Logging in Safewhere Identify

Introduction

Safewhere Identify supports extensive logging for monitoring, reporting and debugging needs. You can find all settings related to logging on the Logging page:

Logging menu

Types of logs

Name Abbreviation Description
System log SYS Contains all warnings, errors and debug logs. As you can see in examples below, all the new log types have richer information than the legacy audit log.
Audit log N/A Audit log is stored in the IdentifyAudit SQL database. Identify has supported this log type for many versions. This log type includes:
- All changes made to Identify’s data models, e.g. User, Connection.
- Content of SAML 2.0 and WSFed messages (aka user requests).
- Token issuances.
Security log SEC Security log contains data about:
- SAML 2.0 messages.
- Validation results for certificates which are used by those messages.
- We will support security log for other plugins in 5.1. A plus point of security log is that SAML 2.0 messages are logged in plain text even if original messages are encrypted.
Billing log BILL Collects information relevant to settle billing requirements such as where a request comes from, where it is sent to, its size, and time used to process it.
Revision log REV Collects information about how the system is used:
- When REST API is called.
- Create/Update/Delete resources via Admin UI
- User requests

Logging settings in Safewhere Identify

You can find all the settings related to logging on the Logging page.

Log targets

Log targets specify where log data is written to. Supported options are Text file, Windows event log, Serilog sinks (either to the Audit database by default, which can be SQL database, MongoDB, or CosmosDB, or a custom sink), Application Insights and Message bus.

The default folder for logging when Text file is used is C:\Program Files\Safewhere\Identify\Tenants\your_tenant\Logs. You can change the log folder by editing it in the web.config files.

Log retention

When you choose to store logs in SQL database, the log retention settings specify how long you want to keep logs and at what time of a day that a background job can run to clean up old data. When you choose to store logs in Application Insights or MongoDB/CosmosDB, those storage technologies are responsible for handling log retention.

Log retention

Log levels

  • Log Level - Runtime: specify the level of system log for Identify Runtime. Supported value are Verbose, Information, Error or Off. Recommended setting for production: Information. When you do not need this log type, Error should be used.
  • Log Level - Admin: specify the level of system log for Identify Admin. Supported value are Verbose, Information, Error or Off. Recommended setting for production: Information. When you do not need this log type, Error should be used.

Enable logging features

The Logging features section allows you to control what log types that Identify needs to log:

  • Audit: control whether Identify should do legacy audit log. Recommended setting for production: checked, when your installation requires that audit data must be added to the SQL database.
  • Security: control whether Identify should do security log. Recommended setting for production: checked.
  • Billing: control whether Identify should do billing log. Recommended setting for production: unchecked. Billing log is mostly useful for performance monitoring.
  • Revision: control whether Identify should do revision log. Recommended setting for production: checked.
  • Analysis: control whether Identify should do analysis log. Recommended setting for production: unchecked.

Logging features

Log event filtering

Even when you enable all log types, you may not be interested in all log events. For example, you may want to log content of SAML assertions returned from an identity providers but you do not need to log content of AuthnRequest. In that case, you can use the Log event filtering feature to control what events to log:

log event filtering

User requests

You can select where to log User requests using the following options:

  • Log user requests to database store: check to enable user requests logs written to database. Recommended setting for production: it depends on whether your installation needs this type of log and where you want to log to.
  • Log user requests to Windows Event log: check to enable user requests logs written to Windows Security event. Recommended setting for production: it depends on whether your installation needs this type of log and where you want to log to.
  • Log user requests to the "Log target" as specified in the setting below: check to enable user requests logs written to store which is specified by the Log Target setting below. Recommended setting for production: it depends on whether your installation needs this type of log and where you want to log to.

Service interfaces

The following settings control how logging and error response work for Identify's service interfaces:

  • Enable WCF tracing log - Runtime: check to enable WCF logging for Identify Runtime activities. Recommended setting for production: unchecked
  • Enable WCF tracing log - Admin: check to enable WCF logging for Identify Admin activities. Recommended setting for production: unchecked
  • Enable REST APIs verbose error to client side: check to enable including verbose error in message sent back to REST client in case error occurs. Recommended setting for production: unchecked
  • Enable Identify*STS verbose error to client side: returns verbose error messages for unhandled errors, mostly errors happening when Identify is verifying access tokens. Recommended setting for production: unchecked

Log examples

Each log entry is in json format.

