Access Management 7.2.2

Debug logging

AM services capture a variety of information in debug logs. Unlike audit log records, debug log records are unstructured. Debug logs contain different types of information that is useful when troubleshooting AM, including stack traces.

AM uses Logback as the handler for debug logging, making it easily customizable. For example, the level of debug log record output is configurable, as is the storage location and format.

AM lets you enable the debug log level for specific classes in the AM code base. This can be useful when you must turn on debug logging in a production system where you want to avoid excessive logging, but must gather messages when you reproduce a problem.

You can choose the level of logging from the following options:

Off

No debug messages are logged.

Error

Debug messages signifying that an error has occurred are logged.

Warning

Debug messages signifying potentially harmful situations are logged.

Information

Debug messages that contain coarse-grained information about the status of AM are logged.

Debug

Debug messages that contain fine-grained information useful for troubleshooting AM are logged.

This is the default level.

Trace

All debug messages are logged.

Create loggers to specify the debug level for a class, and choose where the output is recorded. The logger used by a feature in AM is hierarchical, based on the class that is creating the debug messages. The most specific logger is used, which is the logger whose path most closely matches the class that is creating the log messages.

For example, if you knew there was an issue in an authentication module, you might enable trace-level debug logging in org.forgerock.openam.authentication.modules. If you are not sure where the problem lies, you may choose a broader option, for example org.forgerock.openam.authentication.

The least-specific, catch-all logger is named ROOT.

AM also logs information related to client interactions using the org.apache.http.wire and org.apache.http.headers appenders. The information they collect is useful, for example, when you are developing authentications scripts or when your environment requires STS transformations.

By default, these appenders are always set to the Warning level unless logging is disabled. For more information, see the org.forgerock.allow.http.client.debug advanced server property.

You can configure debug logging temporarily by using the AM admin UI, or you can create a file in the AM classpath with persistent debug configuration.

Temporarily enable debug logging with Logback.jsp

These steps let you temporarily capture debug messages, until the next time AM or the container in which it runs is restarted.

  1. In the AM admin UI, go to Logback.jsp in the root context of the AM installation, for example https://openam.example.com:8443/openam/Logback.jsp.

    No links to this page are provided in the AM admin UI.

    Only the amAdmin administrator account can access the Logback.jsp page and alter the debug settings; delegated administrators do not have access.

    The page displays all the appenders and their associated debug loggers:

    Logback.jsp
    Logback.jsp logger names

    The following lists contain the available logger names ordered by their associated appender:

