IBM Support

Understanding the settings of the enRoleLogging.properties file in ITIM

Question & Answer


Question

If more or less information is required from the ITIM logs, what changes should be made to achieve this?

Answer

The IBM Tivoli Identity Manager (ITIM) application provides a significant level of logging configuration. This is done via jlog, a logging package for Java which logs messages according to message type and priority. It also allows for control of the log content, how the messages are formatted, and where they are reported.

This is important for system administrators, who can select how detailed the log file should be and include the detail necessary for proper troubleshooting. It is important to understand that modifying logging levels can have an impact on ITIM performance. Any logging changes should therefore be made judiciously, and preferably at the direction of the ITIM support group.

The logger.trace.level is the "root" level logging setting, and is set to DEBUG_MIN by default. This MIN level should be sufficient for regular use, but occasionally it may be necessary to increase the logging levels.

Below is content from the logging section in the $ITIM_HOME/data/enRoleLogging.properties file, taken from an ITIM 5.1 system. As noted in this enRoleLogging.properties file: "Edit the level of these component loggers to adjust the amount of information written to the trace log".

The supported trace levels are:

 
  • DEBUG_MIN - the default and lowest level of logging verbosity
  • DEBUG_MID
  • DEBUG_MAX - the most verbose level, with the biggest performance impact

The component logger entries from that section:

    logger.trace.com.ibm.itim.adhocreport.level=DEBUG_MIN
    logger.trace.com.ibm.itim.adhocreport.crystal.level=DEBUG_MIN
    logger.trace.com.ibm.itim.adhocreport.changelog.level=DEBUG_MIN
    logger.trace.com.ibm.itim.adhocreport.synchronization.level=DEBUG_MIN
    logger.trace.com.ibm.itim.apps.level=DEBUG_MIN
    logger.trace.com.ibm.itim.apps.ejb.adhocreport.level=DEBUG_MIN
    logger.trace.com.ibm.itim.authentication.level=DEBUG_MIN
    logger.trace.com.ibm.itim.authorization.level=DEBUG_MIN
    logger.trace.com.ibm.itim.cache.level=DEBUG_MIN
    logger.trace.com.ibm.itim.common.level=DEBUG_MIN
    logger.trace.com.ibm.itim.dataservices.model.level=DEBUG_MIN
    logger.trace.com.ibm.itim.fesiextensions.level=DEBUG_MIN
    logger.trace.com.ibm.itim.mail.level=DEBUG_MIN
    logger.trace.com.ibm.itim.messaging.level=DEBUG_MIN
    logger.trace.com.ibm.itim.orchestration.level=DEBUG_MIN
    logger.trace.com.ibm.itim.passworddelivery.level=DEBUG_MIN
    logger.trace.com.ibm.itim.policy.level=DEBUG_MIN
    logger.trace.com.ibm.itim.remoteservices.level=DEBUG_MIN
    logger.trace.com.ibm.itim.remoteservices.installation.level=DEBUG_MIN
    logger.trace.com.ibm.itim.report.level=DEBUG_MIN
    logger.trace.com.ibm.itim.scheduling.level=DEBUG_MIN
    logger.trace.com.ibm.itim.script.level=DEBUG_MIN
    logger.trace.com.ibm.itim.sdo.level=DEBUG_MIN
    logger.trace.com.ibm.itim.security.level=DEBUG_MIN
    logger.trace.com.ibm.itim.systemConfig.level=DEBUG_MIN
    logger.trace.com.ibm.itim.util.level=DEBUG_MIN
    logger.trace.com.ibm.itim.webclient.level=DEBUG_MIN
    logger.trace.com.ibm.itim.workflow.level=DEBUG_MIN
    logger.trace.com.ibm.daml.level=DEBUG_MIN
    logger.trace.com.ibm.dsml.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.common.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.controller.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.customizer.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.help.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.impl.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.listener.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.tasklauncher.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.validator.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.view.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.viewmodel.level=DEBUG_MIN
    logger.trace.com.ibm.itim.ui.struts.level=DEBUG_MIN
    logger.trace.com.ibm.itim.applet.level=DEBUG_MIN


These categories represent standard ITIM components, but support may have you add components not listed by default. You can configure each component individually to override the root category logging level. Uncomment the appropriate line to enable the individual component logging configuration. This will override the root category logging setting to provide details on the specific component you have uncommented.

If more detailed information is desired in the log than is being provided with the logging level set to DEBUG_MIN, then the MID or MAX setting should be considered. This is done by uncommenting the appropriate component and setting the desired DEBUG level. The DEBUG_MAX setting should be used with caution as some components can generate a tremendous amount of logging detail.

When ITIM is installed and configured, and no further troubleshooting is required of the ITIM log files, then be sure to confirm all logger component settings are returned to DEBUG_MIN and/or are commented out. This will help to ensure the least amount of impact to overall ITIM performance.
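One way to run that confirmation after a troubleshooting session, as an added example (not IBM's code and not part of the original technote): it parses the text of enRoleLogging.properties and reports every uncommented logger left above DEBUG_MIN or set to a value that is not one of the three levels. The function name, the sample contents, and the treatment of lines starting with # or ! as comments are assumptions.

```python
import re

# Trace levels named on this page, in increasing verbosity.
LEVELS = ("DEBUG_MIN", "DEBUG_MID", "DEBUG_MAX")
# Root logger (logger.trace.level) or component logger
# (logger.trace.<package>.level); group 1 is None for the root logger.
LINE_RE = re.compile(r"^logger\.trace\.(?:([\w.]+)\.)?level\s*[=:]\s*(\S+)$")

# Constructed sample, not taken from a real system.
SAMPLE = """\
logger.trace.level=DEBUG_MIN
#logger.trace.com.ibm.itim.policy.level=DEBUG_MAX
logger.trace.com.ibm.itim.remoteservices.level=DEBUG_MAX
logger.trace.com.ibm.itim.workflow.level=DEBUG_MID
logger.trace.com.ibm.itim.authorization.level=DEBUG_MIN
logger.trace.com.ibm.itim.script.level=DEBUG_MXA
"""

def audit_trace_levels(text):
    """Return (active, findings) for the text of enRoleLogging.properties.

    active maps each uncommented logger to (level, line number); the key
    "<root>" stands for logger.trace.level. findings lists the loggers
    left above DEBUG_MIN or set to a value that is not a known level.
    """
    active = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # commented-out loggers are inactive
            continue
        m = LINE_RE.match(line)
        if m:
            # As in Java properties loading, a later duplicate key wins.
            active[m.group(1) or "<root>"] = (m.group(2), lineno)
    findings = []
    for name, (level, lineno) in active.items():
        if level not in LEVELS:
            findings.append((lineno, name, level, "unrecognised level"))
        elif level != "DEBUG_MIN":
            findings.append((lineno, name, level, "above DEBUG_MIN"))
    return active, sorted(findings)

if __name__ == "__main__":
    for lineno, name, level, why in audit_trace_levels(SAMPLE)[1]:
        print(f"line {lineno}: {name} = {level} ({why})")
```

To check a real system, pass the contents of $ITIM_HOME/data/enRoleLogging.properties to audit_trace_levels() in place of SAMPLE.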

To exercise increased logging levels it is necessary to enable the appropriate component and increase the logging level accordingly. Here are a few examples of different components and their typical use:


1. For Reporting related issues:
  • logger.trace.com.ibm.itim.adhocreport.level
  • logger.trace.com.ibm.itim.apps.ejb.adhocreport.level
  • logger.trace.com.ibm.itim.report.level

2. For API issues:
  • logger.trace.com.ibm.itim.apps.level

3. For ACI issues:
  • logger.trace.com.ibm.itim.authorization.level

4. For JavaScript issues:
  • logger.trace.com.ibm.itim.fesiextensions.level
  • logger.trace.com.ibm.itim.script.level

5. For policy issues:
  • logger.trace.com.ibm.itim.policy.level
  • logger.trace.com.ibm.itim.fesiextensions.level
  • logger.trace.com.ibm.itim.script.level

6. For any Adapter related issues (provisioning, reconciliation, etc.):
  • logger.trace.com.ibm.itim.remoteservices.level

7. For messaging and Scheduled Request issues:
  • logger.trace.com.ibm.itim.messaging.level
  • logger.trace.com.ibm.itim.scheduling.level

8. For User Interface issues:
  • logger.trace.com.ibm.itim.webclient.level
  • logger.trace.com.ibm.itim.ui.level

9. For Workflow issues:
  • logger.trace.com.ibm.itim.workflow.level
  • logger.trace.com.ibm.itim.workflowextensions.level

10. For Lifecycle rule issues:
  • logger.trace.com.ibm.itim.orchestration.lifecycle.level
    (this will show the actual filter passed to LDAP, in addition to other information about LCR processing)

The Related Information section below contains the URL where you can find more details on the enRoleLogging.properties file. As always, please contact support with any questions regarding changes to the logging levels.

NOTE: To modify the logging levels in ISIM 7.0.1, perform the following steps:
    1. Log in to the ISIM 7.0.1 Virtual Appliance web console
    2. Navigate to Manage > Maintenance > Log Retrieval and Configuration
    3. Click the "Configure" button
    4. Select the Identity Manager tab
    5. Click the "New" button
    6. Select the package you'd like to edit log levels for (or manually type in the package name if it is not in the list provided)
    7. Select the desired Trace Level
    8. Click the "Save Configuration" button


Product Synonym

ITIM TIM isim sim enrole

Document Information

Modified date:
20 March 2020

UID

swg21140410