Policy Server Guides › Policy Server Administration Guide › Configuring Policy Server Logging › How to Enable Assertion Attribute Logging on Windows Operating Environments

How to Enable Assertion Attribute Logging on Windows Operating Environments

You can record information about the assertion attributes to the audit logs. Use these logs for a security audit, or during an investigation. The type of event determines the information that is recorded in the log. The following events are recorded when you enable assertion‑attribute logging:

• Any assertion generations
• Any assertion consumptions
• Any authentication success
• Any authentication failures
• Any authentication attempts
• Any application access

The logging of assertion attributes is disabled by default. Enable assertion‑attribute logging on your Policy Server.

The following graphic describes how to enable assertion attribute logging:

Follow these steps:

1. Open the Windows registry editor.
2. Change the value of the registry key.
3. Restart your Policy Server with the following steps:
   1. Stop your Policy Server.
   2. Start your Policy Server.

Open the Windows Registry Editor

Change this setting by opening the Windows registry editor on the system hosting your Policy Server.

Follow these steps:

1. Click Start, Run.
2. Type the following text in the Open: Field.

   regedit
   

3. Click OK.

   The Windows registry editor opens.

Change the Value of the Registry Key

The following registry key controls attribute assertion logging:

Enable Enhance Tracing

Indicates whether attribute assertions are recorded in the audit logs. A value of 2 enables logging. A value of 3 enables logging and records the authentication method of the user. A value of 4 enables logging for Enhanced Session Assurance with DeviceDNA™

Limits: 0, 2, 3, 4

Default: 0 (logging disabled)

Follow these steps:

1. In the registry editor, expand the following item:

   HKEY_LOCAL_MACHINE
   

2. Click Software, Netegrity, SiteMinder, Currentversion, Reports.
3. Locate the following registry key:

   Enable Enhance Tracing
   

4. Right-click the key, and then pick Modify.
5. Do one of the following tasks:
   • To enable the logging of assertion attributes, change the value to 2.
   • To enable the logging of the assertion attributes and the authentication method used, change the value to 3.
   • To enable the logging for Enhanced Session Assurance with DeviceDNA™, change the value to 4.
   • To disable the logging of assertion attributes, change the value to 0.
6. Click OK.
7. Close the registry editor.

   The value of the Enable Enhance Tracing registry key is changed.

Stop a Windows Policy Server

Stop your Policy Server before continuing. Stopping a Policy Server has the following results:

• The Policy Server is temporarily removed from your environment.
• Agents who need authorization or authentication decisions cannot contact the stopped Policy Server. Those Agents can still connect to other Policy Servers that are available.
• All logging activity stops.

Follow these steps:

1. Log in to the Policy Server host system.

   Note: Use an account with administrator privileges.

2. Click Start, Programs, SiteMinder, SiteMinder Policy Server Management Console.
3. Click the Stop button.
4. Click OK.

   The Policy Server stops and the console closes.

Start a Windows Policy Server

Start the Policy Server. Starting Policy Server has the following results:

• Agents contact the Policy Server for authorization or authentication decisions.
• Logging begins.

Follow these steps:

1. Click Start, Programs, SiteMinder, SiteMinder Policy Server Management Console.

   The console opens with the Status tab selected.

2. Click the Start buttons.
3. Click OK.

   The Policy Server starts.