    Authentication
    Authentication service, framework, Auth modules, Callbacks, JAAS, API
    com.sun.identity.authentication.spi.AMLoginModule,
    org.forgerock.openam.core.rest.authn.callbackhandlers,
    com.sun.identity.authentication.spi.AMAuthCallBackImpl,
    com.sun.identity.authentication.service.AuthContextLookup,
    com.sun.identity.authentication.util,
    org.forgerock.openam.authentication.service.LoginContextFactory,
    com.sun.identity.authentication.server.AuthContextLocal,
    com.sun.identity.authentication.service.AMAccountLockout,
    com.sun.identity.authentication.service.LoginState,
    com.sun.identity.authentication.UI.LoginViewBean,
    com.sun.identity.authentication.client,
    org.forgerock.openam.core.rest.authn.trees,
    com.sun.identity.authentication.spi.FirstTimeLogin,
    org.forgerock.openam.auth,
    org.forgerock.openam.authentication.service.SessionPropertyUpgrader,
    com.sun.identity.authentication.UI.AuthExceptionViewBean,
    com.sun.identity.authentication.spi.ReplayPasswd,
    com.sun.identity.authentication.config,
    com.sun.identity.authentication.share,
    org.forgerock.openam.authentication.SessionUpgradeVerifier,
    com.sun.identity.authentication.service.DSAMECallbackHandler,
    com.sun.identity.authentication.spi.AMModuleProperties,
    org.forgerock.openam.utils.MappingUtils,
    com.sun.identity.authentication.UI.AuthenticationServletBase,
    com.sun.identity.authentication.service.AuthenticationPrincipalDataRetrieverFactory,
    com.sun.identity.authentication.UI.LogoutViewBean,
    com.iplanet.security,
    com.sun.identity.authentication.internal,
    com.sun.identity.authentication.AuthContext,
    com.sun.identity.policy.plugins.AuthenticatedSharedAgents,
    org.forgerock.openam.ldap.LDAPAuthUtils,
    com.sun.identity.authentication.UI.AuthViewBeanBase,
    org.forgerock.openam.authentication.modules,
    com.iplanet.services.cdm,
    org.forgerock.openam.authentication.service.AuthUtilsWrapper,
    com.sun.identity.policy.plugins.AuthenticatedAgents,
    com.sun.identity.authentication.spi.JwtReplayPassword,
    com.sun.identity.policy.plugins.AllowedAgents,
    com.sun.identity.authentication.service.AuthenticationServiceAttributeCache,
    com.sun.identity.authentication.jaas,
    com.sun.identity.authentication.service.AuthD,
    org.forgerock.openam.core.rest.authn.core,
    org.forgerock.openam.scripting.api,
    com.sun.identity.common.ISAccountLockout,
    org.forgerock.openam.core.rest.authn.RestAuthCallbackHandlerFactory,
    org.forgerock.openam.core.rest.authn.RestAuthCallbackHandlerManager,
    org.forgerock.openam.webhook,
    com.iplanet.services.cdc,
    com.sun.identity.authentication.modules,
    org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1,
    com.sun.identity.authentication.service.AuthUtils,
    com.sun.identity.policy.plugins.AuthenticatedSharedAgentsCondition,
    org.forgerock.openam.authentication.service.JAASModuleDetector,
    org.forgerock.openam.core.rest.authn.RestAuthenticationHandler
    Configuration
    Service Configuration, Delegation, SMS Schema, SMS repository, plugins
    com.sun.identity.sm.ServiceSchemaManager,
    com.iplanet.services.ldap.event.EventService,
    com.sun.identity.sm.SMSSchema,
    com.sun.identity.tools,
    com.sun.identity.sm.SMSUtils,
    com.sun.identity.common.configuration.ServerConfigXMLObserver,
    com.sun.identity.sm.ServiceSchema,
    com.sun.identity.delegation,
    com.sun.identity.sm.OrganizationConfigManager,
    com.sun.identity.sm.ldap,
    com.sun.identity.sm.SMSNotificationManager,
    com.sun.identity.sm.PluginSchema,
    com.sun.identity.sm.AttributeValidator,
    com.sun.identity.sm.ServiceConfigManagerImpl,
    com.sun.identity.sm.ServiceConfigImpl,
    com.sun.identity.sm.SMSPropertiesObserver,
    com.sun.identity.sm.OrganizationConfigManagerImpl,
    com.sun.identity.sm.AuthenticationServiceNameProviderImpl,
    org.forgerock.openam.xui.XUIFilter,
    com.sun.identity.sm.ServiceSchemaImpl,
    com.sun.identity.setup,
    com.sun.identity.sm.AttributeSchemaState,
    com.sun.identity.sm.ServiceInstanceImpl,
    org.forgerock.openam.auditors,
    com.sun.identity.workflow,
    com.sun.identity.sm.ServiceConfigManager,
    org.forgerock.openam.sm.validation,
    com.sun.identity.common.configuration.SessionSiteNames,
    com.sun.identity.sm.ServiceConfig,
    com.sun.identity.sm.SMServlet,
    com.sun.identity.sm.ServiceManager,
    com.sun.identity.common.configuration.ServerPropertyValidator,
    com.sun.identity.sm.SMSEntry,
    com.sun.identity.sm.PluginConfig,
    org.forgerock.openam.utils.OpenAMSettingsImpl,
    com.sun.identity.sm.jaxrpc,
    com.sun.identity.sm.DNMapper,
    com.sun.identity.sm.SMSException,
    com.sun.identity.sm.SMSEventListenerManager,
    org.forgerock.openam.utils.MapHelper,
    com.sun.identity.sm.ServiceInstance,
    com.sun.identity.config.util,
    com.sun.identity.sm.CachedSubEntries,
    com.sun.identity.sm.PluginConfigImpl,
    com.sun.identity.authentication.service.ConfiguredSocialAuthServices,
    com.sun.identity.sm.ServiceSchemaManagerImpl,
    com.sun.identity.sm.CachedSMSEntry,
    com.sun.identity.sm.CreateServiceConfig,
    com.sun.identity.sm.AttributeSchema,
    com.sun.identity.sm.PluginSchemaImpl
    CoreSystem
    Core infrastructure services, PLL, cookies, naming, logging, upgrade, Scripting
    com.sun.identity.monitoring,
    com.sun.identity.saml2.idpdiscovery,
    com.sun.identity.security.cert.CRLValidator,
    org.forgerock.openam.xacml.v3.rest,
    org.forgerock.openam.core.rest.SelfServiceUserUiRolePredicate,
    org.forgerock.openam.core.rest.cts,
    org.forgerock.openam.sm.datalayer.impl.ldap.LdapSearchHandler,
    org.forgerock.openam.security,
    com.sun.identity.plugin.monitoring.impl,
    org.forgerock.openam.sm.datalayer.providers,
    com.zaxxer.hikari,
    org.forgerock.openam.uma.UmaUserUiRolePredicate,
    com.sun.identity.common.RequestUtils,
    org.forgerock.openam.entitlement.rest.SubjectAttributesResourceV1,
    org.forgerock.openam.services.baseurl,
    org.forgerock.openam.core.rest.IdentityRestUtils,
    org.forgerock.openam.core.rest.UserGroupsResource,
    org.forgerock.openam.oauth2.rest,
    com.sun.identity.authentication.UI.taglib,
    org.forgerock.openam.core.rest.docs,
    com.sun.identity.log,
    org.forgerock.openam.core.rest.AllAuthenticatedUsersResource,
    org.forgerock.openam.utils.WhitelistObjectInputStream,
    org.forgerock.openam.core.rest.dashboard,
    com.sun.identity.common.SystemTimerPool,
    org.forgerock.openam.core.rest.session.AnyOfAuthzModule,
    org.forgerock.openam.rest,
    org.forgerock.openam.core.rest.sms,
    com.sun.identity.common.admin,
    org.forgerock.openam.shared.resourcename,
    com.sun.identity.security.AdminTokenAction,
    org.forgerock.openam.uma.rest.UmaPolicyResourceAuthzFilter,
    org.forgerock.openam.shared.concurrency,
    org.forgerock.openam.core.rest.session.SessionResourcePrivilegeAuthzModule,
