<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! http://creativecommons.org/licenses/by-nc-nd/3.0/
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! src/main/resources/legal-notices/CC-BY-NC-ND.txt.
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2016 ForgeRock AS.
!
-->
<chapter xml:id='chap-log-messages'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook
http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Log Files and Messages</title>
<para>
This chapter gives information about the different log files and messages
for OpenAM's classic Logging Service, which is based on the Java SDK.
</para>
<note>
<para>
OpenAM 13.0.0 introduces a new Audit Logging Service, which is an
audit logging framework common across all ForgeRock products. Both
logging services are available in OpenAM ${serverDocTargetVersion}, but
the classic Logging Service will be deprecated in a future release.
</para>
</note>
<section xml:id="log-files">
<title>Log Files</title>
<para>This section describes the different OpenAM log files.</para>
<section xml:id="log-audit-files">
<title>Audit Log Files</title>
<para>
This chapter describes OpenAM audit log files:
</para>
<variablelist>
<para>Audit logs record information about OpenAM events. You can adjust the
amount of detail in the administrative logs under Configuration &gt; System &gt;
Logging.</para>
<indexterm>
<primary>Logs</primary>
<secondary>Administrative Files</secondary>
</indexterm>
<varlistentry>
<term>amAuthentication.access</term>
<listitem>
<para>Contains log data for when users log into and out of OpenAM, including failed
authentications</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amAuthentication.error</term>
<listitem>
<para>Contains log data about errors encountered when users login and out of OpenAM</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amConsole.access</term>
<listitem>
<para>Contains data about actions run as the administrator in the console, including
changes to realms and policies</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amConsole.error</term>
<listitem>
<para>Contains data on errors encountered during administrator sessions</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amPasswordReset.access</term>
<listitem>
<para>Contains data about password resets</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amPolicy.access</term>
<listitem>
<para>Contains data about authorization actions permitted by policies, including
policy creation, removal, or modification</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amPolicy.error</term>
<listitem>
<para>Contains data on errors encountered during actions related to the policy</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amPolicyDelegation.access</term>
<listitem>
<para>Contains data about actions as part of the policy delegation, including any
changes to the delegation</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amRemotePolicy.access</term>
<listitem>
<para>Contains data about policies accessed remotely</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amRest.access</term>
<listitem>
<para>
Contains data about access to REST endpoints
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amRest.authz</term>
<listitem>
<para>
Contains data about authorizations to access REST endpoints
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>amSSO.access</term>
<listitem>
<para>Contains data about user sessions, including times of access, session time outs,
session creation, and session termination for stateful sessions; contains data about
session creation and session termination for stateless sessions</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CoreToken.access</term>
<listitem>
<para>Contains data about actions run against the core token</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CoreToken.error</term>
<listitem>
<para>Contains data on errors encountered regarding the core token</para>
</listitem>
</varlistentry>
<varlistentry>
<term>COT.access</term>
<listitem>
<para>Contains data about the circle of trust</para>
</listitem>
</varlistentry>
<varlistentry>
<term>COT.error</term>
<listitem>
<para>Contains data on errors encountered for the circle of trust</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Entitlement.access</term>
<listitem>
<para>Contains data about entitlement actions or changes</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IDFF.access</term>
<listitem>
<para>Contains data about federation actions, including the creation of
authentication domains or the hosted providers</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IDFF.error</term>
<listitem>
<para>Contains data on errors encountered during federation actions</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Liberty.access</term>
<listitem>
<para>Contains data about actions run for the federation Liberty schema</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Liberty.error</term>
<listitem>
<para>Contains data on errors encountered for the federation Liberty schema</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OAuth2Provider.access</term>
<listitem>
<para>Contains data about actions for the OAuth 2.0 provider</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OAuth2Provider.error</term>
<listitem>
<para>Contains data about errors encountered by the OAuth 2.0 provider</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML2.access</term>
<listitem>
<para>Contains data about SAML 2 actions, including changes to assertions, artifacts,
response, and requests</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML2.error</term>
<listitem>
<para>Contains data about errors encountered during SAML 2 actions</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML.access</term>
<listitem>
<para>Contains data about SAML actions, including changes to assertions, artifacts,
response, and requests</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML.error</term>
<listitem>
<para>Contains data about errors encountered during SAML actions</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ssoadm.access</term>
<listitem>
<para>Contains data about actions completed for SSO as admin</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WebServicesSecurity.access</term>
<listitem>
<para>Contains data about activity for Web Services Security</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WebServicesSecurity.error</term>
<listitem>
<para>Contains data on errors encountered by Web Services Security</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSFederation.access</term>
<listitem>
<para>Contains data about activity for WS Federation, including changes and
access information</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSFederation.error</term>
<listitem>
<para>Contains data on errors encountered during WS Federation</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="log-debug-files">
<title>Debug Log Files</title>
<para>
Debug log files provide information to help troubleshoot
OpenAM problems.
