Question & Answer
Question
How to roll over logs for the TAM Policy Server, Proxy Policy Server, Authorization Server and WebSEAL?
Cause
With default settings, the message logs for TAM components grow continuously and become unmanageable. Opening and reviewing such files during problem determination can be cumbersome.
Answer
Routing files allow you to control event logging as follows:
- Whether to enable logging for a specific event class
- Where to direct output for each event class
- How many log files to use for each event class
- How large each file can be for each event class
Steps to enable message log rotation for the various TAM components:
1. Policy server
Windows: %PD_HOME%\etc\pdmgrd_routing
Linux and UNIX: /opt/PolicyDirector/etc/pdmgrd_routing
Make the following changes in pdmgrd_routing:
FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
ERROR:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
WARNING:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
NOTICE:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
Follow the FILE destination by a period and two numbers that are separated by a period (for example, FILE.10.100). The first value indicates the number of files to use. The second value indicates the number of events each file can contain. If you do not specify these values, there is only one log file that grows without limits.
2. Authorization Server
Windows: %PD_HOME%\etc\pdacld_routing
Linux and UNIX: /opt/PolicyDirector/etc/pdacld_routing
Make the following changes in pdacld_routing:
FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
ERROR:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
WARNING:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
NOTICE:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
3. Proxy Policy server
Policy proxy server
Windows: %PD_HOME%\etc\pdmgrproxyd_routing
Linux and UNIX: /opt/PolicyDirector/etc/pdmgrproxyd_routing
Make the following changes in pdmgrproxyd_routing:
FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
ERROR:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
WARNING:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
NOTICE:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
4. WebSEAL
A. Instructions for enabling rollover for WebSEAL agent.log, referer.log and request.log on a WebSEAL server are as follows:
i) In the [logging] stanza of each webseald.conf there is a max-size parameter (whose default is 2000000) that causes rollover to happen when file size reaches this limit.
- if set to 0, rollover is disabled.
- if set to a negative value, rollover happens daily.
ii) HTTP logging using event auditing can also be configured in the [aznapi-configuration] stanza of the WebSEAL configuration file.
logcfg = category:{stdout|stderr|file|pipe|remote} [[param[=value]] [,param[=value]]...]
For example:
logcfg = http:file path=/var/pdweb/log/http.log,flush_interval=20,rollover_size=2000000
B. The webseald message log is not controlled from within the WebSEAL configuration file; it is controlled through the routing file.
The contents of the msg__webseald.log file come from WebSEAL's STDERR, as controlled in the /opt/pdweb/etc/routing file:
FATAL:STDERR:-
ERROR:STDERR:-
WARNING:STDERR:-
The routing file can be modified to redirect these messages to a file, and log file management can be configured at the same time. For example:
FATAL:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
ERROR:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
WARNING:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
If you have multiple WebSEAL instances on the same system, by default they all use the same routing file. Because it is not desirable to have logging from more than one WebSEAL instance in the same file, each instance must use a separate routing file (each configured with a separate log file).
The environment variable PD_SVC_ROUTING_FILE can be set to point to a specific routing file, which WebSEAL uses when starting up. This lets you have a different routing file, and therefore a different log file, for each instance.
You could then write a script that sets PD_SVC_ROUTING_FILE to point to the appropriate routing file before starting the instance, such as:
PD_SVC_ROUTING_FILE=/opt/pdweb/etc/routing.instance1
export PD_SVC_ROUTING_FILE
/opt/pdweb/bin/pdweb_start start instance1
NOTE: The customer needs to plan the number of files that can be safely created in their environment without being overwritten. The logs should then be archived on a regular basis.
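The following routing-file audit is an added example, not IBM code. It flags file destinations that lack the .files.events suffix, computes the events retained per log path, and reports log paths shared between instances. It assumes UNIX paths, '#' comment lines, and that every destination whose name ends in FILE writes to a file; the function names are hypothetical.

```python
import re

# Constructed sample in the page's format; the WARNING entry omits the
# ".files.events" suffix, so that destination would grow without limit.
SAMPLE = """\
# comment line ('#' comments are an assumption of this sketch)
FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
ERROR:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
WARNING:UTF8FILE:/var/pdweb/log/msg__webseald.log
NOTICE:STDERR:-
"""
DEST = re.compile(r"^([A-Z0-9]+)(?:\.(\d+)\.(\d+))?$")

def parse_routing(text):
    """Return (line, severity, path, files, events) for each file destination."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        severity, _, routes = line.partition(":")
        for route in routes.split(";"):        # an entry may list several destinations
            dest, _, location = route.partition(":")
            m = DEST.match(dest.strip())
            if not m or not m.group(1).endswith("FILE"):
                continue                        # STDOUT/STDERR: nothing to rotate
            path = location.split(":")[0]       # drop :perm:owner:group (UNIX paths only)
            limits = (int(m.group(2)), int(m.group(3))) if m.group(2) else (None, None)
            records.append((lineno, severity, path, *limits))
    return records

def audit(text):
    """Return (unbounded destinations, {path: files * events kept before overwrite})."""
    unbounded, capacity = [], {}
    for lineno, severity, path, files, events in parse_routing(text):
        if files is None:
            unbounded.append((lineno, severity, path))
        else:
            capacity[path] = min(capacity.get(path, files * events), files * events)
    return unbounded, capacity

def shared_logs(routing_by_instance):
    """Return log paths that more than one instance's routing file writes to."""
    owners = {}
    for name, text in routing_by_instance.items():
        for _, _, path, _, _ in parse_routing(text):
            owners.setdefault(path, set()).add(name)
    return {p: sorted(names) for p, names in owners.items() if len(names) > 1}
```

Pass audit() the text of one routing file, and pass shared_logs() a mapping of instance name to routing-file text.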
Product Synonym
TAM;TAMeb;Policy server;Proxy policy server;Authorisation server
Document Information
Modified date:
16 June 2018
UID
swg21611840