    org.forgerock.openam.entitlement.rest.ResourceTypesResource,
    org.forgerock.openam.uma.rest.UmaPolicyServiceImpl,
    org.forgerock.openam.entitlement.rest.DecisionCombinersResource,
    com.sun.identity.common.HttpURLConnectionManager,
    org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor,
    org.forgerock.openam.network.ipv4.IPv4AddressRange,
    org.forgerock.openam.audit,
    org.forgerock.audit,
    com.sun.identity.common.DNUtils,
    org.forgerock.openam.utils.IPRange,
    org.forgerock.openam.services.RestSecurity,
    org.forgerock.openam.core.rest.IdentityResourceV4,
    org.forgerock.openam.core.rest.IdentityResourceV3,
    com.sun.identity.security.SecurityDebug,
    org.forgerock.openam.backstage,
    org.forgerock.openam.core.rest.server,
    org.forgerock.openam.utils.ClientUtils,
    org.forgerock.openam.core.rest.IdentityResourceV2,
    org.forgerock.openam.entitlement.rest.ApplicationV1Filter,
    org.forgerock.openam.core.rest.IdentityResourceV1,
    org.forgerock.openam.core.rest.devices,
    org.forgerock.openam.entitlement.rest.ApplicationsResource,
    com.sun.identity.policy.util.Gateway,
    com.sun.identity.shared.jaxrpc,
    org.forgerock.openam.forgerockrest,
    com.iplanet.am.util,
    com.iplanet.services.comm,
    org.forgerock.openam.core.rest.authn.AuditHelper,
    org.forgerock.openam.sm.datalayer.impl.PooledTaskExecutor,
    org.forgerock.openam.ldap.LdifUtils,
    org.forgerock.openam.core.rest.session.action.LogoutByHandleActionHandler,
    org.forgerock.openam.sm.datalayer.impl.ldap.LdapQueryBuilder,
    com.sun.identity.shared.search,
    org.forgerock.openam.entitlement.rest.SubjectTypesResource,
    com.sun.identity.shared.encode.CookieUtils,
    com.iplanet.services.naming,
    org.forgerock.openam.cors,
    com.sun.identity.idsvcs,
    com.sun.identity.jaxrpc,
    org.forgerock.openam.http,
    org.forgerock.openam.shared.guice,
    org.forgerock.openam.utils.AMKeyProvider,
    org.forgerock.openam.utils.AuthLevelUtils,
    org.forgerock.openam.shared.security.whitelist,
    org.forgerock.openam.notifications,
    com.sun.identity.policy.util.GatewayServletUtils,
    org.forgerock.openam.core.sms,
    org.forgerock.openam.blacklist,
    com.sun.identity.common.configuration.AgentConfiguration,
    org.forgerock.openam.entitlement.rest.ApplicationTypesResource,
    org.forgerock.openam.monitoring,
    com.sun.identity.common.ResourceLookup,
    org.forgerock.openam.entitlement.rest.PolicyV1Filter,
    com.sun.identity.authentication.server.AuthXMLRequestParser,
    org.forgerock.openam.entitlement.rest.wrappers,
    com.sun.identity.security.cert.AMCertStore,
    org.forgerock.openam.sm.datalayer.impl.SimpleTaskExecutor,
    com.sun.identity.shared.locale,
    com.sun.identity.shared.whitelist,
    org.forgerock.openam.sm.datalayer.impl.ldap.CTSDJLDAPv3PersistentSearch,
    com.sun.identity.protocol,
    org.forgerock.openam.scripting.rest,
    org.forgerock.openam.entitlement.rest.ConditionTypesResource,
    org.forgerock.openam.core.rest.record,
    com.sun.identity.security.cert.AMCertPath,
    org.forgerock.openam.utils.ServiceConfigUtils,
    com.sun.identity.authentication.server.AuthXMLRequest
    EMBEDDED_DIRECTORY
    Embedded Directory Server
    org.forgerock.opendj,
    com.forgerock.opendj,
    com.forgerock.opendj.ldap.config,
    org.opends
    Federation
    Federated SSO, protocols (WS-Federation, SAML2), Metadata, Hub, Circle of Trust
    com.sun.identity.wsfederation.profile,
    com.sun.identity.saml2.servlet,
    com.sun.identity.saml2.plugins.SAML2PluginsUtils,
    com.sun.identity.plugin.datastore,
    com.sun.identity.saml2.logging,
    com.sun.identity.saml2.protocol,
    com.sun.identity.saml2.common,
    com.sun.identity.saml2.plugins.DefaultAccountMapper,
    org.forgerock.openam.federation,
    com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper,
    com.sun.identity.saml2.plugins.DefaultSPAccountMapper,
    com.sun.identity.wsfederation.plugins.whitelist,
    com.sun.identity.saml2.profile,
    com.sun.identity.wsfederation.plugins.DefaultLibrarySPAccountMapper,
    com.sun.identity.saml2.plugins.SAML2IDPProxyFRImpl,
    com.sun.identity.wsfederation.key,
    com.sun.identity.multiprotocol,
    com.sun.identity.saml2.plugins.SAML2IDPProxyImpl,
    com.sun.identity.wsfederation.servlet,
    com.sun.identity.xacml,
    com.sun.identity.plugin.monitoring.MonitorManager,
    com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper,
    com.sun.identity.wsfederation.plugins.DefaultAccountMapper,
    com.sun.identity.saml2.plugins.DefaultAttributeMapper,
    com.sun.identity.wsfederation.plugins.DefaultAttributeMapper,
    org.forgerock.openam.authentication.Saml2SessionUpgradeHandler,
    com.sun.identity.saml2.ecp,
    org.forgerock.openam.wsfederation,
    com.sun.identity.federation,
    org.forgerock.openam.saml2,
    jsp.saml2,
    com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper,
    com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper,
    com.sun.identity.plugin.log,
    com.sun.identity.saml,
    com.sun.identity.wsfederation.meta,
    com.sun.identity.wsfederation.plugins.DefaultIDPAuthenticationMethodMapper,
    com.sun.identity.saml2.plugins.DefaultFedletAdapter,
    com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper,
    com.sun.identity.saml2.xmlenc,
    com.sun.identity.saml2.plugins.DefaultSPAttributeMapper,
    com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper,
    com.sun.identity.saml2.xmlsig,
    com.sun.identity.liberty.ws.security,
    com.sun.identity.plugin.session.SessionManager,
    com.sun.identity.wsfederation.plugins.DefaultIDPAccountMapper,
    com.sun.identity.plugin.session.impl.FMSessionProvider,
    com.sun.identity.saml2.key,
    com.sun.identity.wsfederation.logging,
    com.sun.identity.saml2.plugins.DefaultIDPAccountMapper,
    com.sun.identity.wsfederation.plugins.DefaultADFSPartnerAccountMapper,
    com.sun.identity.saml2.assertion,
    com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper,
    com.sun.identity.plugin.session.impl.FedletSessionProvider,
    com.sun.identity.saml2.meta,
    com.sun.identity.plugin.configuration,
    com.sun.identity.saml2.soapbinding,
    com.sun.identity.wsfederation.common,
    com.sun.identity.cot
    IdRepo
    Identity Repositories, Datastores, plugins
    com.sun.identity.common.ISResourceBundle,
    com.iplanet.am.sdk,
    org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo,
    org.forgerock.openam.shared.security.crypto,
    com.iplanet.sso.SSOTokenManager,
    com.iplanet.services.ldap.DefaultDataStoreConfigurationManager,
    com.sun.identity.idm,
    org.forgerock.openam.idrepo.ldap.helpers.DirectoryHelper,
    com.sun.identity.shared.encode.Hash,
    org.forgerock.openam.core.realms,
    org.forgerock.openam.shared.security.ThreadLocalSecureRandom,
    com.iplanet.services.ldap.event.LDAPv3PersistentSearch,
    org.forgerock.openam.idrepo.ldap.psearch,
    com.sun.identity.security.ServerInstanceAction,