</para>
<para>
The number of messages that OpenAM logs to the debug log files
varies depends on the debug logging level. The default debug
logging level is Error. With other logging levels, such as Warning and
Message, OpenAM logs many more debug log messages and creates many
more debug log files than it does by default.
</para>
<para>
When configured with the Message logging level, OpenAM can produce
more than a hundred debug log files.
Use the debug log file names to determine the type of troubleshooting
information in each file. For example, the OpenAM command-line interface
logs debug messages to the <filename>amCLI</filename> debug file.
The OpenAM OAuth2 provider logs debug messages to the
<filename>OAuth2Provider</filename> debug file. The OpenAM Naming Service
logs messages to the <filename>amNaming</filename> debug file.
</para>
<!-- There are over a hundred different debug log files.
It does not make much sense to list nine of them in this section.
Leaving in what was here before in case someone would like to
restore this list or put together a list with all the debug files.
<para>
The following are some examples of debug log file names:
</para>
<indexterm>
<primary>Logs</primary>
<secondary>Debug Log Files</secondary>
</indexterm>
<varlistentry>
<term>Authentication</term>
<listitem>
<para>Contains information about problems encountered during user authentication,
including authentication services, framework, modules, callbacks, JAAS, and API</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Configuration</term>
<listitem>
<para>Contains information about problems with the OpenAM configuration</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CoreSystem</term>
<listitem>
<para>Contains information about problems specific to your core deployment of
OpenAM that are not part of the authentication process or part of your current
configuration, including core infrastructure services, PLL, cookies, naming,
logging, and upgrades</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Entitlement</term>
<listitem>
<para>Contains information about problems specific to entitlement</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Federation</term>
<listitem>
<para>Contains information about problems specific to federation, including
federated SSO, the federation protocols (SAML, SAML 2.0, ID-FF, and WS-Federation),
metadata, hub, and circles of trust</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IdRepo</term>
<listitem>
<para>Contains information about problems specific to the identity repository,
including datastores and plugins</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Policy</term>
<listitem>
<para>Contains information about problems specific to the policies you have setup,
including policy framework, their subjects, conditions, resource attributes,
plugins, and API</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Session</term>
<listitem>
<para>Contains information about problems specific to OpenAM sessions, including
session framework, management SSOToken, failover, and API</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WebServices</term>
<listitem>
<para>Contains information about problems specific to Web Services, including
STS and Identity Services</para>
</listitem>
</varlistentry>
</variablelist>
-->
<para>
For information about configuring the location and verbosity of
debug log files, see the section on
<link
xlink:show="new"
xlink:href="admin-guide#debug-logging"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Debug Logging</citetitle>
</link>
in the <citetitle>OpenAM Administration Guide</citetitle>.
</para>
</section>
</section>
<section xml:id="log-messages">
<title>Log Messages</title>
<para>This section describes OpenAM log messages.</para>