IBM Support

Log management for TAM Policy Server, Proxy, Auth server and WebSEAL

Question & Answer


Question

How do you roll over logs for the TAM Policy Server, Proxy Policy Server, Authorization Server and WebSEAL?

Cause

With default settings, the message logs for TAM components grow continuously and become unmanageable. Opening and reviewing such files during problem determination can be cumbersome.

Answer

Routing files allow you to control event logging as follows:

  • Whether to enable logging for a specific event class
  • Where to direct output for each event class
  • How many log files to use for each event class
  • How large each file can be for each event class

Steps to enable message log rotation for the various TAM components:


1. Policy server

Windows: %PD_HOME%\etc\pdmgrd_routing
Linux and UNIX: /opt/PolicyDirector/etc/pdmgrd_routing

Make the following changes in pdmgrd_routing:

FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
ERROR:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
WARNING:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr
NOTICE:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrd_utf8.log:644:ivmgr:ivmgr


Follow the FILE destination by a period and two numbers that are separated by a period (for example, FILE.10.100). The first value indicates the number of files to use. The second value indicates the number of events each file can contain. If you do not specify these values, there is only one log file that grows without limits.

2. Authorization Server

Windows: %PD_HOME%\etc\pdacld_routing
Linux and UNIX: /opt/PolicyDirector/etc/pdacld_routing

Make the following changes in pdacld_routing:

FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
ERROR:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
WARNING:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr
NOTICE:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdacld_utf8.log:644:ivmgr:ivmgr


3. Proxy Policy server

Windows: %PD_HOME%\etc\pdmgrproxyd_routing
Linux and UNIX: /opt/PolicyDirector/etc/pdmgrproxyd_routing

Make the following changes in pdmgrproxyd_routing:

FATAL:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
ERROR:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
WARNING:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr
NOTICE:STDOUT:-;UTF8FILE.10.100000:/var/PolicyDirector/log/msg__pdmgrproxyd_utf8.log:644:ivmgr:ivmgr


4. WebSEAL

A. Instructions for enabling rollover for WebSEAL agent.log, referer.log and request.log on a WebSEAL server are as follows:

i) In the [logging] stanza of each webseald.conf there is a max-size parameter (whose default is 2000000) that causes rollover to happen when file size reaches this limit.
- if set to 0, rollover is disabled.
- if set to a negative value, rollover happens daily.

ii) HTTP logging using event auditing can also be configured in the [aznapi-configuration] stanza of the WebSEAL configuration file.

logcfg = category:{stdout|stderr|file|pipe|remote} [[param[=value]] [,param[=value]]...]

For example:
logcfg = http:file path=/var/pdweb/log/http.log,flush_interval=20,rollover_size=2000000


B. The webseald msg log is not controlled from within the WebSEAL configuration file; it is controlled through the routing file.

--------------------------------------------

The contents of the msg__webseald.log file come from WebSEAL's STDERR, as controlled in the /opt/pdweb/etc/routing file:
 
FATAL:STDERR:-
ERROR:STDERR:-
WARNING:STDERR:-


The routing file can be modified to redirect these messages to a file, and the log file management can be configured at the same time. For example...

FATAL:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
ERROR:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
WARNING:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log

If you have multiple WebSEAL instances on the same system, by default they all use the same routing file. Because it is not desirable to have logging from more than one WebSEAL instance in the same file, each instance must use a separate routing file (each configured with a separate log file).

The environment variable PD_SVC_ROUTING_FILE can be set to point to a specific routing file, which WebSEAL will use when starting up. This lets you have a different routing file, and therefore a different log file, for each instance.

You could then write a script that sets PD_SVC_ROUTING_FILE to point to the appropriate routing file before starting the instance, such as...

PD_SVC_ROUTING_FILE=/opt/pdweb/etc/routing.instance1
export PD_SVC_ROUTING_FILE
/opt/pdweb/bin/pdweb_start start instance1



NOTE: The customer needs to plan the number of files that can safely be created in their environment without being overwritten. The logs should then be archived on a regular basis.
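
The following is an added example, not IBM's code: it audits routing files for file destinations that lack the count/size suffix (and therefore grow without limit), computes how many events each bounded entry retains, and reports log paths shared by more than one routing file. It assumes UNIX-style paths, '#' comment lines, and that any destination type ending in FILE is a file destination; the sample routing files are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: one routing file per WebSEAL instance (hypothetical names).
SAMPLE = {
    "routing.instance1": """\
# comment lines start with '#'
FATAL:STDOUT:-;UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
ERROR:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log
WARNING:UTF8FILE:/var/pdweb/log/msg__webseald.log
""",
    "routing.instance2": "ERROR:UTF8FILE.10.10000:/var/pdweb/log/msg__webseald.log\n",
}

# Assumption: a file destination is a type ending in FILE, optionally ".<files>.<events>".
DEST = re.compile(r"^(?P<kind>[A-Z0-9]*FILE)(?:\.(?P<count>\d+)\.(?P<events>\d+))?$")

def parse(text):
    """Yield (severity, kind, count, events, path) for each file destination."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        severity, _, rest = line.partition(":")
        for dest in rest.split(";"):          # several destinations per severity
            fields = dest.split(":")          # UNIX-style paths only (no drive letters)
            m = DEST.match(fields[0])
            if m and len(fields) > 1:
                count = int(m["count"]) if m["count"] else None
                events = int(m["events"]) if m["events"] else None
                yield severity, m["kind"], count, events, fields[1]

def audit(routing_files):
    """Return (unbounded, capacity, shared) findings for a {name: text} mapping."""
    unbounded, capacity, users = [], {}, defaultdict(set)
    for name, text in routing_files.items():
        for severity, _kind, count, events, path in parse(text):
            users[path].add(name)
            if count is None:
                unbounded.append((name, severity, path))   # one file, no limit
            else:
                # files x events per file: what is kept before files are reused
                capacity[(name, severity)] = count * events
    shared = {p: sorted(n) for p, n in users.items() if len(n) > 1}
    return unbounded, capacity, shared

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The capacity figures give the retention window to compare against the archiving schedule mentioned in the note above.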


Product Synonym

TAM;TAMeb;Policy server;Proxy policy server;Authorisation server

Document Information

Modified date:
16 June 2018

UID

swg21611840