    org.forgerock.openam.identity,
    org.forgerock.openam.ldap.LDAPUtils
    OAuth2Provider
    OAuth 2.0 Provider
    org.forgerock.openam.oauth2.OpenAMClientRegistrationStore,
    org.forgerock.openam.oauth2.secrets,
    org.forgerock.openidconnect,
    org.forgerock.openam.oauth2.resources.ResourceSetLabelRegistration,
    org.forgerock.openam.oauth2.OAuth2GlobalSettings,
    org.forgerock.openam.oauth2.OpenAMClientRegistration,
    org.forgerock.openam.oauth2.ciba,
    org.forgerock.openam.oauth2.requesturis,
    org.forgerock.openam.oauth2.OAuth2AuditLogger,
    org.forgerock.openam.oauth2.token,
    org.forgerock.openam.oauth2.IdentityManager,
    org.forgerock.openam.oauth2.IgAgentClientRegistration,
    org.forgerock.openam.oauth2.jwks,
    org.forgerock.oauth2,
    org.forgerock.openam.utils.RealmNormaliser,
    org.forgerock.openam.oauth2.AgentClientRegistration,
    org.forgerock.openam.oauth2.ClientCredentialsReader,
    org.forgerock.openam.oauth2.remoteconsent,
    org.forgerock.openam.oauth2.OpenAMScopeValidator,
    org.forgerock.openam.oauth2.OAuth2Monitor
    OpenDJ-SDK
    Directory Server SDK
    org.forgerock.opendj.ldif,
    org.forgerock.opendj.asn1,
    com.forgerock.opendj.util,
    com.forgerock.opendj.ldap,
    org.forgerock.opendj.ldap,
    org.forgerock.opendj.util
    OtherLogging
    Miscellaneous logs
    org.forgerock.openam.secrets.SecretIdChoiceValues,
    org.forgerock.am.iot.IntrospectTokenActionHandler,
    com.sun.identity.sm.SmsObjectResolver,
    org.forgerock.config.resolvers,
    org.forgerock.openam.services.datastore,
    org.forgerock.openam.utils.JCECipherProvider,
    org.forgerock.config.resolvers.SystemPropertyResolver,
    com.sun.identity.policy.plugins,
    org.forgerock.openam.entitlement.rest,
    org.forgerock.openam.services.datastore.DataStoreConsistencyFilter,
    org.forgerock.openam.oauth2.saml2,
    org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore,
    org.forgerock.openam.headers.DisableSameSiteCookiesFilter,
    org.forgerock.openam.oauth2.resources,
    org.forgerock.openam.uma.rest,
    org.forgerock.openam.integration.idm.IdmClientIdRepo,
    org.forgerock.am.health.HealthCheckService,
    com.sun.identity.shared,
    org.forgerock.openam.network.ipv4,
    com.forgerock,
    org.forgerock.openam.core.rest.session,
    org.forgerock.util.encode.Base64url,
    org.forgerock.openam.core.rest,
    com.iplanet.services.ldap.ServerGroup,
    org.forgerock.am.iot.ThingsResource,
    org.forgerock.openam.uma,
    org.forgerock.openam.secrets.config.GoogleKeyManagementServiceSecretStore,
    org.forgerock.api.models.Resource,
    org.forgerock.openam.oauth2.saml2.core.Saml2GrantTypeHandler,
    com.sun.identity.configuration.ConfigFedMonitoring,
    org.forgerock.openam.setup.BootstrapSubstitutionService,
    org.forgerock.util.promise,
    org.forgerock.config.resolvers.EnvironmentVariableResolver,
    org.forgerock.config.util,
    org.forgerock.openam.scripting.ScriptEngineConfigurator,
    org.forgerock.openam.oauth2.guice,
    org.forgerock.openam.scripting.persistence,
    org.forgerock.api.models.Items,
    org.forgerock.openam.homedirectory.HomeDirectoryUtils,
    org.forgerock.openam.selfservice,
    com.iplanet.services,
    org.forgerock.openam.scripting.ThreadPoolScriptEvaluator,
    jsp,
    org.forgerock.am.health.ReadinessCheckEndpoint,
    io.swagger.models.parameters.AbstractSerializableParameter,
    org.forgerock.openam.social,
    com.sun.identity.plugin.monitoring,
    org.forgerock.openam.services.MailService,
    OAuth2Factory,
    org.apache.http.headers,
    org.forgerock.json,
    org.forgerock.openam.oauth2.OAuth2UrisFactory,
    com.sun.identity.shared.encode,
    org.forgerock.http.swagger,
    com.iplanet,
    com.sun.identity.common.configuration,
    org.forgerock.json.resource.InterfaceCollectionInstance,
    org.forgerock.json.resource.http.HttpUtils,
    org.forgerock.openam.uma.UmaProviderSettingsFactory,
    org.forgerock.openam.utils,
    org.forgerock.openam.scripting,
    org.forgerock.openam.uma.rest.UmaEnabledFilter,
    org.forgerock.openam.sts.publish.rest.RestSTSSetupListener,
    org.forgerock.util.encode.Base64,
    com.zaxxer,
    org.forgerock.openam.oauth2.guice.OAuth2GuiceModule,
    org.forgerock.openam.social.idp.SocialIdpJwksSecretsProvider,
    org.forgerock.secrets,
    org.forgerock.util.promise.Promises,
    org.forgerock.secrets.SecretReference,
    org.forgerock.openam.sts.publish.common.STSInstanceConfigStoreBase,
    io.swagger.models.parameters,
    org.forgerock.openam.sts.publish.common,
    io.swagger,
    org.forgerock.openam.oauth2.pop,
    org.forgerock.openam.sm.datalayer,
    org.forgerock.openam.social.idp.choiceValues.AllowedJweAlgorithms,
    org.forgerock.http,
    oauth2,
    org.forgerock.openam.service.datastore.LdapDataStoreService,
    org.forgerock.http.filter,
    org.apache.http.wire,
    org.forgerock.http.swagger.OpenApiRequestFilter,
    org.forgerock.openam.xui,
    org.forgerock.api.models,
    com.iplanet.services.ldap.event,
    org.forgerock.json.jose.jws.SigningManager,
    com.sun.identity.shared.xml.XMLUtils,
    org.forgerock.http.oauth2,
    org.forgerock.util.promise.PromiseImpl,
    org.forgerock.openam.secrets,
    org.forgerock.openam.sts.publish.service,
    org.forgerock.openam.sm.config.ConsoleConfigHandlerImpl,
    org.forgerock.openam.integration.idm,
    com.sun.identity.authentication,
    io.swagger.models,
    org.forgerock.openam.selfservice.SelfServiceRequestHandler,
    org.forgerock.am.health.LivenessCheckEndpoint,
    com.sun.identity.sm.RootSuffixProvider,
    org.forgerock.am.iot,
    idRepoAuditor,
    org.forgerock.openam.sm.datalayer.impl,
    org.forgerock.http.util,
    com.sun.identity.plugin.session.impl,
    com.sun.identity.common,
    org.forgerock.openam.utils.PerThreadCache,
    com.sun.identity.shared.xml,
    org.forgerock.openam.service.datastore,
    com.sun.identity.shared.datastruct,
    org.forgerock.json.jose.jws,
    com.sun.identity.common.configuration.ConfigurationObserver,
    com.sun.identity.configuration,
    org.forgerock.http.filter.TransactionIdInboundFilter,
    frRest,
    org.forgerock.secrets.propertyresolver,
    org.apache,
    org.forgerock.openam.service,
    org.forgerock.openam.secrets.SecretsUtils,
    org.forgerock.openam.utils.LogUtils,
    ROOT,
    com.sun.identity.common.ShutdownManager,
    org.forgerock.am.iot.GetAccessTokenActionHandler,
    org.forgerock.openam.core.rest.authn,
    org.forgerock.openam.scripting.persistence.config.consumer.ScriptTypeAdapter,
    com.sun,
    org.forgerock.util.i18n,
    org.forgerock.openam.entitlement.service.ApplicationServiceImpl,
    com.sun.identity.policy.plugins.PrefixResourceName,
    com.sun.identity.wsfederation.plugins,
    org.forgerock.openam.secrets.config.GoogleSecretManagerSecretStoreProvider,
    org.forgerock.api.transform,
    org,
    org.forgerock.util.encode,
    com.sun.identity.sm.SmsWrapperObject,
    org.forgerock.openam.sm.config,
