PingAuthorize Server Documentation Index
Configuration Reference Home

File Based Trace Log Publisher

File Based Trace Log Publishers are used for tracing the processing of HTTP requests within the PingAuthorize Server. Messages are published to the file system.

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The File Based Trace Log Publisher component inherits from the Writer Based Trace Log Publisher

Relations from This Component

The following components have a direct aggregation relation from File Based Trace Log Publishers:

Properties

The properties supported by this managed object are as follows:


General Configuration Basic Properties: Advanced Properties:
↓ description  None
↓ enabled
↓ logging-error-behavior
Log File Management Basic Properties: Advanced Properties:
↓ log-file ↓ compression-mechanism
↓ log-file-permissions
↓ rotation-policy
↓ rotation-listener
↓ retention-policy
↓ sign-log
↓ encrypt-log
↓ encryption-settings-definition-id
↓ append
Log Messages To Include Basic Properties: Advanced Properties:
↓ debug-message-type  None
↓ http-message-type
↓ access-token-validator-message-type
↓ id-token-validator-message-type
↓ pdp-message-type
↓ policy-message-type
↓ scim-message-type
↓ open-banking-message-type
↓ gateway-message-type
↓ directory-rest-api-message-type
↓ sideband-message-type
↓ pdp-api-message-type
↓ extension-message-type
↓ include-path-pattern
↓ exclude-path-pattern
Other Configuration Basic Properties: Advanced Properties:
 None ↓ asynchronous
↓ queue-size
↓ max-string-length
↓ buffer-size
↓ time-interval

Basic Properties

description

Property Group
General Configuration
Description
A description for this Log Publisher
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Property Group
General Configuration
Description
Indicates whether the Log Publisher is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

logging-error-behavior

Property Group
General Configuration
Description
Specifies the behavior that the server should exhibit if an error occurs during logging processing.
Default Value
standard-error
Allowed Values
standard-error - Write a message to standard error in the event of a logging failure.

lockdown-mode - Place the server in lockdown mode in the event of a logging failure.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

log-file

Property Group
Log File Management
Description
The file name to use for the log files generated by the File Based Trace Log Publisher. The path to the file can be specified either as relative to the server root or as an absolute path.
Default Value
None
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
The File Based Trace Log Publisher must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

log-file-permissions

Property Group
Log File Management
Description
The UNIX permissions of the log files created by this File Based Trace Log Publisher.
Default Value
600
Allowed Values
A valid UNIX mode string. The mode string must contain three digits between zero and seven.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

rotation-policy

Property Group
Log File Management
Description
The rotation policy to use for the File Based Trace Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.
Default Value
No rotation policy is used and log rotation will not occur.
Allowed Values
The DN of any Log Rotation Policy.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

rotation-listener

Property Group
Log File Management
Description
A listener that should be notified whenever a log file is rotated out of service.
Default Value
None
Allowed Values
The DN of any Log File Rotation Listener. If this File Based Trace Log Publisher is enabled, then the associated log file rotation listener must also be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

retention-policy

Property Group
Log File Management
Description
The retention policy to use for the File Based Trace Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.
Default Value
No retention policy is used and log files are never cleaned.
Allowed Values
The DN of any Log Retention Policy.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

sign-log

Property Group
Log File Management
Description
Indicates whether the log should be cryptographically signed so that the log content cannot be altered in an undetectable manner. Log file signatures can be validated using the validate-file-signature tool provided with the server.
Note that when enabling signing for a logger that already exists and was enabled without signing, the first log file will not be completely verifiable because it will still contain unsigned content from before signing was enabled. Only log files whose entire content was written with signing enabled will be considered completely valid.
For the same reason, if a log file is still open for writing, then signature validation will not indicate that the log is completely valid because the log will not include the necessary "end signed content" indicator at the end of the file.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
The File Based Trace Log Publisher must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

encrypt-log (Read-Only)

