You can increase the logging levels for Identity Governance and the Identity Governance clients to have a more granular view of the events occurring. OSP and Identity Reporting do not provide the granular view that Identity Governance provides.
Identity Governance allows you to set the following logging levels:
Info
Warning
Error
Fatal
Debug
Trace
None
You can use the following information to enable or increase the logging levels for Identity Governance and Identity Governance clients, or you can use the Identity Governance Configuration menu to set logging levels. For more information, see Managing Logging Levels
in the Identity Governance User and Administration Guide.
In prior releases of Identity Governance, you had to edit the ig-server-logging.xml file to add your audit server details, the TLS information, and to enable the auditing service. Now, you use the Identity Governance Configuration Update utility to enable auditing. You can still edit part of the ig-server-logging.xml file to set the level of logging details provided by the auditing service in Identity Governance.
WARNING:Use the Identity Governance Configuration Update utility to change the server details, TLS settings, and to enable auditing. If you make changes for these options in the ig-server-logging.xml file, it can cause the Identity Governance Configuration Update utility to no longer affect the audit settings.
The ig-server-logging.xml file is an XML file. It contains three parts. You must understand what each part does and which part to edit and not to edit. The parts are listed by XML parent-child relationships.
audit/syslog: This section contains the global auditing setting.
WARNING:Use the Identity Governance Configuration Update utility to change the settings for the server details, TLS settings, and to enable auditing. If you make changes for these options in the ig-server-logging.xml file, it can cause the v Configuration Update utility to no longer affect the audit settings.
audit/httpAuditData: This section is a filter that indicates whether the audit event includes a copy of the HTTP request data, the HTTP response data, both, or only the ID. The options are:
ALL: The auditing log includes a copy of the HTTP request data, the HTTP response data, and the ID of the REST call.
REQUEST: The auditing log includes a copy of the HTTP request data.
RESPONSE: The auditing log includes a copy of the HTTP response data.
ID_ONLY: The auditing log includes only the ID of the REST call.
loggers: This section contains all of the Identity Governance auditing and logging service. You edit this section to customize auditing and logging levels for your environment. There are four types of loggers. They are:
Logger names not prefixed with “audit”: These loggers are regular and not auditing loggers. These loggers control standard logging output to the logging files such as INFO, DEBUG, ERROR, and so forth. You can add or remove this type of logger and adjust the logging level of each logger to what is appropriate for your environment or situation.
Logger names prefixed with “audit” and ending in a class name: These are the audit loggers that control specific REST services.
The INFO level enables auditing for the services listed in the class name. Any other level turns off auditing for the service in Identity Governance.
Logger names prefixed with “audit” and ending in an HTTP method (GET, PUT, POST, or DELETE): These audit loggers enable auditing only for a specified HTTP method for the named class. You would use these loggers to show data modifications rather than only seeing the queries in the auditing logs.
For example, if you add three lines for the class audit.com.netiq.iac.server.rest.CollectionService appended with PUT, POST, and DELETE, the auditing log shows the data modification carried out by that service but the auditing logs would not contain any queries.
Logger names prefixed with “audit” and ending in an integer even ID: These are a specific type of loggers that target only one method of a service class, as each method has a unique event ID. You can see a list of all of the events in the AuditEventTable.pdf.
After you understand the loggers in the ig-server-logging.xml file, you can change the loggers that are appropriate for your environment.
To edit the ig-server-logging.xml file:
Open the ig-server-logging.xml file in a text editor. The default location is:
Linux: /opt/netiq/idm/apps/tomcat/conf
Windows: C:\netiq\idm\apps\tomcat\conf
Change the appropriate settings for the loggers for your environment.
Save and close the file.
Restart Apache Tomcat. For more information, see Section 3.4.3, Starting and Stopping Apache Tomcat.
Identity Governance contains application-specific logging configuration files to help obtain debugging information from the Identity Governance clients. In the past, you would have to add client-specific logging configuration information in the general Apache Tomcat logging.properties file.
There are two application-specific logging configuration files that you can edit and enable the loggers per the request of technical support. The two files are:
ig-client-logging.xml
cx-client-logging.xml