9.7 Configuring Different Threshold Levels for Different Types of Data

When diagnosing a problem, you may not want detailed logs for every operation that a component performs.

For example, to diagnose slow response times for requests that an Identity Server submits to its directory, you would want detailed information on LDAP operations and fewer details about other types of operations.

As of release 10.1.4.2, you can configure per-module or per-function threshold levels in the log configuration file, so that Access Manager generates detailed logs for some components while generating concise logs, or no logs, for others.

You configure per-module logging thresholds in a MODULE_CONFIG section in the oblog_config_wg.xml file. The MODULE_CONFIG section overrides the global default that you specify with the LOG_THRESHOLD_LEVEL parameter in the SimpleList section of this file.

The rest of this section discusses the following topics:

9.7.1 About the MODULE_CONFIG Section

In addition to the global threshold, the configuration file can contain a ValNameList that defines function- or module-specific log thresholds. The name of this list is always MODULE_CONFIG.

As described in "Structure and Parameters of the WebGate Log Configuration File", in the log configuration file you configure a global logging threshold. The following is an example of the global LOG_THRESHOLD_LEVEL setting:

   <SimpleList> 
      <NameValPair ParamName="LOG_THRESHOLD_LEVEL" Value="LOGLEVEL_WARNING" /> 
      . . . 
   </SimpleList>

Only one instance of MODULE_CONFIG is permitted in the log configuration file, and the information in the list applies to all log writers defined in the file. As of release 10.1.4.2, the default log configuration file contains a commented sample of the MODULE_CONFIG list.

Each item in the MODULE_CONFIG list sets a logging level for a module, as shown in the following example:

<ValNameList xmlns="http://www.oblix.com" ListName="MODULE_CONFIG">
    <NameValPair ParamName="LDAP" Value="LOGLEVEL_TRACE"></NameValPair>
    <NameValPair ParamName="DB_RUNTIME" Value="LOGLEVEL_TRACE"></NameValPair>
</ValNameList>

The elements in this section are as follows:

  • The ValNameList tag delimits the list of per-module logging thresholds.

  • One NameValPair tag delimits each specific per-module logging threshold.

  • The ParamName parameter sets the name of a module or function.

    See Table 9-8 for a list of valid values.

  • The Value parameter sets the logging threshold for the module that you specify as a value for the ParamName parameter.

    Table 9-1 lists the permissible values for the Value parameter. In addition to these values, you can specify the value ON to enable logging for the module and a value of OFF to disable logging for the specific module.

The following sections contain more information.

9.7.1.1 Location of the Per-Module Logging Section in the Log Configuration File

You add the per-module logging threshold section near the end of the log configuration file, after the closing tag for the compound list for the log-handlers and before the closing tag for the first compound list in the file.

This section contains an example of the per-module logging section. See "Configuring a Log Level Threshold for a Function or Module" for details.

9.7.1.2 List of Modules That Can Be Logged

You can specify values for the ParamName parameter in the MODULE_CONFIG list.

Table 9-8 describes a partial list of values that can be logged.

Table 9-8 ParamName Values You Can Configure for Per-Module Logging Threshold

ParamName Value Logging Threshold That This Parameter Sets

AAA_ACTIONS

Sets a logging threshold for triggered actions that are configured as part of a policy in the OAM Server.

<ValNameList xmlns="http://www.oblix.com"
       ListName="MODULE_CONFIG">
<NameValPair ParamName="AAA_ACTIONS" Value="OFF">
</NameValPair>
</ValNameList>

AAA_AMENGINE

Sets a logging threshold for activity performed by the Access Manager engine.

AAA_ISRESRCOPPROT

Sets a logging threshold for all OAM Server activities related to determining if a resource operation is protected.

ACCESS_CLIENT

Sets a logging threshold for operations performed by an access client, that is, an Access Client or Webgate.

ACCESS_GATE

Sets a logging threshold for operations performed by an Access Client.

ACCESS_SDK

Sets a logging threshold for operations performed by the Access Manager SDK interface.

See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details.

ACCESS_SERVER

Sets a logging threshold for operations performed in the OAM Server.

AM_SDK

Sets a logging threshold for the Access Manager SDK.

See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details.

AUDIT

Sets a logging threshold for auditing.

See Auditing Administrative and Run-time Events for details.

AUTHENTICATION

Sets a logging threshold for user authentication operations.

AUTHN_MGMT

Sets a logging threshold for authentication scheme management.

AUTHN_PLUGIN

Sets a logging threshold for operations performed by an authentication plug-in.

AUTHORIZATION

Sets a logging threshold for user authorization operations.

AUTHZ_MGMT

Sets a logging threshold for authorization scheme management.

AUTHZ_PLUGIN

Sets a logging threshold for authorization plug-in operations.

CACHE

Sets a logging threshold for cache management and operations on the caches.

CONN_MGMT

Sets a logging threshold for connection management.

CONN_RUNTIME

Sets a logging threshold for connection run time.

CONNECTIVITY

Sets a logging threshold for client-server connectivity and messaging.

DB_CONFIGURATION

Sets a logging threshold for the data store interface layer configuration.

DB_RUNTIME

Sets a logging threshold for the data store interface layer run time.

DIAGNOSTIC_FRAMEWORK

Sets a logging threshold for the diagnostic framework.

GROUPDB

Sets the threshold for logging accesses of Group Manager data in the directory.

GROUP_MGR

Sets the threshold for logging Group Manager operations.

HTTP_REQ

Sets the threshold for logging HTTP request processing.

IDXML

Sets the threshold for logging IDXML operations.

See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details.

LDAP

Sets a logging threshold for LDAP SDK, for example:

<ValNameList xmlns="http://www.oblix.com"
        ListName="MODULE_CONFIG">
<NameValPair ParamName="LDAP" Value="LOGLEVEL_TRACE">
</NameValPair>
</ValNameList>

NET

Sets a logging threshold for network APIs.

OBMYGROUPS

Sets a logging threshold for ObMyGroups processing. This refers to searches of groups where the person who initiated the search is a member.

OIS_CLIENT

Sets a logging threshold for the Identity client.

POLICY_MGMT

Sets a logging threshold for policy and policy domain management.

PPP

Sets a logging threshold for Identity Event Plug-in API operations.

See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details.

QUERY_BUILDER

Sets a logging threshold for Query Builder operations.

SECURITY

Sets a logging threshold for the security and encryption library.

SELECTOR

Sets a logging threshold for Selector operations.

SERVER

Sets a logging threshold for server infrastructure.

SSOTOKEN

Sets a logging threshold for single sign-on token management.

UTILS

Sets a logging threshold for utility classes.

WEB

Sets a logging threshold for the Web server plug-in interface.

XML

Sets a logging threshold for the XML Infrastructure.

9.7.2 Configuring a Log Level Threshold for a Function or Module

You can configure a function- or module-specific log level threshold.

To configure:

  1. Open the log configuration file in the following location:

    Webgate_install_dir\identity|access\oblix\config

  2. If a ValNameList section with a ListName of MODULE_CONFIG does not already exist in this file, create one that is similar to the following:

    <ValNameList xmlns="http://www.oblix.com" ListName="MODULE_CONFIG">
    </ValNameList>

    Place this list after the end tag for the compound list that contains the log handler definitions. If there are comments immediately after this end tag, place the list after the comments.

  3. Between the opening and closing tags of the new ValNameList element, configure one or more NameValPair elements.

    This element contains a ParamName parameter and a Value parameter. See Table 9-8 for the modules that you can supply on the ParamName parameter. See Table 9-1 for values, or you can specify a value of On or Off. The following is an example:

    <NameValPair ParamName="LDAP" Value="LOGLEVEL_TRACE"></NameValPair>
    

    You can specify multiple NameValPair elements within the ValNameList.

    A complete per-module logging threshold section is illustrated in the following example, as the uncommented MODULE_CONFIG list that follows the commented sample:

    <!--  ============================================================   -->
    <!--  Configure the Log Level                                        -->
    . . .
    <CompoundList xmlns="http://www.oblix.com" ListName="LOG_CONFIG">
     
    <!-- Write all FATAL logs to the system logger. -->
    <ValNameList xmlns="http://www.oblix.com" ListName="LogFatal2Sys">
         <NameValPair ParamName="LOG_LEVEL" Value="LOGLEVEL_FATAL">
         </NameValPair>
         <NameValPair ParamName="LOG_WRITER" Value="SysLogWriter">
         </NameValPair>
         <NameValPair ParamName="LOG_STATUS" Value="On">
         </NameValPair>
    </ValNameList>
    . . .
    </CompoundList>
    <!--  List of values that can be specified in the module config      -->
    <!--                                                                 -->
    <!--  On - Uses loglevel set in the loglevel threshold               -->
    <!--  Off - No information is logged                                 -->
    <!--  LOGLEVEL_FATAL - serious error, possibly a program halt.       -->
    <!--  LOGLEVEL_ERROR - a transient or self-correcting problem.       -->
    <!--  LOGLEVEL_WARNING - a problem that does not cause an error.     -->
    <!--  LOGLEVEL_INFO - reports the current state of the component.    -->
    <!--  LOGLEVEL_DEBUG1 - basic debugging information.                 -->
    <!--  LOGLEVEL_DEBUG2 - advanced debugging information.              -->
    <!--  LOGLEVEL_DEBUG3 - logs performance-sensitive code.             -->
    <!--  LOGLEVEL_TRACE - used when you need to trace the code path     -->
    <!--  execution or capture metrics. Includes all previous levels.    -->
    <!--                                                                 -->
    <!--  List of modules that can be specified in the module config     -->
    <!--                                                                 -->
    <!--  ALL_MODULES - Applies to all log modules                       -->
    <!--  Specific module name - Applies to specific module              -->
    <!--                                                                 -->
    <!--                                                                 -->
    <!--    <ValNameList                                                 -->
    <!--        xmlns="http://www.oblix.com"                             -->
    <!--        ListName="MODULE_CONFIG">                                -->
    <!--        <NameValPair                                             -->
    <!--            ParamName="CONNECTIVITY"                             -->
    <!--            Value="LOGLEVEL_TRACE"></NameValPair>                -->
    <!--    </ValNameList>                                               -->
     
        <ValNameList xmlns="http://www.oblix.com" ListName="MODULE_CONFIG">
            <NameValPair ParamName="LDAP" Value="LOGLEVEL_TRACE"></NameValPair>
            <NameValPair ParamName="DB_RUNTIME" Value="LOGLEVEL_TRACE">
            </NameValPair>
        </ValNameList>
     
    </CompoundList>
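
An added example (not Oracle's code and not part of the original page): a Python check that reads a log configuration, resolves each MODULE_CONFIG entry against the global LOG_THRESHOLD_LEVEL, and reports entries that break the rules described above or that log more verbosely than the global threshold. The sample XML is constructed, and accepting ON/OFF in any letter case is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.oblix.com}"
# Least to most verbose, in the order the sample file's comments list them.
LEVELS = ["LOGLEVEL_FATAL", "LOGLEVEL_ERROR", "LOGLEVEL_WARNING", "LOGLEVEL_INFO",
          "LOGLEVEL_DEBUG1", "LOGLEVEL_DEBUG2", "LOGLEVEL_DEBUG3", "LOGLEVEL_TRACE"]

# Constructed sample input (not a real deployment's file); two entries are deliberately wrong.
SAMPLE = """<CompoundList xmlns="http://www.oblix.com" ListName="sample_config">
  <SimpleList>
    <NameValPair ParamName="LOG_THRESHOLD_LEVEL" Value="LOGLEVEL_WARNING" />
  </SimpleList>
  <ValNameList xmlns="http://www.oblix.com" ListName="MODULE_CONFIG">
    <NameValPair ParamName="LDAP" Value="LOGLEVEL_TRACE"></NameValPair>
    <NameValPair ParamName="AAA_ACTIONS" Value="OFF"></NameValPair>
    <NameValPair ParamName="AUDIT" Value="On"></NameValPair>
    <NameValPair Paramname="DB_RUNTIME" Value="LOGLEVEL_TRACE"></NameValPair>
    <NameValPair ParamName="SECURITY" Value="LOGLEVEL_VERBOSE"></NameValPair>
  </ValNameList>
</CompoundList>"""

def audit(xml_text):
    """Return (global_level, {module: effective level}, [findings])."""
    root = ET.fromstring(xml_text)
    findings, effective, global_level = [], {}, None
    for simple in root.iter(NS + "SimpleList"):
        for pair in simple.iter(NS + "NameValPair"):
            if pair.get("ParamName") == "LOG_THRESHOLD_LEVEL":
                global_level = pair.get("Value")
    lists = [v for v in root.iter(NS + "ValNameList") if v.get("ListName") == "MODULE_CONFIG"]
    if len(lists) > 1:
        findings.append("more than one MODULE_CONFIG list; only one is permitted")
    for pair in (p for v in lists for p in v.iter(NS + "NameValPair")):
        name, value = pair.get("ParamName"), pair.get("Value", "")
        if name is None:  # XML attribute names are case-sensitive
            findings.append(f"NameValPair without ParamName: attributes {sorted(pair.attrib)}")
        elif value.upper() == "OFF":  # assumption: ON/OFF accepted in any case
            effective[name] = "OFF"
        elif value.upper() == "ON":  # On: the module uses the global threshold
            effective[name] = global_level
        elif value in LEVELS:
            effective[name] = value
            if global_level in LEVELS and LEVELS.index(value) > LEVELS.index(global_level):
                findings.append(f"{name}: {value} is more verbose than global {global_level}")
        else:
            findings.append(f"{name}: unrecognised Value {value!r}")
    return global_level, effective, findings

if __name__ == "__main__":
    level, effective, findings = audit(SAMPLE)
    print("global:", level, effective)
    print("\n".join(findings))
```

Run it against a copy of the configuration after a diagnostic session to list the overrides that still exceed the global threshold.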