4.1 Understanding the Types of Logging

Access Manager supports two types of logging:

4.1.1 Component Logging for Troubleshooting Configuration or Network Problems

Each Access Manager component maintains log files that contain entries documenting the operation of the component. Component file logging records the processing and interactions between the Access Manager components that occur while satisfying user and administrative requests and during general system processing. By enabling the correct levels of logging for the various Access Manager components, an administrator can monitor how Access Manager processes user and administrative requests. Transaction flows have been defined to help the administrator identify the processing steps that occur during the execution of specific types of user or administrative requests. All component file logs include tags and values that allow the administrator to identify and correlate which component file log entries pertain to a given transaction and user.

Component file logs are not primarily intended for debugging the software itself, although they can be used to detect software that is not behaving properly. Rather, the intent of component file logging is to document the operational processing of the Access Manager components so that system administrators and support personnel can identify and isolate problems caused by configuration errors, invalid user data, or network problems such as broken connections. However, component file logging is typically the first step in identifying software bugs.

Component file logging is more verbose than audit logging. It increases processing load, and on a day-to-day basis, it should be enabled only to log error conditions and system warnings. If a specific problem occurs, component file logging can be set to info or config to gather the information needed to isolate and repair the detected problem. When the problem is resolved, component file logging should be reconfigured to log only error conditions and system warnings.

Log files can be configured to include entries for the following events:

  • Initialization and shutdown

  • Configuration

  • Events processed by the component, such as authentication, role assignment, resource access, and policy evaluation

  • Error conditions

See Configuring Component Logging in the Novell Access Manager 3.1 SP4 Identity Server Guide.

4.1.2 HTTP Transaction Logging for Proxy Services

The Access Gateway allows you to log HTTP transactions. You can log what happens with an HTTP request and response at the following points:

  • Between the browser and the Access Gateway

  • Between the Access Gateway and the back-end Web server

You select the fields from the HTTP header of a request that you want logged. You can then use these logged transactions to bill customers for Web services or to troubleshoot whether a request is refused because the browser didn’t send the required information or because the Access Gateway didn’t send the Web server the required information.

This type of logging conforms to the W3C specification for proxy server logging in the common and extended log formats. This type of logging provides no information about the exchanges between the Access Gateway and the Identity Server. If you need to discover whether the Access Gateway is obtaining the correct information from the Identity Server for an Identity Injection or Form Fill policy, you need to turn on component logging. See Configuring Component Logging in the Novell Access Manager 3.1 SP4 Identity Server Guide.

For HTTP transaction logging, see Configuring Logging for a Proxy Service in the NetIQ Access Manager 3.1 SP5 Access Gateway Guide.
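The troubleshooting use described above can be scripted against a W3C extended-format log. The following is an added example, not code from the Access Manager documentation: it parses the `#Fields` directive and, for each refused request, reports whether a required header was missing on the browser hop (`cs` prefix) or on the hop to the back-end Web server (`sr` prefix). The log lines, the selected fields, and the `X-Tenant` header are constructed assumptions; it also assumes the proxy service was configured to log both hops.

```python
import re

# Constructed sample log. The field selection and the X-Tenant header are
# assumptions for illustration, not Access Gateway defaults.
SAMPLE_LOG = '''#Version: 1.0
#Fields: date time c-ip cs-method cs-uri sc-status cs(X-Tenant) sr(X-Tenant)
2024-01-15 10:00:01 192.0.2.10 GET /app/home 200 "acme corp" "acme corp"
2024-01-15 10:00:07 192.0.2.11 GET /app/home 403 - -
2024-01-15 10:00:09 192.0.2.12 GET /app/report 403 "acme corp" -
2024-01-15 10:00:12 192.0.2.13 GET /app/report 500 globex globex
2024-01-15 10:00:15 192.0.2.14 GET /app
'''

TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\S+)')  # quoted string or bare token

def parse_entries(text):
    """Yield one dict per entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()
            continue
        values = [bare or quoted.replace('""', '"')
                  for quoted, bare in TOKEN.findall(line)]
        if fields and len(values) == len(fields):  # skip truncated entries
            yield dict(zip(fields, values))

def refused_requests(text, header):
    """Return (uri, status, verdict) for each 4xx/5xx entry."""
    findings = []
    for e in parse_entries(text):
        status = e.get("sc-status", "-")
        if not status.isdigit() or int(status) < 400:
            continue
        # cs = browser to gateway, sr = gateway to back-end; "-" = no value
        sent = e.get(f"cs({header})", "-") != "-"
        forwarded = e.get(f"sr({header})", "-") != "-"
        if forwarded:
            verdict = "header reached the Web server"
        elif sent:
            verdict = "gateway did not forward it"
        else:
            verdict = "browser did not send it"
        findings.append((e.get("cs-uri", "-"), int(status), verdict))
    return findings
```

A verdict of "header reached the Web server" means the HTTP transaction log cannot explain the refusal, which is the point at which component logging becomes necessary.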