System log

{
    "Type": "SYS",
    "RequestId": "7ade7586-a490-4fba-ae92-071cad868b26",
    "BuildNumber": "1.0.0.0",
    "System": "RUNTIME",
    "Component": "Passive",
    "EventId": "9900",
    "LogId": "aedd791f-99f1-4991-93bf-c77ba96e1b88",
    "Timestamp": "10/20/2021 10:25:37 AM",
    "IPAddress": "127.0.0.1",
    "MachineName": "DEVBOX",
    "UserId": "00000000-0000-0000-0000-000000000000",
    "LogLevel": "INFO",
    "LogMessage": "The authorization response was successfully returned to https://contextid.safewhere.local/adminv2/signin-oidc using the form post response mode."
}
Name Description
Type Log type, value must be SYS
RequestId Unique ID dynamically generated for every event
BuildNumber Build number of the running Identify instance
System Value must be RUNTIME, ADMIN, or SERVICE
EventId Every log event has a unique event id.
Timestamp Time event occurs
IPAddress IP of the machine initiates the request
MachineName Name of the machine initiates the request
UserId Unique ID of the user that produced the request
LogLevel Severity level, eligible values are DEBUG, INFO, WARNING, ERROR
LogMessage More detail information about the event

Notice that, for every incoming web request, Identify logs an event with ID 8010 that contains request's parameters.

{
    "Type": "SYS",
    "RequestId": "0bda0dd6-1bd6-48e4-a2c5-e37cb9c4ffb6",
    "BuildNumber": "1.0.0.0",
    "System": "RUNTIME",
    "EventId": "8010",
    "LogId": "c1b6dfc5-1f8a-412d-b47c-f6db91bf59d6",
    "Timestamp": "10/20/2021 10:24:00 AM",
    "IPAddress": "127.0.0.1",
    "MachineName": "DEVBOX",
    "UserId": "00000000-0000-0000-0000-000000000000",
    "LogLevel": "INFO",
    "HttpRequestParameters": {
        "QueryString": {
            "ici_ci": "CfDJ8DKO30I_...",
            "authNConnectionId": "d8f18c3b-e14a-4e34-957e-ee8f3125bf13",
            "remember": "unspecified"
        },
        "Path": "/runtime/saml2auth/signon.idp",
        "Referrer": "https://something.safewhere.local/runtime/saml2/issue.idp?SAMLRequest=...",
        "Method": "GET"
    }
}
Name Description
HttpRequestParameters The HTTP request parameters, consist of QueryString, Path, Method, and Forms parameters

Security log (SEC)

SAML Request Message Received from Service Provider

{
	"Type": "SEC",
	"RequestId": "4d50e003-a55f-49e5-ae87-e68f2fab1691",
	"BuildNumber": "5.18.0.1",
	"System": "RUNTIME",
	"Component": "Passive",
	"EventId": "5518",
	"LogId": "ddd0657b-d041-4ff2-afb0-933773b54f45",
	"Timestamp": "10/9/2024 7:44:15 AM",
	"IPAddress": "127.0.0.1",
	"MachineName": "WebServerHostName",
	"UserId": "(unknown)",
	"LogLevel": "INFO",
	"Action": "",
    "Source": "https://example-saml2.safewhere.local/",
    "Destination": "https://example.safewhere.local/runtime/saml2/issue.idp",
	"LogMessage": {
        "SAMLRequest": "lZJRa4MwFIX/Ssh7NYkWM...mJZv1f1DQ==",
        "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "Signature": "OWZ19p0JA2FkUD2gy0ojs...t8tVdjFia",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    }
}
Name Description
Type Log type, value must be SEC
Component Must be Passive for SAML2
EventId Must be 5518
Source The participant that sends a request to Identify
Destination The Identify endpoint that receives a request
LogMessage Full AuthnRequest and the ProtocolBinding