Property Group
Log File Management
Description
Indicates whether log files should be encrypted so that their content is not available to unauthorized users. If this property is configured with a value of true, then log data will be encrypted using a key generated from an encryption settings definition. If the encryption-settings-definition-id property has a value, then the specified encryption settings definition will be used; otherwise, the server's preferred encryption settings definition will be used. For best compatibility, you should use an encryption settings definition that was created from a user-supplied passphrase, so that passphrase can be used to decrypt its content.
If this property is configured with a value of false, then log data will not be encrypted.
Encrypted log files can be decrypted on the command line with the encrypt-file tool (using the --decrypt argument). Encrypted log files can be accessed programmatically using the com.unboundid.util.PassphraseEncryptedInputStream class in the UnboundID LDAP SDK for Java.
If a log file is to be encrypted, then you will also likely want to enable compression (by giving the compression-mechanism property a value of 'gzip'). This will reduce the amount of data that needs to be encrypted, and will also dramatically reduce the size of the log files that are generated.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
The File Based Trace Log Publisher must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

encryption-settings-definition-id

Property Group
Log File Management
Description
Specifies the ID of the encryption settings definition that should be used to encrypt the data. If this is not provided, the server's preferred encryption settings definition will be used. The "encryption-settings list" command can be used to obtain a list of the encryption settings definitions available in the server.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

append

Property Group
Log File Management
Description
Specifies whether to append to existing log files.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

debug-message-type

Property Group
Log Messages To Include
Description
Specifies the debug message types which can be logged. Note that enabling these may result in sensitive information being logged.
Default Value
No debug messages are logged.
Allowed Values
http-full-request-and-response - The full HTTP request and response for an inbound request to the PingAuthorize Server.

ldap-external-server-request - The LDAP request and response for an outbound request performed through an LDAP External Server.

server-sdk-extension - The messages logged by Server SDK extensions.

store-adapter-mapping - Detailed tracing of attributes before and after they are mapped from SCIM to a store adapter and vice-versa.

store-adapter-processing - Detailed tracing of operations processed by store adapters.

access-token-validator-request-and-response - The full HTTP request and response of an outbound request initiated by an access token validator to an authorization server.

access-token-validator-processing - Detailed information about access token processing.

id-token-validator-request-and-response - The full HTTP request and response of an outbound request initiated by an ID token validator to an OpenID Connect provider.

id-token-validator-processing - Detailed information about ID token processing.

consent-service-request-and-response - The full HTTP request and response of an outbound request to a consent service external server.

gateway-request-and-response - The full HTTP request and response of an outbound request from the PingAuthorize Server to an API server.

policy-request-and-response - The full HTTP request and response of an outbound request to a policy external server.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

http-message-type

Property Group
Log Messages To Include
Description
Specifies the HTTP message types which can be logged.
Default Value
No HTTP messages are logged.
Allowed Values
request - The HTTP request summary.

response - The HTTP response summary.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

access-token-validator-message-type

Property Group
Log Messages To Include
Description
Specifies the access token validator message types that can be logged.
Default Value
No access token validator messages are logged.
Allowed Values
subject-lookup - Access token subject lookup events.

external-server-request - Summary information about an outbound HTTP request made by an access token validator.

external-server-response - Summary information about the response to an outbound HTTP request made by an access token validator.

validation - Access token validation events.

error - Potentially fatal errors in access token validator processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

id-token-validator-message-type

Property Group
Log Messages To Include
Description
Specifies the ID token validator message types that can be logged.
Default Value
No ID token validator messages are logged.
Allowed Values
external-server-request - Summary information about an outbound HTTP request made by an ID token validator.

external-server-response - Summary information about the response to an outbound HTTP request made by an ID token validator.

validation - ID token validation events.

warning - Warnings about ID token validator processing.

error - Potentially fatal errors in ID token validator processing.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

pdp-message-type

Property Group
Log Messages To Include
Description
Specifies the Policy Decision Point (PDP) message types that can be logged.
Default Value
No PDP messages are logged.
Allowed Values
started - PDP started.

stopped - PDP stopped.

info - Informational messages about embedded PDP processing.

warning - Warning messages about embedded PDP processing.

error - PDP error messages, typically concerning initialization or finalization.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

policy-message-type

Property Group
Log Messages To Include
Description
Specifies the policy message types which can be logged.
Default Value
No policy messages are logged.
Allowed Values
request - The policy decision request.

