Logging in Safewhere Identify

Introduction

Safewhere Identify supports extensive logging for monitoring, reporting and debugging needs. You can find all settings related to logging on the Logging page:

[Screenshot: Logging menu]

Types of logs

System log (SYS): Contains all warnings, errors and debug logs. As the examples below show, all the newer log types carry richer information than the legacy audit log.
Audit log (no abbreviation): Stored in the IdentifyAudit SQL database. Identify has supported this log type for many versions. It includes:
  • All changes made to Identify’s data models, e.g. User, Connection.
  • Content of SAML 2.0 and WSFed messages (aka user requests).
  • Token issuances.
Security log (SEC): Contains data about:
  • SAML 2.0 messages.
  • Validation results for the certificates used by those messages.
  • Security log for other plugins will be supported in 5.1.
  A plus point of the security log is that SAML 2.0 messages are logged in plain text even when the original messages are encrypted.
Billing log (BILL): Collects the information needed to settle billing requirements, such as where a request comes from, where it is sent to, its size, and the time used to process it.
Revision log (REV): Collects information about how the system is used:
  • When the REST API is called.
  • Create/Update/Delete of resources via the Admin UI.
  • User requests.


Logging settings in Safewhere Identify

You can find all the settings related to logging on the Logging page.

Log targets

Log targets specify where log data is written to. Supported options are Text file, Windows event log, Serilog sinks (either to the Audit database by default, which can be SQL database, MongoDB, or CosmosDB, or a custom sink), and Application Insights.

The default folder for logging when Text file is used is C:\Program Files\Safewhere\Identify\Tenants\your_tenant\Logs. You can change the log folder by editing it in the web.config files.

Log retention

When you choose to store logs in SQL database, the log retention settings specify how long you want to keep logs and at what time of a day that a background job can run to clean up old data. When you choose to store logs in Application Insights or MongoDB/CosmosDB, those storage technologies are responsible for handling log retention.

[Screenshot: Log retention]

Log levels

  • Log Level - Runtime: specifies the system log level for Identify Runtime. Supported values are Verbose, Information, Error or Off. Recommended setting for production: Information. When you do not need this log type, use Error.
  • Log Level - Admin: specifies the system log level for Identify Admin. Supported values are Verbose, Information, Error or Off. Recommended setting for production: Information. When you do not need this log type, use Error.

Enable logging features

The Logging features section lets you control which log types Identify writes:

  • Audit: controls whether Identify writes the legacy audit log. Recommended setting for production: checked, when your installation requires that audit data be added to the SQL database.
  • Security: controls whether Identify writes the security log. Recommended setting for production: checked.
  • Billing: controls whether Identify writes the billing log. Recommended setting for production: unchecked. The billing log is mostly useful for performance monitoring.
  • Revision: controls whether Identify writes the revision log. Recommended setting for production: checked.
  • Analysis: controls whether Identify writes the analysis log. Recommended setting for production: unchecked.

[Screenshot: Logging features]

Log event filtering

Even when you enable all log types, you may not be interested in every log event. For example, you may want to log the content of SAML assertions returned from an identity provider but not the content of AuthnRequest messages. In that case, use the Log event filtering feature to control which events are logged:

[Screenshot: Log event filtering]

User requests

You can select where to log User requests using the following options:

  • Log user requests to database store: check to write user request logs to the database. Recommended setting for production: depends on whether your installation needs this type of log and where you want it written.
  • Log user requests to Windows Event log: check to write user request logs to the Windows Security event log. Recommended setting for production: depends on whether your installation needs this type of log and where you want it written.
  • Log user requests to the "Log target" as specified in the setting below: check to write user request logs to the store specified by the Log Target setting below. Recommended setting for production: depends on whether your installation needs this type of log and where you want it written.

Service interfaces

The following settings control how logging and error response work for Identify's service interfaces:

  • Enable WCF tracing log - Runtime: check to enable WCF logging for Identify Runtime activities. Recommended setting for production: unchecked.
  • Enable WCF tracing log - Admin: check to enable WCF logging for Identify Admin activities. Recommended setting for production: unchecked.
  • Enable REST APIs verbose error to client side: check to include verbose error details in the message sent back to the REST client when an error occurs. Recommended setting for production: unchecked.
  • Enable IdentifySTS verbose error to client side: returns verbose error messages for unhandled errors, mostly errors that occur while Identify is verifying access tokens. Recommended setting for production: unchecked.

Log examples

Each log entry is in JSON format.

System log

Name          Description
Type          Log type, value must be SYS
RequestId     Unique ID dynamically generated for every event
BuildNumber   Build number of the running Identify instance
System        Value must be RUNTIME, ADMIN, or SERVICE
EventId       Unique ID of the log event (see Appendix A)
Timestamp     Time at which the event occurred
IPAddress     IP address of the machine that initiated the request
MachineName   Name of the machine that initiated the request
UserId        Unique ID of the user that produced the request
LogLevel      Severity level; eligible values are DEBUG, INFO, WARNING, ERROR
LogMessage    More detailed information about the event

Notice that, for every incoming web request, Identify logs an event with ID 8010 that contains the request's parameters:

Name                   Description
HttpRequestParameters  The HTTP request parameters, consisting of QueryString, Path, Method, and Forms parameters

Security log for SAML2

Name              Description
Type              Log type, value must be SEC
Component         Must be “Passive” for SAML2
Action            Saml2 plugin action
Source            The participant that sends a request to Identify
Destination       The Identify endpoint that receives the request
Other attributes  Similar to those of the SYS log

Billing log (BIL)

Name              Description
Type              Log type, value must be BIL
Status            Status of the request, e.g. 200 OK
ResponseTime      Time from when the request was received until the response was sent, in ms
ResponseSize      Size of the response in bytes
RequestSize       Size of the request in bytes
Operation         Name of the method or operation that was called
Other attributes  Similar to those of the SYS log

Revision log (REV)

Name              Description
Type              Log type, value must be REV
RevisionData      Includes claim issuances and changes made to Identify data entities
Other attributes  Similar to those of the SYS log
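Because every entry is one JSON object with the field names documented above, the log types can be consumed by a small script. The following Python script is an added example for this page, not Safewhere code, and assumes one JSON object per line (a common Serilog/text-file layout; whether a given Identify log target writes exactly that is not stated on this page). It validates the Type and LogLevel values against the tables above, then runs three defender-side checks using event IDs from Appendices A and B: SEC entries 5523/5531 (certificate or signature validation failed) joined by RequestId to the SYS 8010 entry so the request Method and Path are known; repeated failures of event 4514 (Username & Password authentication failed) from one IP address inside a time window; and BIL entries whose ResponseTime exceeds a threshold. The sample lines, hostnames, IP addresses, Action and Operation values are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Event IDs are taken from Appendix A (SYS) and Appendix B (SEC) of this page.
EVENT_HTTP_REQUEST = 8010                 # SYS entry that carries HttpRequestParameters
EVENT_CERT_VALIDATION_FAILED = 5523       # SEC, SAML 2.0 plugin
EVENT_SIGNATURE_VALIDATION_FAILED = 5531  # SEC, SAML 2.0 plugin
EVENT_USERNAME_PASSWORD_FAILED = 4514     # SEC, Username & Password plugin

VALID_TYPES = {"SYS", "SEC", "BIL", "REV"}
VALID_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR"}

# Constructed sample input, one JSON object per line. Field names follow the tables
# above; hostnames, IP addresses, Action and Operation values are invented.
SAMPLE_LOG = """\
{"Type":"SYS","RequestId":"r-001","BuildNumber":"0.0.0-sample","System":"RUNTIME","EventId":8010,"Timestamp":"2024-01-15T10:00:00Z","IPAddress":"10.0.0.5","MachineName":"IDP01","UserId":"","LogLevel":"INFO","LogMessage":"Incoming request","HttpRequestParameters":{"Method":"POST","Path":"/runtime/saml2auth/login.idp","QueryString":"","Forms":{"SAMLRequest":"[omitted]"}}}
{"Type":"SEC","RequestId":"r-001","Component":"Passive","Action":"ValidateSignature","EventId":5531,"Timestamp":"2024-01-15T10:00:01Z","IPAddress":"10.0.0.5","Source":"https://sp.example.test","Destination":"https://idp.example.test/runtime/saml2auth/login.idp","LogLevel":"ERROR","LogMessage":"Signature Validation Failed"}
{"Type":"SEC","RequestId":"r-002","Component":"Passive","Action":"ValidateCertificate","EventId":5522,"Timestamp":"2024-01-15T10:01:00Z","IPAddress":"10.0.0.7","Source":"https://sp2.example.test","Destination":"https://idp.example.test/runtime/saml2auth/login.idp","LogLevel":"INFO","LogMessage":"Certificate Validation Succeeded"}
{"Type":"SEC","RequestId":"r-003","EventId":4514,"Timestamp":"2024-01-15T10:02:00Z","IPAddress":"10.0.0.9","LogLevel":"WARNING","LogMessage":"Username Password Authentication Failed"}
{"Type":"SEC","RequestId":"r-004","EventId":4514,"Timestamp":"2024-01-15T10:02:05Z","IPAddress":"10.0.0.9","LogLevel":"WARNING","LogMessage":"Username Password Authentication Failed"}
{"Type":"SEC","RequestId":"r-005","EventId":4514,"Timestamp":"2024-01-15T10:02:09Z","IPAddress":"10.0.0.9","LogLevel":"WARNING","LogMessage":"Username Password Authentication Failed"}
{"Type":"SEC","RequestId":"r-006","EventId":4514,"Timestamp":"2024-01-15T10:03:00Z","IPAddress":"10.0.0.5","LogLevel":"WARNING","LogMessage":"Username Password Authentication Failed"}
{"Type":"BIL","RequestId":"r-007","EventId":7000,"Timestamp":"2024-01-15T10:04:00Z","IPAddress":"10.0.0.7","Status":"200 OK","ResponseTime":3500,"ResponseSize":4096,"RequestSize":1024,"Operation":"PassiveSignOn","LogLevel":"INFO","LogMessage":"Billing"}
{"Type":"BIL","RequestId":"r-008","EventId":7001,"Timestamp":"2024-01-15T10:05:00Z","IPAddress":"10.0.0.7","Status":"200 OK","ResponseTime":120,"ResponseSize":2048,"RequestSize":512,"Operation":"Issue","LogLevel":"INFO","LogMessage":"Billing"}
"""


def parse_line(line):
    """Decode one entry and check the two fields whose values the documentation fixes."""
    entry = json.loads(line)
    if entry.get("Type") not in VALID_TYPES:
        raise ValueError(f"unknown log type {entry.get('Type')!r}")
    if entry.get("LogLevel") not in VALID_LEVELS:
        raise ValueError(f"unknown log level {entry.get('LogLevel')!r}")
    # Parsed copy of Timestamp for time arithmetic; the raw string is left untouched.
    entry["ParsedTimestamp"] = datetime.fromisoformat(entry["Timestamp"].replace("Z", "+00:00"))
    return entry


def parse_log(text):
    """Parse every non-empty line; malformed entries are collected instead of aborting the run."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except (ValueError, KeyError) as exc:  # json.JSONDecodeError is a ValueError
            rejected.append((line, str(exc)))
    return entries, rejected


def validation_failures(entries):
    """SEC entries whose certificate or signature validation failed (IDs 5523 and 5531)."""
    wanted = {EVENT_CERT_VALIDATION_FAILED, EVENT_SIGNATURE_VALIDATION_FAILED}
    return [e for e in entries if e["Type"] == "SEC" and e.get("EventId") in wanted]


def correlate_with_request(entries, failures):
    """Join each failure to the SYS 8010 entry with the same RequestId to recover Method and Path."""
    requests = {e["RequestId"]: e.get("HttpRequestParameters", {})
                for e in entries if e["Type"] == "SYS" and e.get("EventId") == EVENT_HTTP_REQUEST}
    rows = []
    for f in failures:
        params = requests.get(f["RequestId"], {})
        rows.append((f["RequestId"], f["EventId"], f.get("Source"), params.get("Method"), params.get("Path")))
    return rows


def password_failures_by_ip(entries, threshold=3, window_seconds=300):
    """IP addresses with at least `threshold` failed Username & Password logins (ID 4514) inside `window_seconds`."""
    stamps_by_ip = defaultdict(list)
    for e in entries:
        if e["Type"] == "SEC" and e.get("EventId") == EVENT_USERNAME_PASSWORD_FAILED:
            stamps_by_ip[e["IPAddress"]].append(e["ParsedTimestamp"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):  # sliding window over sorted timestamps
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged


def slow_operations(entries, max_ms=2000):
    """BIL entries whose ResponseTime (milliseconds) exceeds max_ms, as (Operation, ResponseTime)."""
    return [(e["Operation"], e["ResponseTime"]) for e in entries
            if e["Type"] == "BIL" and e["ResponseTime"] > max_ms]


if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries, rejected {len(rejected)}")
    for row in correlate_with_request(entries, validation_failures(entries)):
        print("validation failure:", row)
    print("repeated password failures:", password_failures_by_ip(entries))
    print("slow operations:", slow_operations(entries))
```

Malformed lines are returned separately rather than raised so one bad line does not stop the scan of a large file. Because the security log stores SAML 2.0 messages in plain text, the report rows deliberately carry only RequestId, EventId, Source and the request path, not message content, so they can be forwarded to a less privileged monitoring channel than the log store itself.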


Appendix A: List of Event IDs for System log (SYS)

ID Description
97 Web service communication error
98 Authentication connection not found in session error
99 Common logout error
100 Common runtime error
101 Connection resolution error
102 License error
103 Malformed request error
104 Path resolution error
105 Web service error
106 Audit user request error
107 Sending email error
108 Security error
110 Not supported exception
111 Configuration error
120 Text resource error
130 Database error
140 External claim transformation error
141 SQL claim transformation error
142 Regular expression condition parsing error
143 Invalid operation claim transformation error
145 Scripting claim transformation compilation error
146 Excluded pass through claim transformation error
147 Common claim transformation runtime log
1440 User account update claim transformation - Invalid claim value added error
1441 User account update claim transformation - Invalid bearing claim value added error
1442 User account update claim transformation - Invalid email claim value added error
1443 User account update claim transformation - Invalid update option error
150 Home Realm Discovery rules - Whr parameter error
151 Home Realm Discovery rules - Common domain cookie error
152 Home Realm Discovery rules - Common error
153 Home Realm Discovery rules - IP based error
154 Home Realm Discovery rules - Read cookie error
160 Authentication Session expired
300 Certificate error
301 Certificate revocation check error
999 Supplemental Data
3011 Saml2 authentication request validation error
3012 Saml2 authentication response validation error
3013 Saml2 faulty response sent
3014 Saml2 sign on error
3015 Saml2 Http message error
3016 Saml2 Relay State missing
3017 Saml2 artifact not exist or expired
3040 Saml2 unsuccessful logout response received error
3050 Saml2 service invalid protocol connection error
3051 Saml2 service invalid Uid attribute error
3052 Saml2 service invalid configuration error
3053 Saml2 service invalid request error
3054 Saml2 service data response error
3112 WS Federation security token validation error
3114 WS Federation faulty state
3115 WS Federation Protocol error
3116 WS Federation Wctx missing
3310 NemId - Common log on error
3312 NemId - Signature error
3314 NemId - Validation error
3712 Facebook - Response error
3716 Facebook - State code missing
3812 Twitter - Response error
3816 Twitter - State code missing
3912 Google - Response error
3916 Google - State code missing
4011 Device Based - Connection not found error
4112 LinkedIn - Response error
4116 LinkedIn - State code missing
4212 OpenId - Response error
4216 OpenId - State code missing
4312 LiveId - Response error
4316 LiveId - State code missing
4410 OTP - Common error
4511 UserName & Password - Update password error
4512 UserName & Password - Authentication session exist error
4712 Ldap Authentication - Session exist error
4717 Ldap reset password failed
4810 Generic Provider - CommonError
4811 Generic Provider - Could not load external provider error
4812 Generic Provider - Unhandled exception from external provider error
4813 Generic Provider - Name claim is empty or cannot be parsed
4910 OAuth2 - Invalid authorization request
4911 OAuth2 - Invalid access token request
4912 OAuth2 - Invalid user information request
4913 OAuth2 - Invalid logout request
5001 STS - Configuration loading error
5003 STS - Invalid wstrust protocol connection found error
5004 STS - Client certificate validation failed error
5005 STS - Username credential validation failed error
5020 STS - Log information event
5050 STS - Unknown error
5100 REST - Service common error
5102 REST - Invalid request
5120 Spml common error
5200 Yubico Authentication - Common error
5201 Yubico Authentication - Response error
6000 OpenId Protocol - Invalid authentication request
6001 OpenId Protocol - Valid requested attribute not found
8000 System common error
9999 Debug event log
9000 Warning event log

Appendix B: List of Event IDs for Saml2/ WSFed/ U&P/ NemID/ OTP/ Facebook/ Google/ Twitter/ LinkedIn/ Device-Based/ LiveId/ Ldap/ Yubico/ Generic Provider/ STS plugins (SEC)

ID Description
SAML 2.0 plugin
5501 Artifact Message
5502 Artifact Resolve Message
5505 Artifact Response Message
5508 Authentication Request Message
5510 Logout Request Message
5511 Plain Text Assertion
5511 Logout Response Message
5516 Response Message
5521 Passive Response Sent To Service Provider
5522 Certificate Validation Succeeded
5523 Certificate Validation Failed
5530 Signature Validation Succeeded
5531 Signature Validation Failed
5532 Resolve Certificate Succeeded
5533 Resolve Certificate Failed
5540 Error Empty Response
WSFed plugin
3112 WSFederation Security Token Validation Error
3117 Sign In Request Message
3118 Sign In Response Message
3119 Sign Out Clean up Request Message
3120 Sign Out Request Message
Username & Password plugin
4513 Username Password Authentication Success
4514 Username Password Authentication Failed
NemID plugin
3315 NemId Common Log On Error
3316 NemId Authentication Succeed
3317 NemId Signature Error
3318 NemId Validation Error
OTP plugin
4412 Otp Code Generated
4413 Otp Code Authentication Success
4414 Otp Code Authentication Failed
OAuth 2.0 plugin
4910 OAuth2 Invalid Authorization Request
4911 OAuth2 Invalid Access Token Request
4912 OpenId Connect Invalid User Info Request
4913 OAuth2 Invalid Logout Request
4914 OAuth2 Authorization Request
4915 OAuth2 Authorization Response
4916 OAuth2 Token Request
4917 OAuth2 Token Response
4918 OpenId Connect Token Request
4919 OpenId Connect Token Response
4920 OpenId Connect User Info Request
4921 OpenId Connect User Info Response
4922 OAuth2 Invalid Device Authorization Request
4923 OAuth2 Device Authorization Request
4924 OAuth2 Device Authorization Response
4925 OAuth2 Valid Logout Request
OAuth Provider (Facebook, Google, Twitter, LinkedIn, LiveId and Generic OAuth Provider plugins)
4111 OAuth2 Response Error
4113 OAuth2 Response Message
4114 OAuth2 Request Message
4115 OAuth2 Access Token Request Message
4118 OAuth2 State Code Missing
4117 OAuth2 Access Token Response Message
Device-Based plugin
4013 User Device Cookie Validation Succeeded
4014 User Device Cookie Validation Failed
Ldap plugin
4713 Ldap Authentication Succeeded
4714 Ldap Authentication Failed
4716 Ldap Reset Password Succeeded
4718 Ldap Reset Password Failed
Yubico plugin
5205 Yubico Response Succeeded
5206 Yubico Response Failed
5203 Yubico Request Message
5204 Yubico Response Message
Generic Provider plugin
4814 Generic Provider Authentication Succeeded
4815 Generic Provider Authentication Failed
STS
5600 Client certificate validation succeeded on STS
5601 Client certificate validation failed on STS, e.g. expired client certificate
5602 The SOAP request message is signed correctly
5603 The SOAP request message failed validation (not logged yet due to a technical issue)
5604 The RST received from the user system
5605 The RSTR sent to the user system
5606 The request with credentials was successfully authenticated
5607 Invalid credentials
5608 Authentication for the ActAs user passed
5609 Authentication for the ActAs user failed (the reason is also included)
5610 Authorization for the ActAs user passed
5611 Authorization for the ActAs user failed (the reason is also included)

Appendix C: List of Event IDs for Billing log (BIL)

ID Description
7000 Billing log for passive flow
7001 Billing log for STS flow
7003 Billing log for provisioning data (REST API)

Appendix D: List of Event IDs for Revision log (REV)

ID Description
20028 Revision log for create/delete/update of resources and for user requests, whether done via the UI or the REST API.