SAML Request Message Sent to Upstream Identity Provider

{
	"Type": "SEC",
	"RequestId": "dd7f8e3c-9e87-43bd-979c-124211741ee1",
	"BuildNumber": "1.0.0.0",
	"System": "RUNTIME",
	"Component": "Passive",
	"EventId": "5518",
	"LogId": "aba7921d-ddce-42e1-9ae2-ecb0fdcddce8",
	"Timestamp": "10/9/2024 7:44:18 AM",
	"IPAddress": "127.0.0.1",
	"MachineName": "WebServerHostName",
	"UserId": "(unknown)",
	"LogLevel": "INFO",
	"Action": "",
	"Source": "https://example.safewhere.local/runtime/",
    "Destination": "https://adserver.adfs.safewhere.com/adfs/ls/",
    "LogMessage": "https://adserver.adfs.safewhere.com/adfs/ls/?SAMLRequest=nZJNS8Q...85PlVzQf&RelayState=25b8f9b39da4c008ac1cc38af30eafa7a33ac924bf8c8929ae7ee617d8db218b&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256&Signature=kkzJbzByi7XU38...9S2fVCfmaWyKSgg%3d%3d"
}
Name Description
Type Log type, value must be SEC
Component Must be Passive for SAML2
EventId Must be 5518
Source The current Identify EntityID
Destination The Upstream Identity Provider that receives the request from Identify
LogMessage Full request URI to the Upstream Identity Provider, including parameters such as SAMLRequest, RelayState, Signature, etc.

Billing log (BIL)

{
    "Type": "BIL",
    "RequestId": "658e347d-47a1-40b9-82b4-183487673bbd",
    "BuildNumber": "1.0.0.0",
    "System": "RUNTIME",
    "Component": "Passive",
    "EventId": "7000",
    "LogId": "e588344e-48bb-417f-a440-d34ddcb33948",
    "Timestamp": "10/20/2021 10:23:53 AM",
    "IPAddress": "127.0.0.1",
    "MachineName": "DEVBOX",
    "UserId": "00000000-0000-0000-0000-000000000000",
    "LogLevel": "INFO",
    "Status": "200 OK",
    "ResponseTime": 4234,
    "ResponseSize": 8327,
    "RequestSize": 913,
    "Operation": "/runtime/saml2/issue.idp"
}
Name Description
Type Log type, value must be BIL
Status Status of the request, ex: 200 OK
ResponseTime Time taken from request was received to response was sent, measured in ms
ResponseSize Size of the response in bytes
RequestSize Size of the request in bytes
Operation Name of the method or operation that was called
Other attributes Similar to those of the SYS log

Revision log (REV)

{
    "Type": "REV",
    "RequestId": "0a47ce44-27cc-4d65-ab2d-8eb67bbeaab2",
    "BuildNumber": "1.0.0.0",
    "System": "RUNTIME",
    "Component": "Passive",
    "EventId": "20028",
    "LogId": "dcba56f6-9b39-4e10-b861-db8f91c92131",
    "Timestamp": "11/2/2021 7:00:19 AM",
    "IPAddress": "127.0.0.1",
    "MachineName": "DEVBOX",
    "UserId": "00000000-0000-0000-0000-000000000000",
    "LogLevel": "INFO",
    "RevisionType": "IssueClaims",
    "RevisionData": {
        "LocalTimestamp": "2021-11-02T14:00:19.1141802+07:00",
        "Id": 6749,
        "EventType": "IssueClaims",
        "UtcTimestamp": "2021-11-02T07:00:19.1141802Z",
        "UserName": "Administrator",
        "ApplicationId": "https://contextid.safewhere.local/runtime/",
        "ContextId": "90c2b6f5ee0f1ba2387c3334a320871bf5a9fc1ea30e00b37749548fe4903ee7",
        "AuditClaimsIssuances": [{
                "Id": 4067,
                "AuditEventId": 6749,
                "AuthenticationConnectionId": "d8f18c3b-e14a-4e34-957e-ee8f3125bf13",
                "AuthenticationConnectionName": "ADFS SAML2",
                "ProtocolConnectionId": "880d4436-64d1-4f0f-9370-7f09be9a8686",
                "ProtocolConnectionName": "Saml2wif",
                "AuditIssuedClaims": [{
                        "Id": 4518,
                        "ClaimsIssuanceId": 4067,
                        "ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                        "Value": "Administrator",
                        "ValueType": "http://www.w3.org/2001/XMLSchema#string",
                        "Issuer": "http://adfs3.safewhere.local/adfs/services/trust",
                        "OriginalIssuer": "http://adfs3.safewhere.local/adfs/services/trust",
                        "_typeTag": "AuditIssuedClaim"
                    }, {
                        "Id": 4519,
                        "ClaimsIssuanceId": 4067,
                        "ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                        "Value": "Administrator@vm2016.local",
                        "ValueType": "http://www.w3.org/2001/XMLSchema#string",
                        "Issuer": "http://adfs3.safewhere.local/adfs/services/trust",
                        "OriginalIssuer": "http://adfs3.safewhere.local/adfs/services/trust",
                        "_typeTag": "AuditIssuedClaim"
                    }
                ],
                "_typeTag": "AuditClaimsIssuance"
            }
        ],
        "_typeTag": "AuditEvent"
    }
}
Name Description
Type Log type, value must be REV
RevisionData Includes claim issuances, changes made to Identify data entities
Other attributes Similar to those of the SYS log

