8.1.7 Enabling Policy Logging

Policy logging is expensive; it uses processing time and disk space. In a production environment, you must enable it only under the following types of conditions:

  • You have created a new policy and need to verify its functionality.

  • You are troubleshooting a policy that is not behaving as expected.

To gather troubleshooting information, you must enable the File Logging and Echo To Console options in Identity Server configuration and set the Component File Logger Levels for Application to at least info. Then you must update Identity Server configuration and restart any Access Gateway Embedded Service Providers, so that the Embedded Service Providers read the logging options. See Section 22.3.1, Configuring Logging for Identity Server. When you have solved the problem, you must disable these options.

Look for logging information in the log file on the component that executed the policy. For example, if you have an Access Gateway: Authorization error, look at the log on Access Gateway that executed the policy.

For additional policy troubleshooting procedures, see Section 31.6, Troubleshooting Access Manager Policies.