Version: Axidian Privilege 3.0

Configuring and Collecting Logs

Log Files Location

Log files of all .NET components and utilities are written as text files to the following logs folders:

  • /etc/axidian/axidian-privilege/logs/Component_name/
  • C:\inetpub\wwwroot\Component_name\logs\
  • C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\logs\
  • [axidian-pam-windows\MISC]\utilities folder\logs\

Description of the log files of the components: Core, IDP, LS

File | core / idp / LS | Log content
commands.log | ++ | all logs of the commands
queries.log | ++ | all logs of the queries
errors.log | +++ | all errors of the Axidian Privilege/LS
jobs.log | + | all logs of the jobs
events.log | + | all logs related to Events
connections.log | + | all logs of service connections
db.log | +++ | all logs related to DB access
hangfire.log | +++ | all logs from Hangfire
ils.log | + | all logs from LogServer client
full-yyyy-MM-dd.log | +++ | all logs of Axidian Privilege/LS with logger name and traceId
stdout_yyyyMMddHHmmss_xxxx.log | +++ | logs with errors from IIS

Installation Script Logging

The installation script run-deploy.sh may fail with an error. In this case, you need to send the log file to technical support. Example of a script error:

Location of the log file: axidian-pam-linux/logs/deploy.log.

By default, the log file contains brief information. To get detailed log output you need to run the script with the -vvv option:

run-deploy.sh -vvv

ProxyApp

Logs are written to the folder C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\logs\shortDate\processId, which separates logs from multiple runs on the same day. The folder may contain two log files:

  • ffmpeg.log — debugging information from ffmpeg
  • Pam.Proxy.App.log — all other logs

Utilities

All logs are written to a single file. The file name contains the name of the utility and does not contain a date. For example: Pam.Tools.Migrator.log

Native Components Logging

The native components are the following:

  • MstscAddin
  • WindowsAgent
  • Pam.Service
  • Pam.Putty
  • ProcessCreateHook

To enable or collect logs, use the Axidian Privilege GetLog utility. Logs are saved to the directory C:\Windows\System32\LogFiles\Axidian. Each process has its own separate directory.

*nix Components Logging

SSH Proxy

All logs are written to a single file — ${ISODate}.log.

File location: /etc/axidian/axidian-privilege/logs/ssh/

PAMSU

All logs generated by our code are written to a single file — ${ISODate}.log.

File location: /opt/Axidian Privilege/pamsu/logs/.

In addition, it is possible to enable logging of code provided by sudo. This is done via changes to the file /etc/pamsu.conf. The rules for setting up and managing are the same as for sudo. See man sudo.conf.

Configuring Logging

A JSON file (appsettings.json) is used for logging configuration.

Configuration Appsettings.json

The appsettings.json file is located at:

  • C:\inetpub\wwwroot\component_name\appsettings.json — management server Windows.
  • C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\appsettings.json — access server Windows.
  • /etc/axidian/axidian-privilege/component_name/appsettings.json — management or access server Linux.

Section NLog

The variables parameter is a section where you can set variables to further configure logging. The number of variables is unlimited. This parameter is optional.

"variables": {
  "minLevel": "Trace",
  "dbMinLevel": "Info"
}
note

The value of a variable can be inserted into an attribute value via the ${varname} syntax. 

Each log entry has a level, and each logger is configured to include or ignore certain levels. A common configuration is to specify a minimum level, so that this level and all higher levels are included. For example, if the minimum level is Info, then Info, Warn, Error and Fatal are logged, but Debug and Trace are ignored.

The log levels ordered by severity:

LogLevel | Ordinal | Severity
Trace | 0 | Most verbose level. Used for development and seldom enabled in production.
Debug | 1 | Debugging the application behavior from internal events of interest.
Info | 2 | Information that highlights progress or application lifetime events.
Warn | 3 | Warnings about validation issues or temporary failures that can be recovered.
Error | 4 | Errors where functionality has failed or exceptions have been caught.
Fatal | 5 | Most critical level. Application is about to abort.


Section rules — controls how LogEvents from the Logger objects are redirected to output targets. Each type of log has its own name, which is not recommended to edit.

"Rules": {
  "03_Hangfire": {
    "logger": "Hangfire.*",
    "minLevel": "Info",
    "writeTo": "hangfireFile",
    "final": true
  },
  "20_Errors": {
    "logger": "*",
    "minLevel": "Error",
    "writeTo": "errorsFile"
  },
  "40_Commands": {
    "logger": "Idp.Application.*Command",
    "minLevel": "${minLevel}",
    "writeTo": "commandsFile",
    "Enabled": false
  }
}

For each type of log, you can specify the following tags:

logger — the logger name, usually the name of the code element (class name) associated with the log line. May contain wildcard characters (* and ?). Thus, the pattern '*' matches any logger name, and 'Common*' matches all loggers whose names begin with 'Common'. It is not recommended to edit this parameter.

LogLevel — logging levels, it is possible to specify several levels at once:

  • minlevel — minimum level to log.
  • maxlevel — maximum level to log.
  • level — single level to log.
  • levels — comma separated list of levels to log.

writeTo — comma separated list of targets to write to.

final — no rules are processed after a final rule matches.

enabled — set to false to disable the rule without deleting it.

  • parameter targets – defines log targets/outputs (optional parameter)
  • parameter extensions – loads NLog extensions from the *.dll file (optional parameter)
  • parameter include – includes external configuration file (optional parameter)
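
How the rules fragment above routes an event, as an added example (not Axidian or NLog code): it applies ${varname} substitution, wildcard logger matching, the level filters, enabled and final. It assumes rules are evaluated in key order (03_, 20_, 40_) and that level and levels take precedence over minLevel/maxLevel; CONFIG is a constructed copy of the fragment.

```python
import re

LEVELS = ["Trace", "Debug", "Info", "Warn", "Error", "Fatal"]  # ordinals 0..5

# Constructed sample mirroring the variables and rules fragments shown above.
CONFIG = {
    "variables": {"minLevel": "Trace", "dbMinLevel": "Info"},
    "rules": {
        "03_Hangfire": {"logger": "Hangfire.*", "minLevel": "Info",
                        "writeTo": "hangfireFile", "final": True},
        "20_Errors": {"logger": "*", "minLevel": "Error", "writeTo": "errorsFile"},
        "40_Commands": {"logger": "Idp.Application.*Command",
                        "minLevel": "${minLevel}", "writeTo": "commandsFile",
                        "Enabled": False},
    },
}

def expand(value, variables):
    """Replace ${varname} with its value from the variables section."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)

def name_matches(pattern, logger):
    """Wildcard match: * is any run of characters, ? is exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, logger) is not None

def level_matches(rule, level, variables):
    """Assumed precedence: level, then levels, then the minLevel..maxLevel range."""
    get = lambda key: expand(rule[key], variables) if key in rule else None
    if get("level"):
        return level == get("level")
    if get("levels"):
        return level in [x.strip() for x in get("levels").split(",")]
    lo = LEVELS.index(get("minlevel") or "Trace")
    hi = LEVELS.index(get("maxlevel") or "Fatal")
    return lo <= LEVELS.index(level) <= hi

def route(nlog, logger, level):
    """Return the targets that receive an event (rules taken in sorted key order)."""
    hits, variables = [], nlog.get("variables", {})
    for name in sorted(nlog["rules"]):
        rule = {k.lower(): v for k, v in nlog["rules"][name].items()}
        if rule.get("enabled", True) is False:
            continue  # disabled rule: kept in the file but never matched
        if name_matches(rule["logger"], logger) and level_matches(rule, level, variables):
            hits += [t.strip() for t in rule["writeto"].split(",")]
            if rule.get("final"):
                break  # final: later rules are not processed
    return hits
```

With the fragment as shown, an Info event from a logger matching Idp.Application.*Command is routed nowhere because 40_Commands is disabled; the same logger reaches errorsFile only at Error or Fatal.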

Configuring NLog.json file

Each component that writes logs has an NLog.json file, which specifies where and how logs are recorded. On Windows, the NLog.json file is located in the same path as the appsettings.json file and is configured for each component separately.

Section NLog

Parameter variables — sets the value of a configuration variable. The number of variables is unlimited. (optional parameter).

Section Targets

Each type of log has its own name, which is not recommended to edit.

  • type — The type of the saved log. Editing is not recommended.
  • layout — The text to be displayed. Editing is not recommended.
  • fileName — Directory where logs are recorded.
  • archiveFileName — Directory where filled logs are stored.
  • archiveAboveSize — Maximum size of the log file, specified in bytes.
  • archiveNumbering — Method of numbering file archives.
  • maxArchiveFiles — The number of stored filled logs. Old filled logs are deleted when new ones appear.
note

The directory for recording and storing logs is specified in one of two formats: "C:\Logs\logs.log" or "C:\\LogsArch\\logs.{#####}.log".
The {#####} placeholder is specified only in the archiveFileName parameter. It is required for numbering filled logs.

note

If log rotation is enabled, then the directory of the recorded log and the directory of the filled logs must be different.

Example of configuration for errors log:

"targets": {
  "errorsFile": {
    "type": "File",
    "layout": "${loggerLayout}",
    "fileName": "C:\Logs\errors.log",
    "archiveFileName": "C:\\LogsArch\\errors.{#####}.log",
    "archiveAboveSize": 1000000,
    "archiveNumbering": "Sequence",
    "maxArchiveFiles": 2
  }
}

Log rotation is not enabled by default.
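
A check for the two rotation notes above and for retention, as an added example (not part of the product): it flags a target whose archive directory equals its log directory or whose {#####} placeholder is missing or misplaced, and estimates how much log data a target keeps before old archives are deleted. The errorsFile entry copies the page's example values; the auditFile target is constructed.

```python
import ntpath
import re

PLACEHOLDER = re.compile(r"\{#+\}")  # archive numbering marker such as {#####}

# Targets as they look after JSON parsing (paths with single backslashes).
TARGETS = {
    "errorsFile": {"type": "File", "fileName": r"C:\Logs\errors.log",
                   "archiveFileName": r"C:\LogsArch\errors.{#####}.log",
                   "archiveAboveSize": 1000000, "archiveNumbering": "Sequence",
                   "maxArchiveFiles": 2},
    # Constructed misconfiguration: same folder (different case), no placeholder.
    "auditFile": {"type": "File", "fileName": r"C:\Logs\audit.log",
                  "archiveFileName": r"c:\logs\audit.old.log",
                  "archiveAboveSize": 5000000, "maxArchiveFiles": 10},
}

def folder(path):
    """Directory part of a Windows path, normalised for case and separators."""
    return ntpath.normcase(ntpath.dirname(ntpath.normpath(path)))

def lint_target(target):
    """Return the rotation problems found in one target definition."""
    t = {k.lower(): v for k, v in target.items()}
    log, arch = t.get("filename", ""), t.get("archivefilename")
    issues = []
    if PLACEHOLDER.search(log):
        issues.append("numbering placeholder belongs only in archiveFileName")
    if arch is None:
        return issues  # no archive path to compare against
    if not PLACEHOLDER.search(arch):
        issues.append("archiveFileName has no {#####} placeholder")
    if folder(log) == folder(arch):
        issues.append("log and archive directories must differ")
    return issues

def retained_bytes(target):
    """Approximate data kept on disk: the live file plus maxArchiveFiles archives."""
    t = {k.lower(): v for k, v in target.items()}
    return t["archiveabovesize"] * (t["maxarchivefiles"] + 1)

def report(targets):
    """Map each target name to (issues, approximate retained bytes)."""
    return {name: (lint_target(t), retained_bytes(t)) for name, t in targets.items()}
```

For the page's errorsFile values this gives roughly 3,000,000 bytes of retained error history, which is worth comparing against how far back an investigation may need to look.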