Appendix A: List of Event IDs for System log (SYS)

ID Description
97 Web Service Communication Error
98 Authentication Connection Not Found In Session Error
99 Common Logout Error
100 Common Runtime Error
101 Connection Resolution Error
102 License Error
103 Malformed Request Error
104 Path Resolution Error
105 Web Service Error
106 Audit User Request Error
107 Sending Email Error
108 Security Error
110 Not Supported Exception
111 Configuration Error
120 TextResource Error
130 Database Error
140 External Claim Transformation Error
141 Sql Claim Transformation Error
142 Regular Expression Condition Parsing Error
143 Invalid Operation Claim Transformation Error
145 Scripting Claim Transformation Compilation Error
146 Excluded Pass Through Claim Transformation Error
147 Common Claim Transformation Runtime Log
1440 User Account Update Claim Transformation - Invalid Claim Value Added Error
1441 User Account Update Claim Transformation - Invalid Bearing Claim Value Added Error
1442 User Account Update Claim Transformation - Invalid Email Claim Value Added Error
1443 User Account Update Claim Transformation - Invalid Update Option Error
150 Home Realm Discovery Rules - WHR Parameter Error
151 Home Realm Discovery Rules -Common Domain Cookie Error
152 Home Realm Discovery Rules -Common Home Reaml Discovery Error
154 Home Realm Discovery Rules - Read Cookie Error
155 Home Realm Discovery Rules - HRD Parameter Missing
156 Home Realm Discovery Rules - HRD Build Script Error
160 Authentication Session Expired
161 Authentication User Disabled
300 Certificate Error
301 Certificate Revocation Check Error
999 Supplemental Data
1000 Cannot Log Message
3000 CORS Debug
3001 CORS Header set, such as 'Access-Control-Allow-Origin' header
3002 CORS Configuration already exists in the web.config for endpoint
3003 CORS Allowed CORS Origins Domains Validation Error
3004 CORS Origin Parsing Error
3011 SAML20 Authentication Request Validation Error
3012 SAML20 Authentication Response Validation Error
3013 SAML20 Faulty Response Sent
3014 SAML20 SignOn Error
3015 SAML20 HTTP Message Error
3016 SAML20 RelayState Missing
3017 SAML20 Artifact Not Exist Or Expired
3018 SAML20 Build Customization Script Error
3019 SAML20 IsPassive But Assurance Level Not Satisfy
3040 SAML20 Unsuccessful Logout Response Received Error
3050 SAML20 Service Invalid Protocol Connection Error
3053 SAML20 Service Invalid Request Error
3054 SAML20 Service Data Response Error
3112 Ws Federation Security Token Validation Error
3114 Ws Federation Faulty State
3115 Ws Federation Protocol Error
3116 Ws Federation Wctx Missing
3310 NemID Common LogOn Error
3312 NemID Signature Error
3314 NemID Validation Error
3612 OAuth Provider Response Error
4010 Device Based Common Error
4011 Device Based Protocol Connection Not Found Error
4012 Device Based Response Error
4016 Device Based State Code Missing
4410 OTP Common error
4511 UserName & Password Update Password Error
4512 UserName & Password Authentication Session Exist Error
4712 LDAP Authentication Session Eexist Error
4717 LDAP Authentication Reset Password Failed
4810 Generic Provider Common Error
4811 Generic Provider Could Not Load External Provider Error
4812 Generic Provider Unhandled Exception From External Provider Error
4813 Generic Provider Name Claim Is Empty Or CanNot Parsed
4950 OAuth20 Request Error
5001 STS Configuration loading error
5002 STS Invalid Authentication Connection Found Error
5003 STS Invalid Protocol Connection Found Error
5004 STS Client Certificate Security Token Validation Failed Error
5005 STS UserName Password Validation Failed Error
5006 STS Claims Transformation Exception Thrown Error
5007 STS Credential Validation Exception Thrown Error
5020 STS Log Information Event
5050 STS Unknown Error
5100 REST Service Common Error
5102 REST Invalid Request
5103 REST Warning Request
5120 SPML Common Error
5200 Yubico Common Error
5201 Yubico Response Error
6000 Signing Certificate Rollover
7000 Data Management Service Invalid Policy Element
8000 SYS Common Error
8001 SYS Publish Event To ServiceBus Error
8002 SYS Hangfire Job Event
8003 SYS Logout Invalid Context
8004 SYS Login Invalid Context
8010 SYS HTTP Request Parameters
8011 SYS Data Load Error
8012 SYS Data Load Succeeded
9000 SYS Warning Event Log
9900 SYS Info Event Log
9999 SYS Debug Event Log

