To set up trace logging, use the following process:
Before you can use trace logging, you must configure it by specifying a name, location, and parameters for the trace log file. These settings control the size and format of the file itself. After trace logging is configured, you determine the content of the trace log file separately. This lets you change the types of information contained in your trace log at any time, without changing the parameters of the trace log file itself.
Follow these steps:
Note: Setting the value of this parameter to yes in a local configuration file of a web server overrides any of the logging settings that are defined on the Policy Server. For example, suppose that the value of this parameter is set to yes in a LocalConfig.conf file. The agent creates log files even though the value of the AllowLocalConfig parameter in the corresponding agent configuration object is set to no. You can also set the related logging parameters in the LocalConfig.conf file also to override any other settings in the agent configuration object.
Specifies the full path to the trace log file.
Default: No default
Limits: Specify the file name in this parameter.
Example: web_agent_home\log\trace.log
Specifies the location of the WebAgentTrace.conf configuration file that determines which components and events to monitor.
Default: No default
Example: web_agent_home\config\WebAgentTrace.conf
Note: This file is not used until the web server is restarted.
Adds new logging information to the end of an existing log file instead of rewriting the entire file each time logging is invoked.
Default: No
Specifies how the trace file displays the messages. Choose one of the following options:
Default: default (square brackets)
Specifies a custom character that separates the fields in the trace file.
Default: No default
Example: |
Specifies (in megabytes) the maximum size of a trace file. The Web Agent creates a new file when this limit is reached.
Default: 0 (a new log file is not created)
Example: 20 (MB)
Specifies whether the logs use Greenwich Mean Time (GMT) or local time. To use GMT, change this setting to no. If this parameter does not exist, the default setting is used.
Default: Yes
Framework Agents do not support dynamic configuration of log parameters set locally in the Agent configuration file. Consequently, when you modify a parameter, the change does not take effect until you restart the web server. However, these log settings can be stored and updated dynamically if you configure them in an Agent configuration object on the Policy Server.
The CA SiteMinder® Agent can monitor specific CA SiteMinder® components. When you monitor a component, all of the events for that component are recorded in the trace log. Each component has one or more subcomponents that the agent can also monitor. If you do not want the agent to record all of the events for a component, you can specify only those subcomponents you want to monitor instead.
For example, if you want to record only the single sign-on messages for an agent on a web server, you would specify the WebAgent component and the SSO subcomponent.
The following components and subcomponents are available:
Records all Agent framework messages. (Applies only to framework agents.) The following subcomponents are available:
Records web Agent messages related to the 4.x Affiliate Agent, which is part of Federation Security Services, a separately-purchased product. (Applies only to framework agents.) The following subcomponent is available:
Web Agent messages related to the SAML Affiliate Agent. (Applies only to framework agents.) The following subcomponent is available:
Records all Web Agent log messages. Applies to all Agents except IIS 6.0 or Apache 2.0 Agents. The following subcomponents are available:
Records all Agent API messages. The following subcomponents are available:
Records messages related to internal processing of the Agent API. The following subcomponents are available:
You can define what each trace message for a specific component contains by specifying which data fields to include in the message.
Data fields use the following syntax:
data:data_field1,data_field2,data_field3
Some data fields are shown in the following example:
data:message,date,time,user,agentname,IPAddr
There may not be data for fields in each message, so blank fields my occur. For example, if you select RealmOID as a data field, some trace messages will display the realm's OID while others will not.
The following data fields are available:
Includes the actual trace message
Includes the source file and line number of the trace message
Includes the process ID
Includes the thread ID
Includes the date
Includes the time
Includes the time, including milliseconds
Includes the function in the code containing the trace message
Includes the name of the user
Includes the CA SiteMinder® domain
Includes the CA SiteMinder® realm
Includes the Agent name being used
Includes the transaction ID
Includes the CA SiteMinder® domain OID
Includes the client IP address
Includes the trace file displays the IP of the server where Agent is present
Includes the client IP port
Includes the certificate serial number
Includes the subject DN of the certificate
Includes the Issuer DN of the certificate
Includes the CA SiteMinder® session spec
Includes the CA SiteMinder® session ID
Includes the User DN
Includes the requested resource
Includes the requested action
Includes the realm OID
Includes the average response time in milliseconds of the Policy Servers associated with a CA Web Agent or SDK Agent and API application
Note: To output the ResponseTime to a trace log, include the component Agent_Con_Manager along with the data field ResponseTime in the WebAgentTrace.conf file or other file specified in the Policy Server Configuration Object (ACO) and restart the Policy Server. The Agent_Con_Manager component, or Agent API Connection Manager, calculates the ResponseTime each time a response is received from a Policy Server and keeps a running average. To locate the ResponseTime in the trace log, search for [PrintStats].
To focus on a specific problem, you can narrow the output of the trace log by specifying a filter based on the value of a data field. For example, if you are having problems with an index.html page, you can filter on resources with an html suffix by specifying Resource:==/html in the trace configuration file. Each filter should be on a separate line in the file.
