A policy log entry starts with the standard log entry elements: <amLogEntry> followed by the correlation tags.
For information about correlation tags, see Understanding the Correlation Tags in the Log Files.
The following log entry is a trace of an evaluation of a Role policy:
<amLogEntry> 2009-06-07T21:40:25Z INFO NIDS Application: AM#500199050: AMDEVICEID#9921459858EAAC29: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: IDP RolesPep.evaluate(), policy trace: ~~RL~0~~~~Rule Count: 1~~Success(67) ~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67) ~~CS~1~~ANDs~~1~~True(69) ~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~True(69) ~~PA~ActionID_1181252224665~~AddRole~Manager~~~Success(0) ~~PC~ActionID_1181252224665~~Document=(ou=xpemlPEP,ou=mastercdn, ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Manager),Rule=(1::RuleID_1181251958207),Action=(AddRole::ActionID_1181252224665)~AdditionalRole(6601):unknown():Manager:~~~Success(0) </amLogEntry>
The Role policy evaluated in this entry has the following definition:
Figure 33-9 Manager Policy Definition
The following sections use this policy and its trace to explain the information contained within each line of a policy trace. The policy trace part of the entry starts with policy trace:, which is followed by one or more of the following segment types: RL (rule list), RU (rule evaluation result), CS (condition set), CO (condition), PA (policy action), and PC (policy action completion). Each segment is introduced by two tildes and its type code, for example ~~RL~.
Elements within a type are separated from each other with the tilde (~) character. If an element does not have a value, no value is inserted, which results in two or more tildes between values. Two tildes means one element didn’t have a value, three tildes means that two elements didn’t have values, and so forth.
An RL trace has the following fields:
~<RuleListID>~~~~<RuleCount>~~<Result>
An RL trace looks similar to the following:
~~RL~1~~~~Rule Count: 1~~Success(67)
Table 33-4 describes the fields found in an RL trace.
Table 33-4 Fields in a Rule List Trace

| Element | Description |
|---|---|
| <RuleListID> | The identifier assigned to the rule list. In the sample RL trace, this is 1. |
| <RuleCount> | The number of rules defined for the policy. In the sample RL trace, this is Rule Count: 1, indicating that there is one rule in the policy. |
| <Result> | A string followed by a number that specifies the result of the evaluation. See Policy Result Values. In the sample RL trace, this is Success(67), indicating success. |
An RU trace has the following fields:
~<RuleID>~<ParentPolicyName>~<ConditionSetJoinType>~~<ConditionSetCount: ActionCount>~~<Result>
An RU trace looks similar to the following:
~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67)
Table 33-5 describes the fields of a Rule Evaluation Result trace.
Table 33-5 Fields in a Rule Evaluation Result Trace

| Element | Description |
|---|---|
| <RuleID> | The identifier assigned to the rule. In the sample RU trace, this element is set to RuleID_1181251958207. |
| <ParentPolicyName> | The name of the parent policy to which the rule is assigned. In the sample RU trace, this element is set to Manager. |
| <ConditionSetJoinType> | The type of joining that occurs between conditions and condition sets; it is set to one of a fixed set of join types. In the sample RU trace, this element is set to DNF. |
| <ConditionSetCount:ActionCount> | The number of condition sets and actions defined for this rule. In the sample RU trace, this is 1:1, for one condition set and one action. |
| <Result> | A string followed by a number that specifies the result of the evaluation. See Policy Result Values. In the sample RU trace, this is Success(67), indicating that the rule was successfully evaluated. |
A CS trace has the following fields:
~<ConditionSetID>~<JoinType>~<NOT>~<ConditionCount>~~<Result>
A CS trace looks similar to the following:
~~CS~1~~ANDs~~1~~True(69)
Table 33-6 describes the fields in a Condition Set trace.
Table 33-6 Fields in a Condition Set Trace

| Element | Description |
|---|---|
| <ConditionSetID> | The identifier assigned to the condition set. Rules can have multiple condition sets. In the sample CS trace, this is 1, for the first and only condition set defined for the rule. |
| <JoinType> | Specifies how the condition results are combined if there are multiple condition sets. Possible values include ANDs and ORs. In the sample CS trace, this is ANDs. |
| <NOT> | The string NOT if the result was negated prior to reporting; otherwise the field has no value. This is the If Not option when creating a condition group. In the sample CS trace, the condition group was not negated, therefore the field has no value. |
| <ConditionCount> | The number of conditions defined in the condition group. In the sample CS trace, this element has the value 1. |
| <Result> | A string followed by a number that specifies the result of the evaluation. See Policy Result Values. In the sample CS trace, this is True(69), indicating that the condition set evaluated to True. |
A CO trace has the following fields:
~<ConditionID>~<LHSOperand>~<Operator>~<RHSOperand>~<NOT>~<Result>[~<ResultOnError>]
A CO trace looks similar to the following:
~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~True(69)
Table 33-7 describes the fields in a Condition trace.
Table 33-7 Fields in a Condition Trace

| Element | Description |
|---|---|
| <ConditionID> | The identifier assigned to the condition within the condition group. The first condition is assigned 1. In the sample CO trace, this is 1. |
| <LHSOperand> | The enumerative value and parameter list of the left operand. It is the first value specified for the comparison and has the following format: <Condition Name(Data ID)>:<Parameter>:<Value>. The Condition Name is the string assigned to the condition type specified in the policy. The Data ID is a numerical value assigned to the condition type. <Parameter> is a fixed string that indicates how the parameter is reported (in the sample traces, no-param and hidden-param). In the sample CO trace, this is LdapGroup(6645):no-param:hidden-value. LdapGroup is the string for the LDAP Group condition. The policy specified [Current], so no parameters were specified. The groups that the user belongs to are considered sensitive data, so the log file displays hidden-value for the names of the groups. |
| <Operator> | The display name of the comparison operator. In the sample CO trace, this is ldap-group-is-member-of. In the policy, this is displayed as LDAP Group: Is Member of. |
| <RHSOperand> | The enumerative value and parameter list of the right operand. It is the second value specified for the comparison and has the same format as the <LHSOperand>. In the sample CO trace, this is SelectedLdapGroup(66455):hidden-param:hidden-value. The actual policy specifies LDAP Group as the parameter, and the value is the DN of the group. |
| <NOT> | The string NOT if the result was negated prior to reporting; otherwise the field has no value. This is the If Not option when creating a condition. In the sample CO trace, this condition result was not negated, therefore the field is represented by a tilde with no value. |
| <Result> | A string followed by a number that specifies the result of the comparison. See Policy Result Values. In the sample CO trace, this is True(69), indicating that the condition evaluated to True: the user is a member of the specified LDAP group. |
| <ResultOnError> | A string describing the error that occurred. This is an optional field that appears only when the condition evaluation results in an error. The sample CO trace did not result in an error, so it has no string. |
A PA trace has the following fields:
~<ActionID>~<TraceString1>~<TraceString2>~<TraceString3>~<Result>
A PA trace looks similar to the following:
~~PA~ActionID_1181252224665~~AddRole~Manager~~~Success(0)
Table 33-8 describes the fields in a Policy Action trace.
Table 33-8 Fields in a Policy Action Trace

| Element | Description |
|---|---|
| <ActionID> | The identifier assigned to the action. In the sample PA trace, this is ActionID_1181252224665. |
| <TraceString1> | The message specified with the action. In the sample PA trace, this is AddRole. |
| <TraceString2> | The second part of the specified message. In the sample PA trace, this is Manager. |
| <TraceString3> | The third part of the specified message. In the sample PA trace, this field has no value. |
| <Result> | A string followed by a number that specifies the result of assigning the action. See Policy Result Values. In the sample PA trace, this is Success(0), which indicates that the action of assigning the Manager role to the user was successful. |
A PC trace has the following fields:
~<ActionID>~<ActionName>~<ActionParameters>~~~<Result>[~<ActionError>]
A PC trace looks similar to the following:
~~PC~ActionID_1181252224665~~Document=(ou=xpemlPEP,ou=mastercdn, ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),Policy=(Manager),Rule=(1::RuleID_1181251958207),Action=(AddRole::ActionID_1181252224665)~AdditionalRole(6601):unknown():Manager:~~~Success(0)
Table 33-9 describes the fields in a Policy Action Completion trace.
Table 33-9 Fields in a Policy Action Completion Trace

| Element | Description |
|---|---|
| <ActionID> | The ID assigned to the action. In the sample PC trace, this is ActionID_1181252224665. |
| <ActionName> | The fully distinguished name of the action. In the sample PC trace, the action name has the following parts: Document=(the DN of the policy document), Policy=(Manager), Rule=(1::RuleID_1181251958207), and Action=(AddRole::ActionID_1181252224665). |
| <ActionParameters> | A list of the action parameters passed to the action handler. In the sample PC trace, the Role policy has one action with one parameter. The value of this element is AdditionalRole(6601):unknown():Manager: |
| <Result> | A string followed by a number that specifies the result. See Policy Result Values. In the sample PC trace, this is Success(0), which indicates success. |
| <ActionError> | A string describing the error that occurred when invoking the action. This is an optional field that appears only when the Result field contains an error code. The sample PC trace did not result in an error, so it has no string. |
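As an added example (not part of the original documentation and not the product's own code), the following Python parser applies the tilde-separated layout described in the sections above to the sample trace quoted on this page: it locates each RL, RU, CS, CO, PA and PC segment by its type marker, keeps empty elements in place so that fields stay at fixed positions, and splits the condition operands and the Success(n)/True(n) result tokens into their parts. The field positions are taken from the sample traces rather than from the field templates in the text, because the samples carry one or two more empty elements before the result than the templates show (compare the CS template with ~~CS~1~~ANDs~~1~~True(69)); check them against your own log entries before relying on them. The functions roles_added and unsuccessful_segments are assumptions about what a reviewer of these logs wants to pull out: which roles a policy evaluation assigned, and which segments did not end in Success or True.

```python
import re

# Constructed input: the policy trace portion of the log entry quoted on this
# page, split across string literals only for readability.
SAMPLE_TRACE = (
    "~~RL~0~~~~Rule Count: 1~~Success(67) "
    "~~RU~RuleID_1181251958207~Manager~DNF~~1:1~~Success(67) "
    "~~CS~1~~ANDs~~1~~True(69) "
    "~~CO~1~LdapGroup(6645):no-param:hidden-value:~ldap-group-is-member-of"
    "~SelectedLdapGroup(66455):hidden-param:hidden-value:~~~True(69) "
    "~~PA~ActionID_1181252224665~~AddRole~Manager~~~Success(0) "
    "~~PC~ActionID_1181252224665~~Document=(ou=xpemlPEP,ou=mastercdn, "
    "ou=ContentPublisherContainer,ou=Partition,ou=PartitionsContainer,"
    "ou=VCDN_Root,ou=accessManagerContainer,o=novell:romaContentCollectionXMLDoc),"
    "Policy=(Manager),Rule=(1::RuleID_1181251958207),"
    "Action=(AddRole::ActionID_1181252224665)"
    "~AdditionalRole(6601):unknown():Manager:~~~Success(0)"
)

SEGMENT_RE = re.compile(r"~~(RL|RU|CS|CO|PA|PC)~")
NAME_ID_RE = re.compile(r"^(\w+)\((\d+)\)$")  # Success(67), LdapGroup(6645), ...

# Index of each named field in the tilde-separated list that follows the type
# marker, as observed in the sample traces on this page. Empty elements are
# kept, so an absent value (NOT, TraceString3) does not shift later fields.
# The optional error text of CO and PC traces, when present, follows the result.
LAYOUT = {
    "RL": {"rule_list_id": 0, "rule_count": 4, "result": 6},
    "RU": {"rule_id": 0, "parent_policy": 1, "join_type": 2, "counts": 4, "result": 6},
    "CS": {"condition_set_id": 0, "join_type": 2, "condition_count": 4, "result": 6},
    "CO": {"condition_id": 0, "lhs": 1, "operator": 2, "rhs": 3, "result": 6, "error": 7},
    "PA": {"action_id": 0, "trace_string1": 2, "trace_string2": 3, "result": 6},
    "PC": {"action_id": 0, "action_name": 2, "action_parameters": 3, "result": 6, "error": 7},
}


def split_segments(trace):
    """Yield (type, fields) for each ~~XX~ segment of a policy trace."""
    # Boundaries are located by the type marker, not by whitespace: the PC
    # action name in the sample contains a space inside an LDAP DN.
    starts = [m.start() for m in SEGMENT_RE.finditer(trace)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(trace)
        body = trace[start:end].rstrip()
        marker = SEGMENT_RE.match(body)
        yield marker.group(1), body[marker.end():].split("~")


def parse_result(token):
    """'Success(67)' -> ('Success', 67); an unrecognised token gets code None."""
    m = NAME_ID_RE.match(token)
    return (m.group(1), int(m.group(2))) if m else (token, None)


def parse_operand(token):
    """'LdapGroup(6645):no-param:hidden-value:' -> name, data ID, parameter, value."""
    name, param, value = (token.split(":") + ["", "", ""])[:3]
    m = NAME_ID_RE.match(name)
    return {
        "condition_name": m.group(1) if m else name,
        "data_id": int(m.group(2)) if m else None,
        "parameter": param,
        "value": value,
    }


def parse_trace(trace):
    """Turn a policy trace string into one dict per segment, named per LAYOUT."""
    parsed = []
    for seg_type, fields in split_segments(trace):
        entry = {"type": seg_type}
        for name, idx in LAYOUT[seg_type].items():
            entry[name] = fields[idx] if idx < len(fields) else ""
        entry["result_name"], entry["result_code"] = parse_result(entry["result"])
        if seg_type == "CO":
            entry["lhs"] = parse_operand(entry["lhs"])
            entry["rhs"] = parse_operand(entry["rhs"])
        parsed.append(entry)
    return parsed


def roles_added(trace):
    """Role names that PA segments report as added (AddRole with a Success result)."""
    return [e["trace_string2"] for e in parse_trace(trace)
            if e["type"] == "PA" and e["trace_string1"] == "AddRole"
            and e["result_name"] == "Success"]


def unsuccessful_segments(trace):
    """Segments whose result is neither Success nor True: the ones worth reviewing."""
    return [e for e in parse_trace(trace)
            if e["result_name"] not in ("Success", "True")]
```

Feed parse_trace the text that follows policy trace: in an <amLogEntry> line; for the sample it returns six dicts in RL, RU, CS, CO, PA, PC order, roles_added returns ["Manager"], and unsuccessful_segments is empty. Because the result token is parsed separately from the rest of the segment, a trace that reports a non-Success result code can be filtered without knowing the layout of every field.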