Appendix B: List of event IDs for SAML 2.0/WS-Federation/Username & Password/NemID/OTP/Facebook/Google/Twitter/LinkedIn/ Device-based/LiveId/LDAP/Yubico/Generic provider/STS plugins (SEC)

ID Description
SAML 2.0 plugin
5501 AuthnRequest Sent To Attribute Service
5502 Response Received From Attribute Service
5503 Attribute Query Message
5504 Attribute Query Response Message
5510 AuthnRequest Sent To Upstream Identity Provider
5511 Plain Text Assertion
5520 AuthnRequest Received From Service Provider
5516 Response Message
5518 SAML Request Message Received from Service Provider or Sent to Upstream Identity Provider
5521 Response Sent To Service Provider
5522 Certificate Validation Succeeded
5523 Certificate Validation Failed
5530 LogoutRequest Received From Service Provider
5531 LogoutResponse To Service Provider
5536 LogoutRequest Sent To Service Provider
5537 LogoutResponse Received From Service Provider
5538 LogoutResponse Received From Service Provider - Signature Validation
5539 LogoutResponse Received From Service Provider - Signature Validation Failed
5540 LogoutRequest Sent To Identity Provider
5541 LogoutResponse eceived From Identity Provider
5542 LogoutResponse eceived From Identity Provider - Signature Validation
5543 LogoutResponse eceived From Identity Provider - Signature Validation Failed
5544 LogoutResponse Sent To Identity Provider
5545 LogoutRequest Received From IdentityProvider
5546 LogoutRequest Received From IdentityProvider - Signature Validation
5547 LogoutRequest Received From IdentityProvider - Signature Validation Failed
WS-Federation plugin
3112 Security Token Validation Error
3117 Sign In Request Message
3118 Sign In Response Message
3119 Sign Out Clean up Request Message
3120 Sign Out Request Message
Username & Password plugin
4513 Username Password Authentication Success
4514 Username Password Authentication Failed
4515 Username Offboarding User
4516 User Account Is Locked Out
4517 Password Length Limit Exceeded
NemID plugin
3315 NemId Common Log On Error
3316 NemId Authentication Succeed
3317 NemId Signature Error
3318 NemId Validation Error
OTP plugin
4412 OTP Code Generated
4413 OTP Code Authentication Success
4414 OTP Code Authentication Failed
4415 OTP Code Sent
4416 OS2faktor Error
4417 WebAuthn Error
4418 WebAuth Public Key Credential Creation Options
4419 WebAuth Authenticator Attestation Response
4420 WebAuth Assertion Options
4421 WebAuth Authenticator Assertion Response
4422 WebAuth First Factor User Not Found
4423 WebAuth First Factor Registered Credential Not Found
OAuth 2.0 plugin
4910 OAuth2 Invalid Authorization Request
4914 OAuth2 Authorization Request
4915 OAuth2 Authorization Response
4916 OAuth2 Token Request
4917 OAuth2 Token Response
4911 OAuth2 Invalid Access Token Request
4934 OAuth2 Token Request Security Validation Failed
4935 OAuth2 Token Request Configuration Loading Error
4935 OAuth2 Token Request Security Validation Success
4922 OAuth2 Invalid Device Authorization Request
