The server trace log (smtracedefault.log file) follows federation server runtime activities. The default location for this trace log is in the directory federation_install_dir\logs\server.
Note: If you enable tracing, large log files can result.
Two tasks are required to set up server-side trace logging:
Set up the log configuration file. A log configuration file defines which components are monitored and therefore, what is written to the smtracedefault.log file. You can use one of the following files for federation:
For efficiency, use one of the templates. Enter the name of a template in the LogTraceConfig parameter, which you access with the XPSConfig command and by selecting the SM option.
Note: The preconfigured templates are in federation_install_dir\siteminder\config\profiler_templates.
In place of the templates, you can use the default file and manually add all federation components in this file.
Follow these steps:
components: Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, JavaAPI, Fed_Server/Assertion_Generator, Fed_Server/Auth_Scheme, Fed_Server/Configuration
data: Date, Time, Tid, TransactionID, SrcFile, Function, Domain, Resource, Action, User, SessionID, Data, AuthReason, Message
Use the XPSConfig tool, included with the product, to enable tracing for server-side runtime activities. XPSConfig is an interactive command-line utility that allows you to view product parameters and edit their settings.
Follow these steps:
Type the command as it is shown here. The command is case-sensitive.
The Products Menu displays.
The Parameters Menu displays. A number is associated with each parameter that you can modify.
Enables tracing. By default, tracing is off, which is indicated by a space between two quotation marks (" "). Do not leave the setting blank.
This value points to the tracing configuration file. There is no default value. Enter federation_install_dir\siteminder\config\template_name. The default template is smtracedefault.txt. There are other trace templates specifically for federation.
Examples:
federation_install_dir\siteminder\config\samlidp_trace.template
federation_install_dir\siteminder\config\samlsp_trace.template
Indicates whether messages are displayed in a console window. The default is not to log to the console.
Determines how information is displayed in the log. The default is sm. This setting works with the LogTraceDelimiter setting to specify which character acts as a delimiter.
Specifies the trace mode. The default is 0.
Identifies a character to serve as a delimiter in the log output file. There is no default value.
Specifies the location of the log output file. The default is federation_install_dir\logs\server.
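As an added example (not product code or documentation), the following Python script parses trace lines written in a delimited layout and answers two questions an operator or incident responder typically has: which login attempts failed, and what a given session did across components. It assumes LogTraceFormat was set to a delimited layout with LogTraceDelimiter set to "|", and that each line carries the fields named on the template's data: line, in that order. The sample lines are constructed, and reading an AuthReason of 0 as "no failure reason" is an assumption.

```python
"""Parse a delimited SiteMinder federation trace log (smtracedefault.log).

Added example, not from the product. Assumes LogTraceFormat is a delimited
layout, LogTraceDelimiter is '|', and each line carries the fields named on
the template's "data:" line, in that order. Sample lines are constructed.
"""
from collections import Counter

# Field order taken from the template's "data:" line.
TRACE_FIELDS = [
    "Date", "Time", "Tid", "TransactionID", "SrcFile", "Function", "Domain",
    "Resource", "Action", "User", "SessionID", "Data", "AuthReason", "Message",
]

# Constructed sample, not real product output. Empty fields are allowed,
# and the last line is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
05/22/2013|10:15:01.123|4012|a1b2c3|SmAuthUser.cpp|CSmAuthUser::Login|fedpartners|/affwebservices/public/saml2sso|GET|alice|sess-0001||0|Login succeeded
05/22/2013|10:15:02.456|4012|a1b2c4|SmAuthUser.cpp|CSmAuthUser::Login|fedpartners|/affwebservices/public/saml2sso|GET|bob|||1|Login failed: bad credentials
05/22/2013|10:15:03.789|4013|a1b2c5|SmAssertionGen.cpp|CSmAssertionGenerator::Generate|fedpartners|/affwebservices/public/saml2sso|GET|alice|sess-0001|partner=sp1|0|Assertion generated
this line is not delimited and is skipped
"""


def parse_trace(text, delimiter="|", fields=TRACE_FIELDS):
    """Return one dict per well-formed line; lines with the wrong field count are skipped
    rather than silently misaligning columns."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(delimiter)
        if len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def failed_logins(records):
    """(User, Message) for Login calls whose AuthReason is not 0.
    Assumption: AuthReason 0 means no failure reason was recorded."""
    return [(r["User"], r["Message"]) for r in records
            if r["Function"].endswith("::Login") and r["AuthReason"] != "0"]


def activity_by_source(records):
    """Count entries per source file, a quick view of which components were active."""
    return Counter(r["SrcFile"] for r in records)


def session_trail(records, session_id):
    """Time-ordered (Time, Function, Message) for one SessionID across components."""
    trail = [(r["Time"], r["Function"], r["Message"])
             for r in records if r["SessionID"] == session_id]
    return sorted(trail)


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_LOG)
    print(failed_logins(recs))
    print(activity_by_source(recs))
    print(session_trail(recs, "sess-0001"))
```

Reading a real file is a matter of passing `open(path).read()` to `parse_trace` with the delimiter you configured; if `LogTraceDelimiter` was left at its default (no value), the log is in the sm layout and this delimited parser does not apply.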
Note: Any changes to the log rollover settings apply to the smtracedefault.log file and the smps.log file.
The rollover parameters are as follows:
Represents the number of Policy Server error logs to keep. Older files are deleted.
Indicates if a rollover occurs on a daily basis. Enter the number that corresponds to the number of days that pass before a rollover occurs.
Indicates if a rollover occurs on an hourly basis. If this value is set, LogRolloverDays is ignored.
Indicates whether the log file is rolled over when the services are started.
Indicates at what size the log file is rolled over. If the system reaches the size limit before the next rollover interval, the log file still rolls over.
Indicates what time of day to perform the rollover. The system uses this setting with the LogRolloverDays parameter. Enter a value in the form "hour:minutes" using a 24-hour clock.
Example: "22:00"
Changes made in XPSConfig are not recognized until you exit the XPSConfig tool. Where noted, some changes require that you restart the system services.
The server.log file is useful for examining the Administrative UI operation of the product. This log also contains messages about the embedded SPS server. This log file resides in the directory federation_install_home/logs/ui.
The logger.properties file and the log4j.properties file contain the log settings that determine what is recorded in the server.log file. The settings are groups of name/value pairs or directives that the system reads at run time.
Logger.properties file
The logger.properties file resides in the directory federation_install_dir/secure-proxy/Tomcat/properties. The file contents are grouped into the following sections:
The directives contained in this file follow the format name=value. Any lines beginning with the # symbol are comments, and are not read when the system loads configuration settings.
Note: Pathnames on Windows systems use double backslashes (\\).
Log4j.properties
The log4j.properties file resides in the directory federation_install_dir/secure-proxy/Tomcat/webapps/fedui/WEB-INF/classes. This file determines the log level recorded for Administrative UI operation.
The procedure for modifying the log files is the same. You can modify the files without restarting the system.
Follow these steps:
The log settings are changed.
Server.conf Settings
The Server.conf settings in the logger.properties file enable and disable logging, set the logging level, and set the output format of the log messages. The entry that you can modify in this section must be in the following format:
log4j.rootCategory=<log_level>,<output_format>
log_level
Specifies the log level of a message. The following values are listed in an increasing order of priority:
OFF, FATAL, ERROR, WARN, INFO, DEBUG, ALL
To disable logging, set the log level to OFF. If the value is set to any other value, logging is enabled.
Default: INFO
output_format
Specifies whether a log message is displayed in a console, or in a file, or both.
Default: SvrFileAppender
Example: To set the log level to INFO and display a log message in a console and in a file, use the following entry:
log4j.rootCategory=INFO,SvrConsoleAppender,SvrFileAppender
SvrConsoleAppender Settings
The SvrConsoleAppender Settings section controls logging events to a console. The entry that you can modify in this section is:
log4j.appender.SvrConsoleAppender.layout.ConversionPattern=<log_message_format>
log_message_format
Specifies the format of a log message output to the console. The product supports all the log4j date pattern strings.
Default Value: [%d{dd/MMM/yyyy:HH:mm:ss-SSS}] [%p] - %m%n
SvrFileAppender Settings
The SvrFileAppender Settings section controls logging events to a file. This section defines the log rollover frequency and the format of the log messages that are written to the file. The entries that you can modify in this section are:
log4j.appender.SvrFileAppender.File=<log_file_path>
log4j.appender.SvrFileAppender.Append=true
log4j.appender.SvrFileAppender.layout.ConversionPattern=<log_message_format>
log_file_path
Specifies the name and path of the log file.
Default Name: server.log
Default Path: install_dir_home/secure-proxy/proxy-engine/logs/ui/server.log
true|false
Directs the system whether to append log messages to an existing file. If this value is set to true, the system appends new log messages to the existing log file. If this value is set to false, the system rolls over the existing log file and generates a new log file.
Default Value: true
log_message_format
Specifies the format of log messages that the system writes to the server.log file. The product supports all the log4j date pattern strings.
Default Value: [%d{dd/MMM/yyyy:HH:mm:ss-SSS}] [%p] - %m%n
Type of Log Rolling Used
The log rolling section determines when an existing log file is rolled over and a new log is generated. You can enable a log to roll over based on the file size or the file date.
The entries that you can modify in this section are:
log4j.appender.SvrFileAppender.MaxFileSize=1MB
log4j.appender.SvrFileAppender.MaxBackupIndex=10
#log4j.appender.SvrFileAppender.DatePattern='.'yyyy-MM-dd
MaxFileSize
Specifies the maximum size the log file can reach; when that size is reached, the system creates a new log file.
Default Value: 1MB
MaxBackupIndex
Specifies the maximum number of log files that the system creates. If the number of log files exceeds the MaxBackupIndex number, the system deletes the oldest log file and generates a new one.
Default Value: 10
DatePattern
Specifies the date pattern that determines when the system creates a new log file.
Default: yyyy-MM-dd
A new log file is created with the name <log_file_name>.<date_format>
log_file_name
Specifies the name of the log file.
Default: server.log
date_format
Specifies the date when the log file was created. The product supports all the log4j date pattern strings.
Default: yyyy-MM-dd
The log4j.properties file controls extra Administrative UI logging that the system writes to the server.log file. This file resides in the directory federation_install_dir\secure-proxy\Tomcat\webapps\fedui\WEB-INF\classes.
You can modify the following entries:
log4j.appender.UIConsoleAppender.layout.ConversionPattern=<log_message_format>
log_message_format
Specifies the format of the log message output to the console. The product supports all the log4j date pattern strings.
Default Value: [%p] %c - %m%n
log4j.rootCategory=<log_level>,<output_format>
log_level
Specifies the log level of a message. The following values are listed in an increasing order of priority:
OFF, FATAL, ERROR, WARN, INFO, DEBUG, ALL
To disable logging, set the log level to OFF. If the value is set to any other value, logging is enabled.
Default: INFO
output_format
Specifies whether a log message is output to a console, to a file, or both.
Default: UIConsoleAppender
Example: To set the log level to INFO and display a log message in a console and in a file, use the following entry:
log4j.rootCategory=INFO,UIConsoleAppender,UIFileAppender
You can also uncomment the two DEBUG entries.
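The following Python script is added here as an example and is not part of the product; it applies to both the logger.properties and the log4j.properties sections above, which share the name=value directive format, the # comment convention and the log4j.rootCategory entry. It reads such a file, checks that the root category's level is one of the listed values and that every appender it names is defined, converts MaxFileSize to bytes, reports which rollover keys of a file appender are active (a commented-out DatePattern is not), and lists observations an operator would want (logging turned OFF, verbose DEBUG/ALL levels, a file appender with no rollover). The sample file is constructed; the appender class names and the Windows path in it (double backslashes, as noted above) are assumptions.

```python
"""Check a log4j 1.x-style properties file of the kind used for server.log.

Added example, not part of the product. The sample below is constructed and
uses the appender names from the documentation; the appender classes and the
Windows path are assumed.
"""

# Levels in increasing order of priority, as listed for log4j.rootCategory.
LOG_LEVELS = ["OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "ALL"]

SAMPLE_PROPERTIES = r"""
# Constructed sample logger.properties (not the shipped file)
log4j.rootCategory=INFO,SvrConsoleAppender,SvrFileAppender

log4j.appender.SvrConsoleAppender=org.apache.log4j.ConsoleAppender
log4j.appender.SvrConsoleAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.SvrConsoleAppender.layout.ConversionPattern=[%d{dd/MMM/yyyy:HH:mm:ss-SSS}] [%p] - %m%n

log4j.appender.SvrFileAppender=org.apache.log4j.RollingFileAppender
log4j.appender.SvrFileAppender.File=C:\\fed\\secure-proxy\\proxy-engine\\logs\\ui\\server.log
log4j.appender.SvrFileAppender.Append=true
log4j.appender.SvrFileAppender.MaxFileSize=1MB
log4j.appender.SvrFileAppender.MaxBackupIndex=10
#log4j.appender.SvrFileAppender.DatePattern='.'yyyy-MM-dd
"""


def parse_properties(text):
    """Return {name: value}; blank lines and lines starting with '#' are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def root_category(props, key="log4j.rootCategory"):
    """Return (level, appenders) for the root category, validating both parts."""
    value = props.get(key)
    if value is None:
        raise ValueError(f"{key} is not set")
    parts = [p.strip() for p in value.split(",")]
    level, appenders = parts[0].upper(), parts[1:]
    if level not in LOG_LEVELS:
        raise ValueError(f"{key}: unknown log level {parts[0]!r}")
    undefined = [a for a in appenders if f"log4j.appender.{a}" not in props]
    if undefined:
        raise ValueError(f"{key}: appenders referenced but not defined: {undefined}")
    return level, appenders


def parse_size(value):
    """Convert a MaxFileSize value such as '1MB' or '512KB' to bytes."""
    v = value.strip().upper()
    for suffix, mult in (("GB", 1024 ** 3), ("MB", 1024 ** 2), ("KB", 1024)):
        if v.endswith(suffix):
            return int(v[: -len(suffix)]) * mult
    return int(v)


def rollover_policy(props, appender):
    """Report the active rollover settings of a file appender.
    A commented-out DatePattern never reaches props, so by_date stays None."""
    prefix = f"log4j.appender.{appender}."
    size = props.get(prefix + "MaxFileSize")
    backups = props.get(prefix + "MaxBackupIndex")
    return {
        "by_size": parse_size(size) if size else None,
        "backups": int(backups) if backups else None,
        "by_date": props.get(prefix + "DatePattern"),
    }


def findings(props):
    """Plain-language observations about the logging configuration."""
    notes = []
    level, appenders = root_category(props)
    if level == "OFF":
        notes.append("logging is disabled (level OFF)")
    elif level in ("DEBUG", "ALL"):
        notes.append(f"level {level} is verbose and can produce large log files")
    for app in appenders:
        if props.get(f"log4j.appender.{app}.Append", "true").lower() == "false":
            notes.append(f"{app}: Append=false, existing log is rolled over rather than appended to")
        pol = rollover_policy(props, app)
        if f"log4j.appender.{app}.File" in props and not (pol["by_size"] or pol["by_date"]):
            notes.append(f"{app}: file appender without size or date rollover")
    return notes


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(root_category(props))
    print(rollover_policy(props, "SvrFileAppender"))
    print(findings(props))
```

Run it against the real file by passing `open(path).read()` to `parse_properties`; the same checks work for the UIConsoleAppender and UIFileAppender names used in log4j.properties.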
Enable XPS tracing to monitor federation data store objects. These activities are written to the smtracedefault.log. The smtracedefault.log is in the directory federation_install_dir\logs\server.
Follow these steps:
Type the command as it is shown here. The command is case-sensitive.
The Products Menu displays.
The Tracer Menu displays.
Use the stop and start shortcuts as follows. If you logged in as a network user and not a local administrator, right-click the shortcut and select Run as administrator.
a. Open a command window.
b. Run the following scripts:
federation_install_dir/fedmanager.sh stop
federation_install_dir/fedmanager.sh start
Note: Do not stop and start the services as the root user.
CA SiteMinder® Federation Standalone automatically creates an audit log, smaccess.log, located in the directory federation_install_dir/logs/server. This log remains empty until you enable logging for authentication events or authorization events, or both, using the XPSConfig command.
Note: XPSConfig is case-sensitive on UNIX platforms.
To enable audit logging
The Product Menu is displayed.
The list of parameters with their current values is displayed.
At the Enter Filter prompt, enter report to find all the settings related to the audit log.
Specifies the log settings for authentication events.
Specifies the log settings for authorization events.
1 = log all events
2 = log only rejection events
Audit logging is enabled.
Note: You can repeat this procedure at any time to update the audit log settings.
The default name for the audit log is smaccess.log, and the default location is federation_install_dir/logs/server. You can change these values.
Follow these steps:
Note: XPSConfig is case-sensitive on UNIX platforms.
The Product Menu is displayed.
The list of parameters and their values is displayed.
At the Enter Filter prompt, enter text to find the setting related to the audit log text file name.
The current value is displayed.
The new file name and location are saved.
You can use an ODBC database to record audit data instead of the default text file.
Follow these steps:
The audit log is in text format, by default. To store audit data in an ODBC database, change the storage type of the log.
Important! If you change the audit log storage type from TEXT to ODBC, you cannot change it back.
Follow these steps:
Note: XPSConfig is case-sensitive on UNIX platforms.
The Product Menu is displayed.
The list of parameters and their current values is displayed.
At the Enter Filter prompt, enter store to find all the settings that are related to the audit log storage type.
The current value is displayed.
Note: Include the colon in the entry.
Note: Enter f to filter the list of settings. At the Enter Filter prompt, enter Db to find all the settings related to the audit log database.
Specifies the data source user name for the audit log.
Limits: A string; only applies when LogStoreNamespace is set to ODBC:.
Specifies the data source user password for the audit log.
Limits: A string; only applies when LogStoreNamespace is set to ODBC:.
Specifies the data source name for the audit log.
Limits: A string; only applies when LogStoreNamespace is set to ODBC:.
Specifies the maximum number of connections to the data source for the audit log.
Default: 15
Limits: Must be an integer; only applies when LogStoreNamespace is set to ODBC:.
Specifies whether the audit log uses the same ODBC data source as the policy store.
Default: FALSE
Limits: TRUE or FALSE; only applies when LogStoreNamespace is set to ODBC:.
ODBC requires that you configure a data source for the MS SQL Server wire protocol.
To create the data source on Windows
The ODBC Data Source Administrator appears.
System data source settings appear.
The Create New Data Source dialog appears.
The ODBC SQL Server Wire Protocol Driver Setup dialog appears.
Example: CA SiteMinder® Federation Standalone Data Source.
Note: Take note of your data source name. This information is required as you configure your database as a policy store.
The connection settings are tested and a prompt appears specifying that the connection is successful.
The SQL Server data source is configured and appears in the System Data Sources list.
Copyright © 2013 CA. All rights reserved.