Filters use the following syntax:
data_field:filter
The following types of filters are available:
The filters use boolean logic as shown in the following examples:
Action:!=get (all actions except get)
Resource:==/html (all resources ending in /html)
The WebAgentTrace.conf file determines the content of the trace log. You can control which components and data items appear in your trace log by modifying the settings of the WebAgentTrace.conf file on your web server. The following factors apply when editing the file:
When you specify a component, data field, or filter, the values must match exactly the options in the WebAgentTrace.conf file instructions.
Follow these steps:
Note: We recommend duplicating the original file and changing the copy. Modifying the copy preserves the default settings.
# For Apache 2.0, Apache 2.2, IIS 7.0 and SunOne Web Agents
#components:
components: AgentFramework, HTTPAgent
components: AgentFramework/Administration
#data:
data: Date, Time, Pid, Tid, TransactionID, Function, Message, IPAddr
data: Date, Time, Pid, Tid, TransactionID, Function, Message, IPAddr:==127.0.0.1
Note: Each filter must be on a separate line in the file.
The content of the trace log has been determined.
You can limit the number of trace logs that a CA SiteMinder® agent keeps. For example, if you want to save disk space on the system that stores your agent logs, you can limit the number of trace logs using the following parameter:
Specifies the number of CA SiteMinder® agent trace log files that are kept. New trace logs are created in the following situations:
Changing the value of this parameter does not automatically delete any existing trace logs which exceed the number that you want to keep. For example, If your system has 500 trace logs stored, and you decide to keep only 50 of those files, the agent does not delete the other 450 trace logs.
Setting the value of this parameter to zero retains all the trace logs.
Default: 0
Follow these steps:
To collect detailed information about the connections between a SiteMinder WSS Agent and Policy Server, you create a Trace Log file that contains information gathered by the Agent Collection Manager.
Follow these steps:
Note: Setting the value of this parameter to yes in a local configuration file of a web server overrides any of the logging settings defined on the Policy Server. For example, when the value of this parameter is set to yes in a LocalConfig.conf file log files are generated even if the value of the AllowLocalConfig parameter in the corresponding Agent Configuration object on the Policy Server is set to no. Additionally, set the related trace logging parameters (that define the file name, size, and so on) in the LocalConfig.conf file to override any Policy Server trace log settings.
agent_home/config/AgentConMgr.conf
Indicates the directory where the SiteMinder WSS Agent is installed on your web server.
Default (Windows 32-bit SiteMinder WSS Agent installations: C:\Program Files\CA\Web Services Security\webagent
Default (Windows 64-bit SiteMinder WSS Agent installations: C:\Program Files\CA\Web Services Security\webagent\win64
Default (Windows 32-bit SiteMinder WSS Agent installations operating on 64-bit systems: C:\Program Files (x86)\CA\Web Services Security\webagent\win32
Adds new logging information to the end of an existing log file instead of rewriting the entire file each time logging is invoked.
Default: No
Specifies a custom character that separates the fields in the trace file.
Default: No default
Example: |
Specifies (in megabytes) the maximum size of a trace file. The Web Agent creates a new file when this limit is reached.
Default: 0 (a new log file is not created)
Example: 20 (MB)
Specifies how the trace file displays the messages. Choose one of the following options:
Default: default (square brackets)
Specifies whether the logs use Greenwich Mean Time (GMT) or local time. To use GMT, change this setting to no. If this parameter does not exist, the default setting is used.
Default: Yes
Detailed information about the SiteMinder WSS Agent connections is collected.
Note: For CA SiteMinder® 12.52 SP1, the BusyHandleCount and FreeHandleCount attributes are not used.
In addition to Web Agent logging functionality, the SiteMinder WSS Agent provides an additional level of log information relating specifically to its processing of XML messages. SiteMinder WSS Agent logging is implemented using Apache’s log4j standard (see http://logging.apache.org).
Note: SiteMinder WSS Agent logging does not start until an XML message that needs to be processed is received.
By default, SiteMinder WSS Agent logging is enabled and written to the soasm_agent.log file in:
Indicates the directory where the SiteMinder WSS Agent is installed on your web server.
Default (Windows 32-bit SiteMinder WSS Agent installations: C:\Program Files\CA\Web Services Security\webagent
Default (Windows 64-bit SiteMinder WSS Agent installations: C:\Program Files\CA\Web Services Security\webagent\win64
Default (Windows 32-bit SiteMinder WSS Agent installations operating on 64-bit systems: C:\Program Files (x86)\CA\Web Services Security\webagent\win32
You can change logging parameters for your SiteMinder WSS Agent by editing the log.config file, which can be found in:
To disable SiteMinder WSS Agent XML message processing logging, remove or comment out (using a "#" prefix) the following lines from the log.config file located in the Agent config subdirectory:
log4j.appender.A2=org.apache.log4j.DailyRollingFileAppender log4j.appender.A2.File=${NETE_TXM_ROOT}/bin/soasm_agent.log
Copyright © 2014 CA.
All rights reserved.
|
|