Creating an error-only server log
This section describes an approach for modifying your log4j2.xml file to create an error-only log, which can be sent to a security information and event management (SIEM) tool, such as Splunk. You can configure alerts to send notifications when such events occur, or to improve the monitoring of these events.
About this task
We recommend using the server.log file for error-level messages. Even when levels are down to a minimum, the server log generates large amounts of information in an active production environment. As an alternative, you can set up a specific log to log only ERROR and higher.
To change your log4j2.xml file to enable a separate log file:
Steps
- Create an appender.

  The easiest way to create an appender is to copy an existing one as a base. In the following example, the RollingFile is the same one that the server.log file uses. Bold text identifies items that have been changed.

      <!-- Error Only Main Log : A size based file rolling appender -->
      <RollingFile name="FILEERR"
                   fileName="${sys:pf.log.dir}/server.error.log"
                   filePattern="${sys:pf.log.dir}/server.error.log.%i"
                   ignoreExceptions="false">
          <PatternLayout>
              <!-- Uncomment this if you want to use UTF-8 encoding instead of system's default encoding.
              <charset>UTF-8</charset> -->
              <pattern>%d %X{trackingid} %-5p [%c] %m%n</pattern>
          </PatternLayout>
          <Policies>
              <SizeBasedTriggeringPolicy size="10000 KB" />
          </Policies>
          <DefaultRolloverStrategy max="5" />
      </RollingFile>

- At the end of your log4j2.xml file, set the appender that you created in the previous step for AsyncRoot.

      <AsyncRoot level="INFO" includeLocation="false">
          <!-- <AppenderRef ref="CONSOLE" /> -->
          <AppenderRef ref="FILE" />
          <AppenderRef ref="FILEERR" level="ERROR" />
      </AsyncRoot>

  In this example, the level attribute indicates the level of messages that are sent to the log file.

- Remove the attribute additivity="false" from all other loggers that contain a reference to the File appender.

      <Logger name="org.sourceid.saml20.util.SystemUtil" level="INFO" additivity="false">
          <!--<AppenderRef ref="CONSOLE" /> -->
          <AppenderRef ref="FILE" />
      </Logger>

  Becomes:

      <Logger name="org.sourceid.saml20.util.SystemUtil" level="INFO">
          <!--<AppenderRef ref="CONSOLE" /> -->
          <AppenderRef ref="FILE" />
      </Logger>

- Make this change on all nodes within the cluster.

  To expedite this step, we recommend creating a base file with the appropriate changes and copying it to all the nodes.

- Restart PingFederate.
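Before copying the base file to every node, the three edits above can be checked mechanically. The following Python script is an added example, not part of the product documentation: it assumes a log4j2.xml without XML namespaces laid out as Configuration/Appenders and Configuration/Loggers, and the embedded sample (including the logger name com.example.fixed and the shortened appender attributes) is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real PingFederate file): a trimmed log4j2.xml in
# which one logger still carries additivity="false".
SAMPLE = """<Configuration>
  <Appenders>
    <RollingFile name="FILE" fileName="server.log" filePattern="server.log.%i"/>
    <RollingFile name="FILEERR" fileName="server.error.log" filePattern="server.error.log.%i"/>
  </Appenders>
  <Loggers>
    <Logger name="org.sourceid.saml20.util.SystemUtil" level="INFO" additivity="false">
      <AppenderRef ref="FILE"/>
    </Logger>
    <Logger name="com.example.fixed" level="INFO">
      <AppenderRef ref="FILE"/>
    </Logger>
    <AsyncRoot level="INFO" includeLocation="false">
      <AppenderRef ref="FILE"/>
      <AppenderRef ref="FILEERR" level="ERROR"/>
    </AsyncRoot>
  </Loggers>
</Configuration>"""

def audit(xml_text, main="FILE", err="FILEERR"):
    """Return a list of findings; an empty list means the steps were applied."""
    cfg = ET.fromstring(xml_text)
    findings = []
    if not any(a.get("name") == err for a in cfg.findall("./Appenders/*")):
        findings.append(f"appender {err} is not defined")
    for lg in cfg.findall("./Loggers/*"):
        refs = {r.get("ref"): r for r in lg.findall("AppenderRef")}
        if lg.tag in ("Root", "AsyncRoot"):
            ref = refs.get(err)
            if ref is None:
                findings.append(f"{lg.tag} has no AppenderRef to {err}")
            elif (ref.get("level") or "").upper() != "ERROR":
                findings.append(f"{lg.tag} AppenderRef {err} is not limited to ERROR")
        elif main in refs and (lg.get("additivity") or "").lower() == "false":
            # Non-additive loggers do not pass events up to the root logger,
            # so the error appender attached there never receives them.
            findings.append(f"logger {lg.get('name')} still has additivity=\"false\"")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no findings"]:
        print(line)
```

To check a real file, pass its contents to audit() on each node; any finding means errors from that part of the configuration will not reach server.error.log.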