    org.forgerock.openam.scripting.sandbox,
    org.forgerock.openam.shared.security,
    org.forgerock.api.transform.OpenApiTransformer,
    org.forgerock.http.oauth2.ResourceServerFilter,
    org.forgerock.openam.headers,
    com.sun.identity,
    org.forgerock.openam.core.rest.authn.http,
    org.forgerock.openam.errors,
    org.forgerock.openam.idrepo.ldap.helpers,
    org.forgerock.openam.secrets.config.SecretsPlugin,
    org.forgerock.http.protocol.Form,
    org.forgerock.json.resource,
    org.forgerock.util.i18n.PreferredLocales,
    com.iplanet.services.ldap,
    com.sun.identity.sm.schema.ParsedSchema,
    org.forgerock.openam.scripting.service.ScriptChoiceValues,
    org.forgerock.openam.sts.publish.rest.RestSTSInstancePublisherImpl,
    org.forgerock.openam.errors.AgentResourceExceptionMappingHandler,
    org.forgerock.config.resolvers.FlatFileResolver,
    org.forgerock.http.routing,
    org.forgerock.openam.oauth2.pop.MutualTlsConfirmationMethod,
    org.forgerock.openam.scripting.StandardScriptEvaluator,
    org.forgerock.am.iot.IotClientRegistrationStore,
    org.forgerock.http.servlet.Servlet3Adapter,
    org.forgerock.openam.idrepo,
    org.forgerock.config,
    ldapUrl,
    org.forgerock.json.resource.InterfaceSingletonHandler,
    org.forgerock.openam.secrets.config,
    org.forgerock.openam.sm.DefaultAnnotatedServiceRegistry,
    org.forgerock.am.health,
    org.forgerock.caf.authentication.framework,
    org.forgerock.am.iot.GetUserTokenActionHandler,
    com.sun.identity.authentication.UI.LoginLogoutMapping,
    org.forgerock.openam.config,
    io,
    org.forgerock.caf.authentication,
    org.forgerock.openam.sm,
    org.forgerock.openam.sm.ServiceSchemaRegistrar,
    org.forgerock.api.models.Operation,
    org.forgerock.http.protocol,
    org.forgerock.util.DirectoryWatcher,
    com.sun.identity.security,
    org.forgerock.openam.entitlement,
    org.forgerock.openam.oauth2.ClientCertificateHeaderFormat,
    org.forgerock.am.iot.GetUserCodeActionHandler,
    org.forgerock.openam.shared,
    org.forgerock.http.servlet,
    org.forgerock.api.CrestApiProducer,
    org.forgerock.openam.sm.annotations.SchemaBuilder,
    org.forgerock.openam.scripting.sandbox.RhinoSandboxClassShutter,
    org.forgerock.util.xml,
    com.sun.identity.authentication.service.ConfiguredIdentityTypes,
    org.forgerock.openam.xacml,
    org.forgerock.openam.scripting.service.GlobalScriptChoiceValues,
    com.iplanet.services.ldap.Server,
    com.sun.identity.sm,
    org.forgerock.openam.sts.publish.rest.RestSTSPublishServiceListener,
    org.forgerock.secrets.AllowedKeyUsageConstraint,
    org.forgerock.openam.oauth2.jar,
    org.forgerock.openam.oauth2.OAuth2Utils,
    org.forgerock.openam.sm.health.FbcLivenessCheck,
    org.forgerock.json.resource.http,
    org.forgerock.openam.idrepo.ldap,
    com.sun.identity.authentication.UI,
    com.iplanet.services.util,
    com.sun.identity.liberty.ws,
    com.sun.identity.authentication.server,
    org.forgerock.openam.sts.publish.service.SoapSTSPublishServiceRequestHandler,
    org.forgerock.util,
    com.iplanet.sso,
    org.forgerock.openam.sm.health.PluginStartupCheck,
    org.forgerock.guice.core.InjectorFactory,
    org.forgerock.openam.sm.datalayer.impl.ldap,
    org.forgerock.openam.sts.publish,
    org.forgerock.macaroons,
    org.forgerock.openam.selfservice.SelfServiceTreesResource,
    com,
    org.forgerock.openam.scripting.service.StandardScriptStoreFactory,
    org.forgerock.openam.scripting.persistence.config,
    org.forgerock.openam.validation,
    com.sun.identity.authentication.service,
    com.sun.identity.sm.SMSThreadPool,
    org.forgerock.openam.validation.RequestEntitySizeVerificationFilter,
    org.forgerock.util.promise.Promises$CompletedPromise,
    com.sun.identity.authentication.service.AuthConfigMonitor,
    org.forgerock.am,
    org.forgerock.openam.scripting.service,
    org.forgerock.api,
    org.forgerock.http.header.SetCookieHeader,
    org.forgerock.macaroons.SerializationFormatV2,
    org.forgerock.am.iot.IotService,
    org.forgerock.openam.ldap,
    com.iplanet.am,
    com.sun.identity.plugin,
    org.forgerock.macaroons.SerializationFormatV1,
    com.sun.identity.plugin.session,
    org.forgerock.openam.services,
    org.forgerock.util.xml.XMLUtils,
    org.forgerock.openam.oauth2.saml2.core,
    org.forgerock.openam.social.idp,
    org.forgerock.openam.config.ServiceComponentConfigBuilder,
    org.forgerock.openam.core.rest.session.action,
    com.sun.identity.liberty,
    org.forgerock.openam.homedirectory,
    org.forgerock.openam.scripting.StandardScriptEngineManager,
    org.forgerock.openam.secrets.Secrets,
    org.forgerock.caf.authentication.framework.AuthenticationFramework,
    org.forgerock.json.jose.utils.Utils,
    org.forgerock.openam.social.idp.SocialIdentityProviders,
    org.forgerock.openam.core.rest.authn.AuthIdHelper,
    org.forgerock.openam.oauth2,
    org.forgerock.openam.core.CoreWrapper,
    org.forgerock.guice,
    org.forgerock.http.protocol.Entity,
    org.forgerock.openam.sts.publish.service.RestSTSPublishServiceRequestHandler,
    org.forgerock.openam.scripting.persistence.config.consumer,
    org.forgerock.openam.network,
    org.forgerock.http.header,
    org.forgerock.openam.entitlement.service,
    org.forgerock.openam.integration,
    com.sun.identity.common.SystemTimer,
    org.forgerock.openam.core,
    com.sun.identity.sm.SmsChangesLogger,
    org.forgerock.openam.sm.datalayer.impl.CtsConnectionCheck,
    org.forgerock.openam.sts,
    com.sun.identity.authentication.server.AuthXMLHandler,
    org.forgerock.openam.sm.annotations,
    org.forgerock.config.resolvers.PropertyResolvers,
    org.forgerock.secrets.SecretsProvider,
    com.sun.identity.policy,
    com.sun.identity.wsfederation,
    org.forgerock.json.resource.http.HttpAdapter,
    org.forgerock.http.util.Uris,
    com.sun.identity.shared.datastruct.CollectionHelper,
    org.forgerock.guice.core,
    org.forgerock,
    org.forgerock.openam.sts.publish.rest,
    org.forgerock.openam.social.idp.choiceValues,
    com.iplanet.services.util.Crypt,
    com.sun.identity.config,
    org.forgerock.json.resource.InterfaceCollectionHandler,
    org.forgerock.openam,
    jsp.realmSelection,
    org.forgerock.openam.service.datastore.SmsDataStoreLookup,
    com.sun.identity.authentication.service.AMLoginContext,
    com.sun.identity.authentication.spi,
    org.forgerock.config.util.JsonValuePropertyEvaluator,
    org.forgerock.openam.xacml.v3,
    org.forgerock.http.routing.Router,
    com.iplanet.services.ldap.LDAPUser,
    com.sun.identity.policy.util,
    org.apache.http,
    com.sun.identity.sm.schema,
    org.forgerock.http.servlet.HttpFrameworkServlet,
    org.forgerock.openam.setup,
    org.forgerock.openam.social.idp.DefaultOpenIdConnectRelyingPartySettings,
    org.forgerock.openam.headers.SecureCookieFilter,
    com.iplanet.services.util.JCEEncryption,
    org.forgerock.json.jose,
    org.forgerock.openam.oauth2.OAuth2NotificationPublisher,
