Logging

The Logging service provides status and error messages related to Access Manager administration. An administrator can configures values such as log file size and log file location. Access Manager can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:

• Maximum Log Size

• Number of History Files

• Log File Location

• Logging Type

• Database User Name

• Database User Password

• Database User Password (confirm)

• Database Driver Name

• Configurable Log Fields

• Log Verification Frequency

• Log Signature Time

• Secure Logging

• Maximum Number of Records

• Number of Files per Archive

• Buffer Size

• DB Failure Memory Buffer Size

• Buffer Time

• Time Buffering

Maximum Log Size

This attribute accepts a value for the maximum size (in bytes) of a Access Manager log file. The default value is 1000000.

Number of History Files

This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 3.

The files only apply to the FILE logging type. When the logging type is set to DB, there are no history files and limit explicitly set by Access Manager to the size of the files.

Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.

Log File Location

The file-based logging function needs a location where log files can be stored. This field accepts a full directory path to that location. The default location is:

/var/opt/SUNWam/logs

If a non-default directory is specified, Access Manager will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).

When configuring the log location for DB (database) logging (such as, Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):

jdbc:oracle:thin:@machine.domain:port:DBName

To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You need to manually add JDBC driver files to the classpath of the amadmin script, otherwise amadmin logging can not load the JDBC driver.

Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.

Logging Type

Enables you to specify either File, for flat file logging, or DB for database logging.

If the Database User Name or Database User Password is invalid, it will seriously affect Access Manager processing. If Access manager or the console becomes unstable, you set the following property in AMConfig.properties:

com.iplanet.am.logstatus=INACTIVE

After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the logstatus property to ACTIVE and restart the server.

Database User Name

This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.

Database User Password

This attribute accepts the database user password when the Logging Type attribute is set to DB.

Database User Password (confirm)

Confirm the database password.

Database Driver Name

This attribute enables you to specify the driver used for the logging implementation class.

Configurable Log Fields

Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:

• CONTEXTID

• DOMAIN

• HOSTNAME

• IPADDRESS

• LOGGED BY

• LOGLEVEL

• LOGINID

• MESSAGEID

• MODULENAME

At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.

Log Verification Frequency

This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.

Log Signature Time

This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.

Secure Logging

This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.

Secure Logging Signing Algorithm

This attribute defines RSA and DSA (Digital Signature Algorithm), which have private keys for signing and a public key for verification. You can select from the following:

• MD2 w/RSA

• MD5 w/RSA

• SHA1 w/DSA

• SHA1 w/RSA

MD2, MD5 and RSA are one-way hashes.

For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature generates a group of messages with MD2 and encrypts the value with the RSA private key. This encrypted value is the signature of the original logged records and will be appended to the last record of the most recent signature. For validation, it well decrypt the signature with the RSA public key and compare the decrypted value to the group of logged records. The secure logging feature will then will detect any modifications to any logged record.

Maximum Number of Records

This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.

Number of Files per Archive

This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.

Buffer Size

This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.

DB Failure Memory Buffer Size

This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the Access Manager logging service loses connection to the DB, it will buffer up to the number of records specified. This attribute defaults to two times of the value defined in the Buffer Size attribute.

Buffer Time

This attribute defines the amount of time that the log records will buffered in memory before they are sent to the logging service to be logged. This attribute applies if Enable Time Buffering is ON. The default is 3600 seconds.

Time Buffering

When selected as ON, Access Manager will set a time limit for log records to be buffered in memory. The amount of time is set in the Buffer Time attribute.