impacted-attributes - The server calculated impactedAttributes for the request.

result - The policy decision result.

advice - Post-policy decision advice processing.

advice-skipped - Advice returned from PDP but not processed.

advice-error - Advice processing error.

request-skipped - A policy request was skipped due to server configuration.

exception - Policy processing exception.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

scim-message-type

Property Group
Log Messages To Include
Description
Specifies the SCIM message types which can be logged.
Default Value
No SCIM messages are logged.
Allowed Values
request - Information about SCIM requests received from clients.

result - Information about the results of SCIM requests received from clients.

internal-request - Information about SCIM requests that initiated internally (for example, operations initiated during processing of a client request).

internal-result - Information about the results of SCIM requests that initiated internally (for example, operations initiated by plugins).

error - SCIM errors caused by exceptions.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

open-banking-message-type

Property Group
Log Messages To Include
Description
Specifies the Open Banking message types which can be logged.
Default Value
No Open Banking messages are logged.
Allowed Values
account-request-created - Account Request created.

account-request-retrieved - Account Request retrieved.

account-request-updated - Account Request updated.

account-request-deleted - Account Request deleted.

error - Open Banking error.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

gateway-message-type

Property Group
Log Messages To Include
Description
Specifies the Gateway HTTP message types which can be logged.
Default Value
No Gateway HTTP messages are logged.
Allowed Values
api-endpoint-selected - Information about the API Endpoint selected to handle a request.

request - The Gateway-to-API server HTTP request summary.

response - The API server-to-Gateway HTTP response summary.

error - Gateway error.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

directory-rest-api-message-type

Property Group
Log Messages To Include
Description
Specifies the Directory REST API message types which can be logged.
Default Value
No Directory REST API messages are logged.
Allowed Values
error - Directory REST API errors caused by exceptions.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

sideband-message-type

Property Group
Log Messages To Include
Description
Specifies the Sideband API message types which can be logged.
Default Value
No Sideband API messages are logged.
Allowed Values
request-received - The Request Gateway-to-Sideband HTTP request summary.

request-result - The Request Sideband-to-Gateway HTTP response summary.

response-received - The Response Gateway-to-Sideband HTTP request summary.

response-result - The Response Sideband-to-Gateway HTTP response summary.

api-endpoint-selected - Information about the Sideband API selecting the API Endpoint used to handle a sideband request.

error - Information about errors that occur while processing a Sideband API request.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

pdp-api-message-type

Property Group
Log Messages To Include
Description
Specifies the PDP API message types that can be logged.
Default Value
No PDP API messages are logged.
Allowed Values
error - Information about errors that occur while processing a PDP API request.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

extension-message-type

Property Group
Log Messages To Include
Description
Specifies the Server SDK extension message types that can be logged.
Default Value
No Server SDK extension messages are logged.
Allowed Values
error - An error logged by a Server SDK extension.

warning - A warning logged by a Server SDK extension.

notice - A notice message logged by a Server SDK extension.

info - An informational message logged by a Server SDK extension.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

include-path-pattern

Property Group
Log Messages To Include
Description
Specifies a set of HTTP request URL paths to determine whether log messages are included for a HTTP request. Log messages are included for a HTTP request if the request path does not match any exclude-path-pattern, and the request path does match an include-path-pattern (or no include-path-pattern is specified). Paths are matched using the following rules:
  • '?' matches one character within a path segment
  • '*' matches zero or more characters within a path segment (i.e. does not match the '/' separator)
  • '/**/' matches zero or more segments in a path (segments are separated by '/')

Some pattern examples:

  • /example/t?st - matches /example/test but also /example/tast or /example/txst
  • /example/*.png - matches all .png files directly under /example (does not match /example/path1/test.png)
  • /example/**/test.png - matches all test.png files whose path starts with /example
  • /scim/v2/Users/** - matches the path to any SCIM resource whose resource type endpoint is Users
  • /example/path1/**/*.png - matches all .png files whose path starts with /example/path1
  • /example/**/servlet/bla - matches /example/path1/servlet/bla but also /example/path1/testing/servlet/bla and /example/servlet/bla

