IBM Support

Log management for TAM Policy Server, Proxy, Auth server and WebSEAL

Question & Answer


How to rollover logs for TAM Policy Server, Proxy Policy Server and Authorization server and WebSEAL


With default settings, the message logs for TAM components will grow continuously and become unmanageable. Opening and reviewing such files during problem determination, can be cumbersome.


Routing files allow you to control event logging as follows:

  • Whether to enable logging for specific event class
  • Where to direct output for each event class
  • How many log files to use for each event class
  • How large each file can be for each event class

Steps to enable message log rotation for the various TAM components:

1. Policy server

Windows %PD_HOME%\etc\pdmgrd_routing
Linux and UNIX /opt/PolicyDirector/etc/pdmgrd_routing

Make the following changes in pdmgrd_routing


Follow the FILE destination by a period and two numbers that are separated by a period (for example, FILE.10.100). The first value indicates the number of files to use. The second value indicates the number of events each file can contain. If you do not specify these values, there is only one log file that grows without limits.

2. Authorization Server

Authorization server
Windows %PD_HOME%\etc\pdacld_routing
Linux and UNIX /opt/PolicyDirector/etc/pdacld_routing

Make the following changes in pdacld_routing


3. Proxy Policy server

Policy proxy server
Windows %PD_HOME%\etc\pdmgrproxyd_routing
Linux and UNIX /opt/PolicyDirector/etc/pdmgrproxyd_routing

Make the following changes in pdmgrproxyd_routing


4. Webseal

A. Instructions for enabling rollover for WebSEAL agent.log, referer.log and request.log on a WebSEAL server are as follows:

i) In the [logging] stanza of each webseald.conf there is a max-size parameter (whose default is 2000000) that causes rollover to happen when file size reaches this limit.
- if set to 0, rollover is disabled.
- if set to a negative value, rollover happens daily.

ii) HTTP logging using event auditing can also be configured in the [aznapi-configuration] stanza of the WebSEAL configuration file.

logcfg = category:{stdout|stderr|file|pipe|remote} [[param[=value]] [,param[=value]]...]

logcfg =
http:file path=/var/pdweb/log/http.log,flush_interval=20, rollover_size=2000000

B. The webseald msg log is not controlled from within the webseal conf file, but instead, via the routing file.


The contents of the msg__webseald.log file come from webseal's STDERR, as controlled in the /opt/pdweb/etc/routing file

The routing file can be modified to redirect these messages to a file, and the log file management can be configured at the same time. For example...


If you have multiple webseal instances on the same system, the default is that they will all use the same routing file. Because it's not desirable to have logging from more than one webseal in the same file, it is necessary to get each instance to use a separate routing file (each configured with a separate log file).

The environment variable PD_SVC_ROUTING_FILE can be set to point to a specific routing file which webseal will use when starting up. This allows you to have a different routing file for each instance, which allows you to configure a different log file for each instance.

Then you could write a script which will set the PD_SVC_ROUTING_FILE to point to the appropriate routing file before starting the instance, such as...

/opt/pdweb/bin/pdweb_start start instance1

NOTE: The customer needs to plan the number of files, that can be safely created in their environment, without being overwriting. The logs should then be archived on a regular basis.

[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Product Synonym

TAM;TAMeb;Policy server;Proxy policy server;Authorisation server

Document Information

Modified date:
16 June 2018