Sun Java System Access Manager 7 2005Q4 Technical Overview

Error and Access Logs

Two types of Access Manager log files exist: access log files and error log files.

Access log files record general auditing information concerning the Access Manager deployment. A log may contain a single record for an event, such as a successful authentication, or multiple records for the same event. For example, when an administrator uses the console to change an attribute value, the Logging Service logs the attempt to make the change in one record and the result of executing the change in a second record.

Error log files record errors that occur within the application. While an operation error is recorded in the error log, the operation attempt is recorded in the access log file.

Flat log files are appended with the .error or .access extension. Database column names end with _ERROR or _ACCESS. For example, a flat file logging console events is named amConsole.access while a database column logging the same events is named AMCONSOLE_ACCESS or amConsole_access.
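
The naming convention above can be used to audit the source list of a log collector. The following Python sketch is an added example, not part of the Sun documentation; the function names and the sample inventory are constructed for illustration. It maps flat-file and database names to one component key and reports components for which only one of the access/error pair is being collected, since an error and the attempt that caused it are recorded in different logs.

```python
import re
from collections import defaultdict

# Flat file:  <prefix>.access / <prefix>.error
# Database:   <prefix>_ACCESS / <prefix>_ERROR (upper or mixed case)
_NAME = re.compile(
    r"^(?P<prefix>[A-Za-z][A-Za-z0-9]*)(?P<sep>[._])(?P<kind>access|error)$",
    re.IGNORECASE,
)
BOTH_KINDS = {"access", "error"}


def classify(name):
    """Return (component_key, kind, store), or None if the name does not
    follow the Access Manager log naming convention."""
    m = _NAME.match(name.strip())
    if not m:
        return None
    store = "file" if m["sep"] == "." else "database"
    # Lower-case the prefix so amConsole and AMCONSOLE share one key.
    return m["prefix"].lower(), m["kind"].lower(), store


def coverage_gaps(names):
    """Map each component to the log kinds missing from the inventory."""
    seen = defaultdict(set)
    for name in names:
        parsed = classify(name)
        if parsed:
            component, kind, _store = parsed
            seen[component].add(kind)
    return {
        component: sorted(BOTH_KINDS - kinds)
        for component, kinds in seen.items()
        if kinds != BOTH_KINDS
    }


# Constructed inventory of sources a collector is configured to read.
SAMPLE_SOURCES = [
    "amConsole.access",
    "amConsole.error",
    "AMFEDERATION_ACCESS",   # database form, upper case
    "amFederation_access",   # same log, mixed-case database form
    "notes.txt",             # not an Access Manager log name; ignored
]

if __name__ == "__main__":
    for component, missing in coverage_gaps(SAMPLE_SOURCES).items():
        print(f"{component}: not collecting {', '.join(missing)} log")
```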

For detailed reference information about events recorded in each type of Access Manager log, see the Sun Java System Access Manager 7 2005Q4 Administration Guide. The following table provides a brief description of the log file produced by each Access Manager component.

Table 6–4 Access Manager Component Logs


| Component | Log Filename Prefix | Information Logged |
|---|---|---|
| | | Session management attribute values such as login time, logout time, timeout limits. |
| Administration Console | | User actions performed through the administration console such as creation, deletion and modification of identity-related objects, realms, and policies. |
| | | User logins and logouts. |
| Identity Federation | | Federation-related events such as the creation of an Authentication Domain and the creation of a Hosted Provider. The federation logs are prefixed with amFederation. |
| Authorization (Policy) | | Policy-related events such as policy creation, deletion, or modification, and policy evaluation. |
| Policy Agent | | Exceptions regarding resources that were either accessed by a user or denied access to a user. amAgent logs reside on the server where the policy agent is installed. Agent events are logged on the Access Manager machine in the Authentication logs. |
| | | SAML-related events such as assertion and artifact creation or removal, response and request details, and SOAP errors. |
| | | Event errors that occur during operations using the command line tools. Examples are: loading a service schema, creating policy, and deleting users. |