Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Debug Logging

Most of the Identity Synchronization for Windows components have debug logging capability. This section describes how to enable debug logging for each component.

Note –

Using debug logging to isolate a problem can be a time-consuming process. Be sure to read Chapter 12, Troubleshooting, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide before using this method.

Debug Logging in Java Components

To enable debug logging in one of the Java components (connector, System Manager, or Central Logger), edit the process's command line in the file to include the flag, and restart the Identity Synchronization for Windows daemon (on Solaris) or service (on Windows). The following example enables debug logging for the CNN101 Connector. The existing entry for the CNN101 Connector in the /var/opt/SUNWisw/resources/ file is shown here.

[2]=CNN101
process.command[2]=/usr/java/bin/java  -Xmx256m  -Xrs  -DimqConnectionType=TLS  
-DPSWHOME=/var/opt/SUNWisw  -DWPSCNFG=resources   
-classpath /opt/SUNWisw/lib/common.jar:/opt/SUNWisw/lib/connector.jar:

AgentHarness CNN101


Note –

The idsync printstat command provides information about the Connector ID and the installation location, which can be used to find the correct entry in the list.

In the following example, the command-line entry for this connector has been edited to include the special debug option. It is safest to include this option as the first option for the Virtual Machine for the Java Platform (JVM™ tool interface).

[2]=CNN101
-Xmx256m  -Xrs   -DimqConnectionType=TLS  
-DPSWHOME=/var/opt/SUNWisw  -DWPSCNFG=resources   
-classpath /opt/SUNWisw/lib/common.jar:/opt/SUNWisw/lib/connector.jar:
/usr/sfw/share/lib/xerces-200.jar:. CNN101

After enabling this option, stop and start the Identity Synchronization for Windows daemon (on Solaris) or service (on Windows) so that the changes take effect.

To prevent conflicts with Message Queue, wait 30 seconds after stopping the Identity Synchronization for Windows daemon or service before restarting it. When the process starts, it will write three new logs: logs/CNN101/debug.log, logs/CNN101/debugErrors.log, and logs/CNN101/resyncDebug.log.

Enabling debug logging has an impact on performance and security. Debug logging can generate trace-level information that consumes more disk space than audit logs, requiring additional processor cycles that can reduce throughput. Although no sensitive information is ever written to the audit log, the debug log might include sensitive information such as passwords.
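Because the debug logs can contain passwords, it is worth checking who can read them once debug logging is on. The following is an added example, not part of the original guide or the product: a shell audit that finds debug.log, debugErrors.log and resyncDebug.log files accessible to group or other and, on request, restricts them to the owner. The function names and the logs directory passed as an argument (for example /var/opt/SUNWisw/logs) are assumptions.

```shell
#!/bin/sh
# Added example: audit permissions on Identity Synchronization for Windows
# debug logs, which may contain sensitive data such as passwords.
# Assumption: the logs directory (e.g. /var/opt/SUNWisw/logs) is passed
# as the first argument and holds one subdirectory per component
# (logs/CNN101/debug.log and so on).

# Print every debug log under $1 that grants any access to group or other.
# Each permission bit is tested separately so this works with POSIX find.
find_exposed_debug_logs() {
    find "$1" -type f \
        \( -name debug.log -o -name debugErrors.log \
           -o -name resyncDebug.log \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Restrict each exposed debug log to its owner (mode 600) and report it.
# Other files, such as audit logs, are left untouched.
lock_down_debug_logs() {
    find_exposed_debug_logs "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'restricted %s\n' "$f"
    done
}

# Usage: sh audit_debug_logs.sh <logs-directory> [--fix]
# Without --fix the script only reports; with no arguments it does nothing.
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        lock_down_debug_logs "$1"
    else
        find_exposed_debug_logs "$1"
    fi
fi
```

Run the report after every restart that enables debug logging, since the three log files are created when the process starts.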

Unlike audit logging, the amount of information in the debug log is not controlled by the global log level in the console. Instead, debug logging is controlled by the file located in the resources/ directory. The primary settings that can be changed in this file are the log levels. The log levels for debug logging behave identically to the settings for the audit logs but give more fine-grained control.

The = FINE line in sets the default log level to FINE, but individual components change the log level to increase or decrease the default amount of logging. In general, the defaults provided in this file will produce an adequate amount of debug logging without populating the log with unnecessary information.

The following table summarizes the component-level debug log levels. In the Component column, is implied:

Table C–1 Component-Level Debug Log Levels


Type of Logging
Level

Interaction with directory sources for detecting and applying changes, which is useful when problems accessing a directory source need to be diagnosed.

Communication between the connector and the subcomponents.
FINE (if not specified, inherits from accessor.level)

Processing that occurs within the controller, including determining membership in an SUL and interaction with the object cache.

Processing that occurs within the agent, including mapping attributes, sending messages over Message Queue, and receiving messages from Message Queue.

Processing that occurs within the agent on actions that are received from Message Queue.

Encryption and decryption routines.

Interaction with Message Queue.

Processing done by the System Manager.
INFO (increasing to FINE+ can significantly slow performance during resynchronization operations)

Processing done by the Central Logger.
<default> (can only be set in

Processing done by the configuration system that retrieves, manages, validates, and saves configuration in the configuration directory.

Processing done by common utility components.

Low-level execution information for each thread in the system.
INFO (increasing to FINE+ can significantly slow performance)

Low-level parsing details for XML configuration objects.
INFO (increasing to FINE+ can significantly slow performance)

These log levels can be changed by editing the files. The changes will be reflected after a restart.

Note –

All messages that appear in the audit log file also appear in the debug log file to facilitate correlation of events between the logs.

Debug Logging in the Installer

The installer and uninstaller can be configured to write extra debugging information to the installer log file, for example, Identity_Synchronization_for_Windows_install-20041025035143.log, by setting the ISW_DEBUG_INSTALL environment variable to true before starting the installer.

Note –

Secure information such as passwords might appear in the installer log file when debug logging is enabled.

Debug Logging in the Console

The console logs some information to the central log, but most information is only logged if the console is started with the -D option to enable debug logging. The -D option accepts a single argument that controls the amount of logging to generate. The argument varies from 1 (least) to 9 (most). By default, the logging information is only written to stderr, but it can also be redirected to a file using the -f option, for example:

bash-2.05# ./startconsole -D 7 -f /tmp/console.log