    com.sun.identity.security.cert,
    org.forgerock.json.jose.utils,
    org.forgerock.caf,
    org.forgerock.openam.oauth2.jar.JarAuthorizeRequestValidator,
    org.forgerock.openam.sm.health,
    org.forgerock.config.resolvers.ChainedPropertyResolver
    Plugins
    Plugin Framework
    org.forgerock.openam.plugins
    Policy
    Policy Framework,Subject, Condition, Resource Attributes, XACML, Plugins, API
    com.sun.identity.policy.PolicyManager,
    com.sun.identity.policy.plugins.Organization,
    com.sun.identity.policy.SharedSubject,
    com.sun.identity.policy.ActionDecision,
    com.sun.identity.policy.ResourceManager,
    com.sun.identity.policy.plugins.IDRepoResponseProvider,
    com.sun.identity.policy.plugins.AuthSchemeCondition,
    com.sun.identity.policy.plugins.LEAuthLevelCondition,
    com.sun.identity.policy.PolicyCache,
    com.sun.identity.policy.PolicyDecision,
    org.forgerock.openam.entitlement.monitoring,
    com.sun.identity.policy.ProxyPolicyEvaluatorFactory,
    com.sun.identity.policy.Rule,
    com.sun.identity.policy.ResourceComparatorValidator,
    com.sun.identity.policy.plugins.IPCondition,
    com.sun.identity.policy.ProxyPolicyEvaluator,
    com.sun.identity.policy.remote,
    com.sun.identity.policy.ValidationErrorHandler,
    org.forgerock.openam.entitlement.rest.EntitlementsExceptionMappingHandler,
    org.forgerock.openam.network.ipv6,
    com.sun.identity.policy.Subjects,
    com.sun.identity.policy.plugins.PeerOrgReferral,
    com.sun.identity.policy.Policy,
    com.sun.identity.policy.ActionSchema,
    org.forgerock.openam.idrepo.ldap.helpers.ADHelper,
    org.forgerock.openam.entitlement.configuration,
    com.sun.identity.policy.plugins.SubOrgReferral,
    com.sun.identity.policy.plugins.AuthenticateToRealmCondition,
    org.forgerock.openam.entitlement.indextree,
    com.sun.identity.policy.SubjectEvaluationCache,
    org.forgerock.openam.uma.rest.UserPolicyResource,
    com.sun.identity.policy.plugins.OrgReferral,
    com.sun.identity.policy.plugins.LDAPUsers,
    com.sun.identity.policy.plugins.UserSelfCheckCondition,
    com.sun.identity.policy.ResponseProviderTypeManager,
    com.sun.identity.policy.plugins.LDAPFilterCondition,
    com.sun.identity.policy.plugins.SimpleTimeCondition,
    com.sun.identity.policy.ResponseProviders,
    org.forgerock.openam.xacml.v3.resources,
    com.sun.identity.policy.PolicyUtils,
    com.sun.identity.policy.plugins.SessionCondition,
    org.forgerock.openam.entitlement.CachingEntitlementCondition,
    com.sun.identity.policy.plugins.AMIdentitySubject,
    com.sun.identity.policy.Referrals,
    com.sun.identity.policy.ResourceIndexManager,
    com.sun.identity.policy.plugins.AuthLevelCondition,
    com.sun.identity.policy.plugins.LDAPConnectionPools,
    com.sun.identity.policy.plugins.AuthenticateToServiceCondition,
    com.sun.identity.policy.plugins.AuthRoleCondition,
    com.sun.identity.policy.plugins.AMIdentityMembershipCondition,
    com.sun.identity.entitlement,
    com.sun.identity.policy.PolicyEvaluatorFactory,
    com.sun.identity.policy.plugins.SessionPropertyCondition,
    org.forgerock.openam.entitlement.PolicyConstants,
    com.sun.identity.policy.PolicyEvaluator,
    com.sun.identity.policy.ServiceTypeManager,
    com.sun.identity.policy.ServiceType,
    com.sun.identity.policy.ResourceResult,
    com.sun.identity.policy.plugins.ResourceEnvIPCondition,
    org.forgerock.openam.entitlement.conditions,
    com.sun.identity.policy.ConditionTypeManager,
    com.sun.identity.policy.PolicyConfig,
    com.sun.identity.policy.plugins.LDAPGroups,
    org.forgerock.openam.network.ipv4.IPv4Condition,
    com.sun.identity.policy.SubjectTypeManager,
    org.forgerock.openam.entitlement.utils,
    com.sun.identity.policy.util.PolicyDecisionUtils,
    org.forgerock.openam.entitlement.PolicySetNotificationConsumer,
    com.sun.identity.policy.Conditions,
    org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV2,
    com.sun.identity.policy.ReferralTypeManager,
    org.forgerock.openam.entitlement.rest.PolicyResource,
    org.forgerock.openam.entitlement.rest.JsonPolicyParser
    Push
    Push Notification
    org.forgerock.openam.services.push
    Radius
    RADIUS server
    org.forgerock.openam.radius
    Session
    Session framework, session management, SSOToken, session failover, API
    org.forgerock.openam.core.rest.session.action.SetPropertyActionHandler,
    org.forgerock.openam.core.rest.session.action.GetPropertyActionHandler,
    org.forgerock.openam.core.rest.session.SessionResource,
    com.sun.identity.sm.ServerIDValidator,
    org.forgerock.openam.cts,
    org.forgerock.openam.core.rest.session.action.LogoutActionHandler,
    org.forgerock.openam.dpro,
    com.iplanet.sso.providers,
    org.forgerock.openam.core.rest.session.action.ValidateActionHandler,
    org.forgerock.openam.core.rest.session.action.GetSessionPropertiesActionHandler,
    org.forgerock.openam.session,
    org.forgerock.openam.sm.datalayer.impl.ldap.ExternalLdapConfig,
    org.forgerock.openam.core.rest.session.action.UpdateSessionPropertiesActionHandler,
    org.forgerock.openam.core.rest.session.SSOTokenPartialSessionFactory,
    org.forgerock.openam.sm.SMSConfigurationFactory,
    org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread,
    com.iplanet.dpro,
    com.sun.identity.plugin.session.impl.FMSessionNotification,
    org.forgerock.openam.core.rest.session.action.GetPropertyNamesActionHandler,
    org.forgerock.openam.core.rest.session.SessionResourceUtil,
    org.forgerock.openam.core.rest.session.SessionResourceV2,
    com.sun.identity.sm.SiteIDValidator,
    org.forgerock.openam.core.rest.session.action.DeletePropertyActionHandler
    UmaProvider
    UMA provider
    org.forgerock.openam.oauth2.AccessTokenProtectionFilter,
    org.forgerock.openam.uma.UmaSettingsImpl,
    org.forgerock.openam.uma.icg,
    org.forgerock.openam.uma.PendingRequestEmailTemplate,
    org.forgerock.openam.uma.rest.UmaPolicyApplicationListener,
    org.forgerock.openam.uma.rest.UmaResourceSetRegistrationHook,
    org.forgerock.openam.oauth2.resources.labels,
    org.forgerock.openam.uma.UmaProviderSettingsImpl,
    org.forgerock.openam.uma.UmaGrantTypeHandler,
    org.forgerock.openam.uma.rest.UmaLabelResource,
    org.forgerock.openam.uma.PendingRequestsService,
    org.forgerock.openam.uma.audit
    WebServices
    Web services security (WSS), STS, Identity Services
    com.sun.identity.liberty.ws.paos,
    com.sun.identity.liberty.ws.common,
    com.sun.identity.policy.plugins.WebServicesClients,
    com.sun.identity.liberty.ws.soapbinding,
    com.sun.identity.authentication.spi.WSSReplayPasswd
    amUpgrade
    Upgrade framework
    com.sun.identity.sm.ServiceSchemaModifications,
    org.forgerock.openam.upgrade,
    com.sun.identity.common.configuration.ServerConfiguration,
    com.sun.identity.config.upgrade,
    com.sun.identity.security.cert.AMCRLStore
  2. To set the logging level for all loggers that output to a particular appender:

