The Logging service provides status and error messages related to Access Manager administration. An administrator can configures values such as log file size and log file location. Access Manager can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:
This attribute accepts a value for the maximum size (in bytes) of a Access Manager log file. The default value is 1000000.
This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 3.
The files only apply to the FILE logging type. When the logging type is set to DB, there are no history files and limit explicitly set by Access Manager to the size of the files.
Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.
The file-based logging function needs a location where log files can be stored. This field accepts a full directory path to that location. The default location is:
If a non-default directory is specified, Access Manager will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).
When configuring the log location for DB (database) logging (such as, Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):
To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You need to manually add JDBC driver files to the classpath of the amadmin script, otherwise amadmin logging can not load the JDBC driver.
Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.
Enables you to specify either File, for flat file logging, or DB for database logging.
If the Database User Name or Database User Password is invalid, it will seriously affect Access Manager processing. If Access manager or the console becomes unstable, you set the following property in AMConfig.properties:
After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the logstatus property to ACTIVE and restart the server.
This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.
This attribute accepts the database user password when the Logging Type attribute is set to DB.
Confirm the database password.
This attribute enables you to specify the driver used for the logging implementation class.
Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:
At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.
This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.
This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.
This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.
This attribute defines RSA and DSA (Digital Signature Algorithm), which have private keys for signing and a public key for verification. You can select from the following:
MD2, MD5 and RSA are one-way hashes.
For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature generates a group of messages with MD2 and encrypts the value with the RSA private key. This encrypted value is the signature of the original logged records and will be appended to the last record of the most recent signature. For validation, it well decrypt the signature with the RSA public key and compare the decrypted value to the group of logged records. The secure logging feature will then will detect any modifications to any logged record.
This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.
This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.
This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.
This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the Access Manager logging service loses connection to the DB, it will buffer up to the number of records specified. This attribute defaults to two times of the value defined in the Buffer Size attribute.
This attribute defines the amount of time that the log records will buffered in memory before they are sent to the logging service to be logged. This attribute applies if Enable Time Buffering is ON. The default is 3600 seconds.
When selected as ON, Access Manager will set a time limit for log records to be buffered in memory. The amount of time is set in the Buffer Time attribute.