Default Value
All request paths are included except any specified in exclude-path-pattern.
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

exclude-path-pattern

Property Group
Log Messages To Include
Description
Specifies a set of HTTP request URL paths to determine whether log messages are excluded for a HTTP request. Log messages are included for a HTTP request if the request path does not match any exclude-path-pattern, and the request path does match an include-path-pattern (or no include-path-pattern is specified). Paths are matched using the following rules:
  • '?' matches one character within a path segment
  • '*' matches zero or more characters within a path segment (i.e. does not match the '/' separator)
  • '/**/' matches zero or more segments in a path (segments are separated by '/')

Some pattern examples:

  • /example/t?st - matches /example/test but also /example/tast or /example/txst
  • /example/*.png - matches all .png files directly under /example (does not match /example/path1/test.png)
  • /example/**/test.png - matches all test.png files whose path starts with /example
  • /scim/v2/Users/** - matches the path to any SCIM resource whose resource type endpoint is Users
  • /example/path1/**/*.png - matches all .png files whose path starts with /example/path1
  • /example/**/servlet/bla - matches /example/path1/servlet/bla but also /example/path1/testing/servlet/bla and /example/servlet/bla

Default Value
No request paths are explicitly excluded.
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

compression-mechanism (Advanced Property, Read-Only)

Property Group
Log File Management
Description
Specifies the type of compression (if any) to use for log files that are written. Note that this setting cannot be changed once the logger has been created, because of the possibility of mixing compressed and uncompressed data in the same file. Further, because it is difficult to append to a compressed file, any existing active log file will automatically be rotated when the server is started.
If compressed logging is used, it may also be desirable to have another logger enabled that does not use compression. The rotation and retention policies for the uncompressed logger can be configured to minimize the amount of space it consumes, but having ready access to information about recent operations in uncompressed form may be convenient for debugging purposes. Alternately, you could consider having the uncompressed logger defined but not enabled so that it can be turned on as needed for debugging such problems.
Default Value
none
Allowed Values
none - No compression will be performed.

gzip - Compress file data using gzip with the default compression level. If this compression level is specified, then files will automatically be given a ".gz" extension.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

asynchronous (Advanced Property)

Property Group
Other Configuration
Description
Indicates whether the Writer Based Trace Log Publisher will publish records asynchronously.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

queue-size (Advanced Property)

Property Group
Other Configuration
Description
The maximum number of log records that can be stored in the asynchronous queue. The server will continuously flush messages from the queue to the log. That is, it does not wait for the queue to fill up before flushing to the log. Lowering this value can impact performance.
Default Value
10000
Allowed Values
An integer value. Lower limit is 1000. Upper limit is 100000 .
Multi-Valued
No
Required
No
Admin Action Required
The Writer Based Trace Log Publisher must be restarted if this property is changed and the asynchronous property is set to true.

max-string-length (Advanced Property)

Property Group
Other Configuration
Description
Specifies the maximum number of characters that may be included in any string in a log message before that string is truncated and replaced with a placeholder indicating the number of characters that were omitted. This can help prevent extremely long log messages from being written. A value of zero indicates that no limit will be imposed.
Default Value
50000
Allowed Values
An integer value. Lower limit is 0.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

buffer-size (Advanced Property)

Property Group
Other Configuration
Description
Specifies the log file buffer size.
Default Value
64kb
Allowed Values
A positive integer representing a size. Lower limit is 1.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

time-interval (Advanced Property)

Property Group
Other Configuration
Description
Specifies the interval at which to check whether the log files need to be rotated.
Default Value
5s
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Log Publishers:

dsconfig list-log-publishers
     [--property {propertyName}] ...

To view the configuration for an existing Log Publisher:

dsconfig get-log-publisher-prop
     --publisher-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Log Publisher:

dsconfig set-log-publisher-prop
     --publisher-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new File Based Trace Log Publisher:

dsconfig create-log-publisher
     --publisher-name {name}
     --type {type}
     --set enabled:{propertyValue}
     --set log-file:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Log Publisher:

dsconfig delete-log-publisher
     --publisher-name {name}