    1. Select the name of the appender from the Appender drop-down list.

    2. Select the debug level from the Level drop-down list.

    3. Click Apply.

  3. To set the logging level for a class or package:

    1. Select the name of the individual logger from the Logger drop-down list, or select the global ROOT logger to set the level for all loggers. .List of logger names

      The current debug level is shown in the Level field.

      Any scripts that create debug messages have their own logger, which is only created after the script has executed at least once.

      The name of the logger has the format: scripts.script-type.script-UUID.

      For example, scripts.POLICY_CONDITION.9de3eb62-f131-4fac-a294-7bd170fd4acb.

    2. Select a new debug level from the Level drop-down list.

    3. Click Apply.

    When you apply any changes to the logger settings , a Logger settings updated message is shown at the top of the Logback.jsp page.

    Changes made in Logback.jsp apply immediately, but are not permanently stored. Restarting AM or the container in which it runs will reset the levels to defaults.

    You can configure the default settings that will be applied when AM starts up. See Change the startup debug settings.

  4. As soon as you have reproduced the problem you are investigating, return to the Logback.jsp page and revert the logger levels to the previous settings, to avoid filling up disk space.

Persistent debug logging with logback.xml

Debug logging can be enabled and persisted in AM by configuring a logback.xml file. This file describes the classes for which to capture debug messages, and the destination, or appender, where the output is stored.

For more information about configuring Logback, see Logback configuration in the Logback Documentation.

Configure basic debug logging

Follow these steps to configure basic persistent debug logging in AM, using a logback.xml file:

  1. Create a logback.xml file in the AM classpath, for example in /path/to/tomcat/webapps/openam/WEB-INF/classes/.

  2. In the logback.xml file, add an empty, top-level element named configuration.

    For example:

    <configuration>
    </configuration>

    This element will contain the configuration of the loggers and appenders, added in later steps.

    • To instruct AM to periodically check the logback.xml file for changes, and apply them to the running instance, add both a scan and a scanPeriod attribute to the <configuration> element. For example:

      <configuration scan="true" scanPeriod="30 seconds">
      </configuration>

      If AM is not configured to scan the logback.xml file for changes, you’ll need to restart the instance in order to pick up any changes.

      You can set the scanPeriod attribute to a longer time period, for example one hour, so that you don’t have to restart a running system when you need to alter the debugging level.

      For more information, see Automatically reloading configuration file upon modification in the Logback Documentation.

    • To troubleshoot issues when configuring debug logging using the logback.xml file, add a debug attribute, set to true, to the <configuration> element. For example:

      <configuration debug="true">
      </configuration>

      AM records debug logging status information to the default log file for the container in which it is running. For example, in Tomcat, status messages about the configuration of logback are recorded in the Catalina.out file.

      For more information, see Status data in the Logback Documentation.

  3. Define one or more appenders in the <configuration> element.

    The following example appender logs messages to a file named debug.out in the default AM debug directory:

    <configuration>
      <appender name="DEBUG.OUT" class="ch.qos.logback.core.FileAppender">
        <file>openam/var/debug/debug.out</file>
        <encoder>
          <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
        </encoder>
      </appender>
    </configuration>

    The pattern in the above example creates debug log entries that are identical to the output produced by previous versions of AM, including the transaction ID to aid with tracking events as they occur throughout the system.

    You can also define an appender that uses the JsonLayout class to include the transaction ID automatically. See Format log files for details.

  4. Define one or more loggers in the <configuration> element.

    Loggers specify which classes to capture debug messages from, including any sub-classes. They also specify the level of debug information to capture, and which appender is used to store the output.

    The following example logger applies the Debug level to the scripts.POLICY_CONDITION class and its sub-classes. The output is recorded in the file specified in the debug.out appender, created in a previous step:

    <configuration>
      <appender name="DEBUG.OUT" class="ch.qos.logback.core.FileAppender">
        <file>openam/var/debug/debug.out</file>
        <encoder>
          <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
        </encoder>
      </appender>
      <logger name="scripts.POLICY_CONDITION" level="Debug" >
        <appender-ref ref="DEBUG.OUT" />
      </logger>
    </configuration>
  5. Define a single root catch-all element in the <configuration> element, to specify the global logging level for all classes that do not match any of the loggers defined in the logback.xml file.

    <configuration>
      <appender name="DEBUG.OUT" class="ch.qos.logback.core.FileAppender">
        <file>openam/var/debug/debug.out</file>
        <encoder>
          <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
        </encoder>
      </appender>
      <logger name="scripts.POLICY_CONDITION" level="Debug" >
        <appender-ref ref="DEBUG.OUT" />
      </logger>
      <root level="Error">
        <appender-ref ref="DEBUG.OUT" />
      </root>
    </configuration>
  6. Save your changes.

    The changes are applied the next time you restart AM, or the container in which it runs.

    If you are editing an existing logback.xml that AM has already loaded, and contains the scan="true" attribute, you do not need to reboot.

    Instead, wait for the amount of time specified in the scanPeriod attribute, and the new configuration will be loaded into AM.

  7. To verify that the configuration from the logback.xml file has loaded, go to the Logback.jsp file, for example at https://openam.example.com:8443/openam/Logback.jsp, which reflects the configuration found:

    Logback.jsp reflecting the configuration in logback.xml

    Note that any changes made in the Logback.jsp are temporary, and are not persisted to the logback.xml file.

Output to stdout

Configure logback.xml to send logging to standard output. For example, for Apache Tomcat deployments, console output is typically redirected to the Tomcat logging file, catalina.out.

This example configuration captures all debug-level logging using the default <root> element, and redirects it to the STDOUT appender:

<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> (1)
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>
  <root level="Debug">                                                 (2)
    <appender-ref ref="STDOUT" />
  </root>
</configuration>
  1. To configure this example, create the following elements:

    1 An <appender> that uses the ch.qos.logback.core.ConsoleAppender class.
    2 A <logger>, or a <root> element as shown here, referencing the STDOUT appender.
  2. Save your changes as described in Configure basic debug logging.

  3. Check that debug logging is now output to stdout. For example:

    tail -f $TOMCAT_HOME/logs/catalina.out

Output to multiple locations

You can direct debug logging to more than one output location by defining multiple appenders and loggers. Note that you can define only one root element.

This example defines loggers for the scripts.POLICY_CONDITION and scripts.OAUTH2_VALIDATE_SCOPE classes and subclasses that output debug logging to file, using the DEBUG.OUT appender.

All debug-level logging is also directed to standard output using the STDOUT appender.

