When writing log records, the Logging Service verifies that the logging requester has the proper authority to log and then writes the information to the configured location, formatting and completing the columns in the log records.
An application makes logging calls using the getLogger() method, which returns a Logger object. Each Logger keeps track of a log level and discards log requests that are below this level. (There is one Logger object per log file.) The application allocates a LogRecord, which is written to the log file using the log() method. An SSOToken, representing the user's session data, is passed to the LogRecord constructor and used to populate the appropriate fields to be logged.
OpenSSO Enterprise contains plug-ins to write log records to:
The host's flat file system
The host's flat file system with added signing of the LogRecord and periodic verification
A relational database
A remote instance of OpenSSO Enterprise
The Logging Service requires two session tokens:
Creating the LogRecord requires an SSOToken for the subject about whom the LogRecord is being written.
Writing the LogRecord requires an SSOToken for the entity requesting the logging of the record.
If your application also invokes utilities that log without using the OpenSSO Logging Service API, you might also need to include the following:

    import com.sun.identity.log.Logger;
    Logger.token.set(ssoToken);

where ssoToken is the SSOToken of the entity requesting the logging. Once done, execute the following statement to clear the entity's SSOToken from the Logging Service:

    Logger.token.set(null);
The following fields can have values logged when the addLogInfo() method is invoked. All columns except for time, Data, and NameID can be selected for exclusion from the record written to the log file.

The date and time is retrieved from OpenSSO Enterprise and added by the Logging Service.

The event being logged, as defined in the message string specified in the LogRecord() constructor call.

The value specified for the LogConstants.MODULE_NAME property in the addLogInfo() call. For example, the RADIUS module might be specified in an authentication attempt. If no value is specified, this field is logged as Not Available.

The value specified for the LogConstants.MESSAGE_ID property in an addLogInfo() call. If no value is specified, this field is logged as Not Available.

The value for this field is extracted from the SSOToken and corresponds to the subject userID's domain or organization.

The value for this field is extracted from the SSOToken and corresponds to the subject userID's session context.

The logging level, passed to the LogRecord() constructor, at which this record is being logged.

The value for this field is extracted from the SSOToken and corresponds to the subject userID's Principal name.

The value specified for the LogConstants.NAME_ID property in an addLogInfo() call. It is an alias that maps to the actual userID. If no value is specified, this field is logged as Not Available.

The value for this field is extracted from the SSOToken and corresponds to the originating point of the action being logged.

The identifier in this field is extracted from the logging requester's SSOToken specified in the Logger.log() call.

The host name corresponding to the originating point of the action being logged is derived from the IPAddr in the user's SSOToken, if it can be resolved. Resolving host names is disabled by default; enable this feature by toggling the Log Record Resolve Host Name system configuration attribute under Logging Service. If disabled, the HostName value is taken from the user's SSOToken and the IPAddr value is logged as Not Available.
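The following class is an added example, not code from the OpenSSO Enterprise documentation, that ties together the two-token call sequence described above (getLogger(), LogRecord with the subject's SSOToken, addLogInfo() for the optional columns, log() with the requester's SSOToken) and the Logger.token pattern for utilities that log without the API. It assumes the caller already holds both SSOTokens; the log file name "amAuthentication.access", the message-ID strings, the nameIdAlias parameter and the cast of getLogger()'s return value to the OpenSSO Logger subclass are this example's own choices.

```java
import java.util.logging.Level;

import com.iplanet.sso.SSOToken;
import com.sun.identity.log.LogConstants;
import com.sun.identity.log.LogRecord;
import com.sun.identity.log.Logger;

/**
 * Writes one authentication record through the OpenSSO Logging Service.
 *
 * subjectToken   - SSOToken of the user the record is ABOUT; the Logging
 *                  Service fills the domain, session context, principal name,
 *                  originating IP address and host name from it.
 * requesterToken - SSOToken of the entity DOING the logging; the Logging
 *                  Service checks its authority before writing and records
 *                  it as the logged-by identifier.
 */
public final class RadiusAuthLogger {

    // Log file name is an assumption of this example.
    private static final String LOG_FILE = "amAuthentication.access";

    private RadiusAuthLogger() { }

    public static void logAuthAttempt(SSOToken subjectToken,
                                      SSOToken requesterToken,
                                      String nameIdAlias,
                                      boolean success) {
        // One Logger per log file. getLogger() is declared to return the
        // java.util.logging.Logger supertype, so cast to the OpenSSO Logger
        // to reach the two-argument log() method.
        Logger logger = (Logger) Logger.getLogger(LOG_FILE);

        // The message string becomes the Data column and the Level becomes
        // the logged level; records below the Logger's level are discarded.
        Level level = success ? Level.INFO : Level.WARNING;
        String message = success ? "RADIUS authentication succeeded"
                                 : "RADIUS authentication failed";
        LogRecord record = new LogRecord(level, message, subjectToken);

        // Optional columns; any column not set is logged as "Not Available".
        record.addLogInfo(LogConstants.MODULE_NAME, "RADIUS");
        // Message IDs below are constructed for this example.
        record.addLogInfo(LogConstants.MESSAGE_ID,
                          success ? "AUTH-RADIUS-OK" : "AUTH-RADIUS-FAIL");
        if (nameIdAlias != null) {
            // Alias that maps to the actual userID; never excluded from the record.
            record.addLogInfo(LogConstants.NAME_ID, nameIdAlias);
        }

        // Second token: the requester's authority to log is verified here,
        // before anything reaches the configured log destination.
        logger.log(record, requesterToken);
    }

    /**
     * Runs work that calls into utilities logging through the Logging Service
     * without passing a token per call, so the requester's token has to be
     * set on Logger.token for the duration. Clearing it in finally means a
     * later task on the same thread cannot log under this entity's authority.
     */
    public static void runWithLoggingToken(SSOToken requesterToken, Runnable work) {
        Logger.token.set(requesterToken);
        try {
            work.run();
        } finally {
            Logger.token.set(null);
        }
    }
}
```

The try/finally in runWithLoggingToken is the point of the second method: the page says to clear Logger.token once done, and doing it in finally guarantees the clear happens even when the wrapped utility throws, which matters in a pooled-thread server where the next request would otherwise inherit the previous requester's logging authority.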