test

Sun Java System Access Manager 7 2005Q4 Technical Overview

How the Logging Feature Works

The Logging Service enables Access Manager services to record information such as access denials, access approvals, authentication events, and authorization violations. Administrators can use the logs to track user actions, analyze traffic patterns, and review authorization violations. The logged information from all Access Manager services are recorded in one centralized location. The default location for all Access Manager log files is /var/opt/SUNWam/logs.

Logging Architecture

When Access Manager starts up or when any logging configuration data is changed through the console, logging configuration data is loaded into the Logging component. This data includes the log message format, log file name, maximum log size, and the number of history files. Applications can use the Client APIs to access the Logging features from a local or remote server. The Client APIs use an XML-over-HTTP layer to send logging requests to the Logging component on the server where Access Manager is installed.

amLogging.xml

The Logging service stores the attributes and values for the logging function. A global service configuration file named amLogging.xml defines the Logging attributes. Examples of Logging Service attributes are maximum log size, log location, and log format (flat file or relational database). The attribute values are applied across the Access Manager deployment and inherited by every configured realm. By default, amLogging.xml is located in the directory /etc/opt/SUNWam/config/xml. The structure of amLogging.xml is defined by file sms.dtd.

Log File Formats

Access Manager can record events in flat text files or in a relational database.

Flat File Format

The default flat file format is the W3C Extended Log Format (ELF). Access Manager uses this format to record the default fields in each log record. See Recorded Events for a list of default fields and their descriptions. The following code example illustrates an authentication log record formatted for a flat file.

Example 6–1 Flat File Record From amAuthentication.access


"2005-08-01 16:20:28"   "Login Success" LDAP    AUTHENTICATION-100 
   dc=example,dc=com       e7aac4e717dda1bd01      INFO 
uid=amAdmin,ou=People,dc=example,dc=com 192.18.187.152 
"cn=exampleuser,ou=Example Users,dc=example,dc=com" exampleHost

In the example, the fields are in this order: Time, Data, ModuleName, MessageID, Domain, ContextID, LogLevel, LoginID, IPAddr, LoggedBy, and HostName.

Relational Database Format

When Access Manager uses a relational database to log messages, the messages are stored in a database table. Access Manager uses Java Database Connectivity (JDBC) to access the database table. JDBC provides connectivity to a wide range of SQL databases. JDBC also provides access to other tabular data sources such as spreadsheets or flat files. Oracle® and MySQL databases are currently supported.

For log records generated by Access Manager 7.0, the Data and MessageID fields are used slightly differently than in previous Access manager versions. Starting with Access Manager 7.0, the MessageID field is introduced as a kind of template for types of log messages. For example, in previous versions, Access Manager would generate the following message in the Data field:

Data: "Created group
cn=agroupSubscription1,ou=Groups,dc=iplanet,dc=com"

In Access Manager 7.0, two log records are recorded for the one event:

Data:	 agroupSubscription1|group|/
MessageID:	CONSOLE-1

and

Data:	agroupSubscription1|group|/
MessageID:	CONSOLE-2

The log records reflect the use of identities and realms, new in Access Manager 7.0. In this example, CONSOLE-1 indicates an attempt to create an identity, and CONSOLE-2 indicates the attempt to create an identity was successful. The root organization notation (dc=iplanet,dc=com) is replaced with a forward slash (/). The variable parts of the messages (agroupSubscription1, group, and /) are separated by a pipe character (|), and continue to go into the Data field of each log record. The MessagID string is not internationalized in order to facilitate machine-readable analysis of the log records in any locale.

The following table summarizes the schema for a relational database.

Table 6–1 Relational Database Log Format

Column Name  

Data Type  

Description  

 
TIME

VARCHAR(30) 

Date of the log in the format YYYY-MM-DD HH:MM:SS.

 
DATA

VARCHAR(1024) 

The variable data part of the log record pertaining to the MESSAGE ID. For MySQL, the Data Type is VARCHAR(255).  

 
MODULENAME

VARCHAR(255) 

Name of the Access Manager component invoking the log record. 

 
DOMAIN

VARCHAR(255) 

Access Manager domain of the user. 

 
LOGLEVEL

VARCHAR(255) 

JDK 1.4 log level of the log record. 

 
LOGINID

VARCHAR(255) 

Login ID of the user who performed the logged operation. 

 
IPADDR

VARCHAR(255) 

IP Address of the machine from which the logged operation was performed. 

 
LOGGEDBY

VARCHAR(255) 

Login ID of the user who writes the log record. 

 
HOSTNAME

VARCHAR(255) 

Host name of machine from which the logged operation was performed. 

 
MESSAGE ID

VARCHAR(255) 

Non-internationalized message identifier for this log record's message. 

 
CONTEXT ID

VARCHAR(255) 

Identifier associated with a particular login session. 

Log Files Directory

The log files record a number of events for each of the Access Manager components using the Logging Service. Administrators typically review these log files on a regular basis. The default location for all Access Manager log files is /var/opt/SUNWam/logs. The following table describes the files in the log files directory.

The period (.) separator in a log filename is converted to an underscore (_) in database formats. Also in databases, table names may be converted to all upper case. For example, amConsole.access may be converted to AMCONSOLE_ACCESS, or it may be converted to amConsole_access.

Table 6–2 Files in the Log Files Directory

File or Table  

Information Logged  

amAuthLog

Policy denies 

amPolicy.access

Policy allows 

amPolicy.error

Policy error events 

amConsole.access

Successful console events 

amConsole.error

Console error events 

amAuthentication.access

Authentication successes 

amAuthentication.error

authentication failures 

amPasswordReset.access

Password reset events 

amSSO.access

SSO creates/destroys 

amSAML.access

SAML successful events 

amSAML.error

SAML error events 

amLiberty.access

Liberty successful events 

amLiberty.error

Liberty error events 

amFederation.access

Federation successful events 

amFederation.error

Federation error events 

amAdmin.access

amadmin CLI successful events 

amAdmin.error

amadmin CLI error events 

Recorded Events

The client passes the Logging Service logs information to the com.sun.identity.log.LogRecord class. The following table summarizes the items logged by default in the LogRecord.

Table 6–3 Events Recorded in LogRecord

Event  

Description  

Time 

The date (YYYY-MM-DD) and time (HH:MM:SS) at which the log message was recorded. This field is not configurable.

Data 

Variable data pertaining to the log records's MESSAGE ID. This field is not configurable.

Module Name 

Name of the Access Manager service or application being logged. Additional information on the value of this field can be found in “Adding Log Data” on page 88. 

Domain 

Access Manager domain to which the user belongs. 

Log Level 

The Java 2 Platform, Standard Edition (J2SE) version 1.4 log level of the log record. 

Login ID 

ID of the user as the subject of the log record. The user ID is taken from the session token. 

IP Address 

IP address from which the operation was performed. 

Logged By 

User who writes the log record. The information is taken from the session token passed during logger.log(logRecord, ssoToken).

Host Name 

Host name associated with the IP Address above. 

MessageID 

Non—internationalized message identifier for this log record's message. 

ContextID 

Identifier associated with a particular login session.