<configuration>
  <appender name="DEBUG.OUT" class="ch.qos.logback.core.FileAppender"> (1)
    <file>openam/var/debug/debug.out</file>
    <encoder>
      <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
    </encoder>
  </appender>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> (2)
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>
  <logger name="scripts.OAUTH2_VALIDATE_SCOPE" level="Debug" >         (3)
      <appender-ref ref="DEBUG.OUT" />
    </logger>
  <logger name="scripts.POLICY_CONDITION" level="Debug" >              (3)
    <appender-ref ref="DEBUG.OUT" />
  </logger>
  <root level="Debug">                                                 (4)
    <appender-ref ref="STDOUT" />
  </root>
</configuration>
  1. To configure this example, create the following elements:

    1 An <appender> that uses the ch.qos.logback.core.FileAppender class.
    2 An <appender> that uses the ch.qos.logback.core.ConsoleAppender class.
    3 A <logger> for each of the script types, referencing the DEBUG.OUT appender.
    4 A <logger>, or a <root> element as shown here, referencing the STDOUT appender.
  2. Save and verify your changes as described in Configure basic debug logging.

Format log files

The org.forgerock.openam.logback.JsonLayout class extends Logback JSON layout functionality by adding the transaction ID to the JSON output.

This example shows how you can include the JsonLayout class to format your log files:

<appender name="JSON" class="ch.qos.logback.core.rolling.RollingFileAppender"> (1)
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>openam/var/debug/debugLog.%d{yyyy_MM_dd}.json</fileNamePattern>
    <maxHistory>7</maxHistory>
  </rollingPolicy>
  <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">          (2)
    <layout class="org.forgerock.openam.logback.JsonLayout">                   (3)
      <jsonFormatter class="ch.qos.logback.contrib.jackson.JacksonJsonFormatter"> (4)
        <prettyPrint>true</prettyPrint>
      </jsonFormatter>
      <timestampFormat>yyyy-MM-dd' 'HH:mm:ss.SSS</timestampFormat>
      <appendLineSeparator>true</appendLineSeparator>
    </layout>
  </encoder>
</appender>
  1. To configure this example, create the following elements:

    1 An <appender> that uses the ch.qos.logback.core.rolling.RollingFileAppender class.
    2 An <encoder> that uses the ch.qos.logback.core.encoder.LayoutWrappingEncoder class.
    3 A <layout> element that uses the org.forgerock.openam.logback.JsonLayout class.
    4 A <jsonFormatter> element that uses the ch.qos.logback.contrib.jackson.JacksonJsonFormatter class.
  2. Save and verify your changes as described in Configure basic debug logging.

    The use of the JsonLayout class results in the addition of a transactionId at the top level of the log entry.

    For example:

    {
      "timestamp" : "2022-07-28 15:39:44.562",
      "level" : "DEBUG",
      "thread" : "http-nio-8080-exec-6",
      "mdc" : {
        "transactionId" : "eb0664cc-4615-461e-973a-64a1fc4f659a-34695"
      },
      "logger" : "org.forgerock.openam.rest.restAuthenticationFilter",
      "message" : "OpenAM SSO Token Session Module has successfully authenticated the client",
      "context" : "default",
      "transactionId" : "eb0664cc-4615-461e-973a-64a1fc4f659a-34695"
    }

Rotate debug logs

Logback provides built-in support for a number of log file rotation schemes, including time- and-size based rotation. If you have configured AM with a logback.xml file, you can configure log file rotation in the appenders, as follows:

  1. In the <configuration> element, create an appender that uses the ch.qos.logback.core.rolling.RollingFileAppender class, for example:

    <appender name="DAILYLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
      <encoder>
        <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
      </encoder>
    </appender>

    Within the appender, specify whether to rotate based on time, and optionally also size, as follows:

    • To rotate the log files based only on time, add a <rollingPolicy> element to the appender, which uses the ch.qos.logback.core.rolling.TimeBasedRollingPolicy class.

      Include a <fileNamePattern> element that defines when the log files should roll over, and the naming convention.

      For example, the following appender rolls the log file over at midnight each day, and includes the date in the filename:

      <appender name="DAILYLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
          <fileNamePattern>openam/var/debug/dailyLog.%d{yyyy-MM-dd}.log</fileNamePattern>
        </rollingPolicy>
        <encoder>
          <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
        </encoder>
      </appender>
    • To rotate the log files based on both time and size, add a <rollingPolicy> element to the appender, which uses the ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy class.

      Include a <fileNamePattern> element that defines when the log files should roll over, and where the counter for rolling over based on size occurs, specified by including %i. You must also include a <maxFileSize> element to define the maximum size of the log files.

      For example, the following appender rolls the log file over at midnight each day, but earlier if the file reaches 2 gigabytes in size, and includes the date in the filename:

      <appender name="DAILYLOG2GB" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
          <fileNamePattern>openam/var/debug/dailyLog2GB.%d{yyyy-MM-dd}-%i.log</fileNamePattern>
          <maxFileSize>2GB</maxFileSize>
        </rollingPolicy>
        <encoder>
          <pattern>%lo{5}: %d{ISO8601}: Thread[%t]: TransactionId[%X{transactionId}]%n%level: %m%n%ex</pattern>
        </encoder>
      </appender>
  2. Save and verify your changes as described in Configure basic debug logging.

    Debug log files will roll over each night, and also if they reach the 2GB size limit. The file names will contain the date, and a counter to signify the order in which they were written.

Change the startup debug settings

You can configure the settings that will be applied when AM starts up and there is no logback.xml file present.

The settings specified as defaults will be reflected in the Logback.jsp file, for example at https://openam.example.com:8443/openam/Logback.jsp. However, they will not override the configuration contained with a custom logback.xml file.

Set the default debug level

These steps set the default debug level used by all loggers, when AM starts up:

  1. In the AM admin UI, go to Deployment > Servers > Server Name > General > Debugging.

  2. Select an option from the Debug Level field.

    The default level for debug logging is Error. This level is appropriate for normal production operations, in which case no debug log messages are expected.

    Setting the debug log level to Warning increases the volume of messages. Setting the debug log level to Message dumps detailed trace messages.

    Unless told to do so by qualified support personnel, do not use Warning or Message levels as a default in production. Instead, set the levels on a per-class basis.

  3. Save your changes.

    Changes are applied immediately.

Set the default debug directory

These steps set the default directory used to store debug log files:

  1. In the AM admin UI, go to Deployment > Servers > Server Name > General > Debugging.

  2. Enter a directory in which to store log files in the Debug Directory field.

    The default value is %BASE_DIR%/%SERVER_URI%/debug. The %BASE_DIR% value equates to the folder containing the AM local configuration, for example /path/to/openam. The %SERVER_URI% value equates to the deployment URI used when deploying AM, for example /openam.

    Therefore, the default location for the debug logs resembles the following: /path/to/openam/var/debug/.

    Make sure that the specified folder can be written to by the account that is running AM or the container in which it runs.

  3. Save your changes.

    The changes are applied the next time you restart AM, or the container in which it runs.

Combine log messages in a single file

These steps log all debug messages to a single debug.out file:

  1. In the AM admin UI, go to Deployment > Servers > Server Name > General > Debugging.

  2. Set the Merge Debug Files property to On.

  3. Save your changes.

    Changes are applied immediately.

    All debug log messages will be written to a single debug file named debug.out. The file will be located in the directory specified in the Debug Directory property. See Set the default debug directory.