4923 OAuth2 Device Authorization Request
4924 OAuth2 Device Authorization Response
4918 OpenId Connect Token Request
4919 OpenId Connect Token Response
4920 OpenId Connect UserInfo Request
4912 OpenId Connect Invalid UserInfo Request
4921 OpenId Connect UserInfo Response
4913 OAuth2 Invalid Logout Request
4925 OAuth2 Valid Logout Request
4931 OAuth2 Auto Register Request
4932 OAuth2 Invalid Auto Register Request
4933 OAuth2 Auto Register Response
4940 OAuth2 Token Revocation Request
4941 OAuth2 Token Revocation Response
4942 OAuth2 Invalid Token Revocation Request
4950 OAuth2 Token Introspection Request
4951 OAuth2 Token Introspection Response
4952 OAuth2 Token Invalid Introspection Request
OAuth Provider (Facebook, Google, Twitter, LinkedIn, LiveId and Generic OAuth Provider plugins)
4110 OAuth2 Provider Common Error
4111 OAuth2 Provider Response Error
4112 OAuth2 Provider Response Message
4113 OAuth2 Provider Request Message
4114 OAuth2 Provider User Information Message
4115 OAuth2 Provider State Code Missing
4116 OAuth2 Provider Token Validation Error
4117 OAuth2 Provider Token Validation Successful
Device-based plugin
4013 User Device Cookie Validation Succeeded
4014 User Device Cookie Validation Failed
LDAP plugin
4713 LDAP Authentication Succeeded
4714 LDAP Authentication Failed
4716 LDAP Reset Password Succeeded
4718 LDAP Reset Password Failed
Yubico plugin
5203 Yubico Request Message
5204 Yubico Response Message
5205 Yubico Response Succeeded
5206 Yubico Response Failed
Generic provider plugin
4814 Generic Provider Authentication Succeeded
4815 Generic Provider Authentication Failed
STS
5600 Client certificate validation is successful
5601 Client certificate validation is failed, e.g. expired client certificate
5602 SOAP request message is signed correctly
5604 RST Received From User system
5605 RSTR Sent To User system
5606 The request with credential is successfully authenticated
5607 Invalid credentials
5608 Authentication for actas user is passed
5609 Authentication for actas user is failed (the reason is also included)
5610 Authorization for actas user is passed
5611 Authorization for actas user is failed (the reason is also included)
Provisioning (REST API)
5700 Provisioning Authentication Failed
5701 Provisioning Authentication Passed
UserSelfService
5000 User SelfService Offboarding User
Email notification
5800 Send Authenticator Changed Notification Failed
5801 Send User Password Changed Notification Failed

Appendix C: List of event IDs for Billing log (BIL)

ID Description
7000 Billing log for Passive flow
7001 Billing log for Active flow, .e.g STS
7003 Billing log for provisioning data (REST API)
7004 Billing log for Performance Counter

Appendix D: List of event IDs for Revision log (REV)

ID Description
20028 Revision Log For Data Change
20029 Revision Log For User Requests

Appendix E: List of event IDs for Analysis log (ANALYSIS)

ID Description
8100 User Data From Identity Provider
8101 User Data To Service Provider
8102 User Logout