenSSO Enterprise console logs record the creation, deletion, and modification of identity-related entities, policies, and services including, among others, realms, users, policies, and groups. It also records modifications of user attributes including passwords and the addition of users to or removal from groups. Additionally, the console logs record delegation and data store activities. The console logs are prefixed with amConsole.

Authentication Logs

Authentication component logs user logins and logouts. The authentication logs are prefixed with amAuthentication.

Federation Logs

The Federation component logs federation-related events including, but not limited to, the creation of a circle of trust and the creation of a Hosted Provider. The federation logs are prefixed with amFederation.

Policy Logs

The Policy component records policy-related events including, but not limited to, policy administration (policy creation, deletion and modification) and policy evaluation. The policy logs are prefixed with amPolicy.

Agent Logs

The policy agent logs are responsible for logging exceptions regarding log resources that were either allowed or denied to a user. The agent logs are prefixed with amAgent. amAgent logs reside on the agent server only. Agent events are logged on the OpenSSO Enterprise server in the Authentication Logs. For more information on this function, see the documentation for the policy agent in question.

SAML Logs

The SAML component records SAML-related events including, but not limited to, assertion and artifact creation or removal, response and request details, and SOAP errors. The session logs are prefixed with amSAML.

ssoadm Logs

The ssoadm logs record events that occur during operations using the ssoadm command line tool. These include operations that have OpenSSO administration console equivalents. The ssoadm command line logs are located in the logging directory specified when running the setup script for the administration tools unzipped from ssoAdminTools.zip. The main logs are prefixed with ssoadm; other task-related log files are also have access and error suffixes.