View and Maintain Log Files

The provisioning components (Provisioning Server, Connector Servers, Provisioning Manager) can be configured to log information about all transactions that they process. You can use this information to predict and identify the sources of system or security problems. For example, if the warning messages in log files show that some accounts on an endpoint could not be explored, you can use the logged information to investigate those accounts and determine why they were not explored. Use a text editor to view and edit provisioning log files.
Server Event logs track messages generated by the Provisioning Server. You can log messages to several optional destinations, including CA Audit.
The provisioning components provide other types of logging to diagnose specific problems. Other than the provisioning server trace log, these logs are usually not enabled unless you need them to trace a particular event. They include provisioning server logs, slapd logs, and C++ Connector Server logs. You can also diagnose problems that occur when communicating with the provisioning server by enabling Provisioning Manager logging.
Messages from all logs are written to text files in the PSHOME\Logs directory and are named accordingly:
  • Provisioning Server Event Log -- etayyyymmdd.log
  • Provisioning Server Trace Log -- etatransyyyymmdd-hhmm.log
  • Provisioning Server IMS Notification Log -- etanotifyyyyymmdd-hhmm.log
  • Provisioning Server SLAPD Log -- im_ps.log
  • Provisioning Manager Log -- etaclientyyyymmdd.log
  • C++ Connector Server Endpoint Log -- sayyyymmdd.log
  • C++ Connector Server Trace Log -- satransyyyymmdd-hhmm.log
  • C++ Connector Server SLAPD Log -- im_ccs.log
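As an added example (not part of the product documentation or its tooling), the following Python code classifies file names found in the Logs directory by the default naming patterns listed above, so that diagnostic logs left enabled stand out during a review. It assumes the default base file names (they are configurable) and case-insensitive matching; the sample listing is constructed.

```python
import re
from datetime import datetime

# File-name patterns taken from the list above. Matching is case-insensitive
# because the page writes both "etatrans" and "etaTrans".
DAY, MINUTE = r"(?P<ts>\d{8})", r"(?P<ts>\d{8}-\d{4})"
PATTERNS = [
    ("Provisioning Server Event Log", rf"eta{DAY}\.log"),
    ("Provisioning Server Trace Log", rf"etatrans{MINUTE}\.log"),
    ("Provisioning Server IMS Notification Log", rf"etanotify{MINUTE}\.log"),
    ("Provisioning Server SLAPD Log", r"im_ps\.log"),
    ("Provisioning Manager Log", rf"etaclient{DAY}\.log"),
    ("C++ Connector Server Endpoint Log", rf"sa{DAY}\.log"),
    ("C++ Connector Server Trace Log", rf"satrans{MINUTE}\.log"),
    ("C++ Connector Server SLAPD Log", r"im_ccs\.log"),
]
COMPILED = [(name, re.compile(p, re.IGNORECASE)) for name, p in PATTERNS]

def classify(filename):
    """Return (log type, timestamp or None); (None, None) if not a known log."""
    for name, rx in COMPILED:
        m = rx.fullmatch(filename)
        if not m:
            continue
        ts = m.groupdict().get("ts")
        if ts is None:
            return name, None          # fixed-name SLAPD logs carry no date
        fmt = "%Y%m%d-%H%M" if "-" in ts else "%Y%m%d"
        try:
            return name, datetime.strptime(ts, fmt)
        except ValueError:
            return None, None          # digits present but not a real date
    return None, None

def inventory(filenames):
    """Group file names by log type; unknown names go under 'unrecognized'."""
    groups = {}
    for fn in filenames:
        name, _ = classify(fn)
        groups.setdefault(name or "unrecognized", []).append(fn)
    return groups

# Constructed sample directory listing (not from a real system).
SAMPLE = ["eta20240105.log", "etaTrans20240105-0930.log", "sa20240105.log",
          "satrans20240105-0931.log", "im_ps.log", "eta20241340.log", "notes.txt"]

if __name__ == "__main__":
    for kind, files in inventory(SAMPLE).items():
        print(f"{kind}: {files}")
```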
Server Event Logging
Server Event logs record important events generated from the Provisioning Server. These events consist of all severity levels (success, information, warning, fatal, and error). The logs record every client-initiated operation and its success or failure, including generated sub-operations.
In the System Task frame of the Provisioning Manager, under Global Properties, use the Logging tab to configure Server Event logging. Server Event logs typically only need to be configured once.
In some cases, you can turn logging on or off, or you can configure the severity levels of the messages logged. Server Event logging can therefore serve to audit the activities that take place within the Provisioning Server. However, the preferred way to audit provisioning activity is to enable the IMS Notifications feature. The IMS Notifications feature sends detailed audit records to the IMS server for inclusion in the full audit record of CA Identity Manager activity. The notification records sent to the IMS can also trigger events for additional CA Identity Manager Server processing.
Endpoint Logging
In the Endpoint Task frame, you can configure endpoint-specific logging. Endpoint logs track messages that a connector generates when it processes requests for objects residing in that endpoint. Each endpoint can be configured separately so you can turn logging on or off for just the endpoints where you need to learn additional information to diagnose problems.
You can also specify the severity (success, information, warning, fatal, and error) of the messages that get logged.
The Active Directory connector does not log messages based on the severity (success, information, warning, fatal, and error) that is specified in the endpoint logging.
To turn logging on or off and to set the logging destinations and the severity levels of the messages logged for each endpoint, use the Logging tab of the endpoint's property sheet in the Provisioning Manager. For detailed instructions, see Setting Endpoint Logging in the Provisioning Manager help.
Endpoint logging is sent to a log file for the connector server in which the connector for the endpoint runs. For C++ connectors, the default log file name is PSHOME\Logs\saYYYYMMDD.log. The C++ connector server also adds some additional messages to this log. You control the log file name in im_ccs.conf using the BaseLogFileName parameter, and you control which severities of these other messages are logged in the same conf file using the LogSeverities parameter.
Connectors that run directly within the provisioning server (for example, the CA ACF2 connector) send their endpoint logging to the provisioning server’s event log, which has the default name of PSHOME\Logs\etaYYYYMMDD.log.
Diagnostic Logging
To diagnose specific problems, you can enable the provisioning server trace log, slapd logs, or C++ Connector Server logs. These are typically not enabled unless you need them to trace a specific type of event. Provisioning Manager logging also is used for diagnosing problems in the Provisioning Manager or client utilities.
Provisioning Server Trace Log
Enable this logging component to generate a special transaction log file that records the details of every transaction processed by the Provisioning Server. You can choose from several logging levels to match the level of logging detail you prefer using the domain configuration parameter Transaction Log/Level.
The Provisioning Server trace log writes messages to PSHOME\Logs\etaTransyyyymmdd-hhmm.log. To change the base part of the file name (the part before the date) or to relocate this log file to another drive, modify the domain configuration parameter Transaction Log/File name. For more information about the etaTransyyyymmdd.log file, see the Provisioning Manager help.
Unlike most logging, which is turned off by default, Provisioning Server logging is fully enabled when the component is installed. If you choose not to run with the maximum trace logging of the provisioning server, you need to change the domain configuration parameters that control this logging. These parameters are located in the “Transaction Log” parameter folder in the Provisioning Manager on the System task under Domain Configuration.
Provisioning Server IMS Notification Log
The Provisioning Server is typically configured to send notifications (global user and other object change records) to the CA Identity Manager Server for integration with the IMS event system and audit database. A notification thread running within the Provisioning Server reads notification records from the local notify DB and transmits them to the IMS. This activity is captured in the IMS Notification log, whose name is PSHOME\Logs\etanotifyyyyymmdd-hhmm.log.
You configure the severity of log messages included in this log on the CA Identity Manager Setup screen in the System Task of Provisioning Manager.
The format of this log is similar to the Provisioning Server and Connector Server trace logs.
SLAPD and C++ Connector Server Logs
On Windows, you can enable SLAPD logging for advanced debugging tasks such as LDAP protocol packet handling and search-filter processing. You can set the log level in the Windows registry by assigning a value to the DebugLevel key. There are two registry keys, each controlling the logging for one of the services:
  • HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\slapd\im_ps\CurrentVersion\DebugLevel
    The im_ps registry key controls logging for im_ps.exe, run by the Provisioning Server service.
  • HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\slapd\im_ccs\CurrentVersion\DebugLevel
    The im_ccs registry key controls logging for im_ccs.exe, run by the Connector Server service.
The preferred method for enabling SLAPD logging is by setting the loglevel parameter in im_ps.conf or im_ccs.conf, for both Windows and Solaris. Each file contains configuration instructions.
The DebugLevel registry key or loglevel configuration file parameter specifies the amount of information the server writes to its log file, which is one of the following, depending upon your type of slapd service:
  • PSHOME\Logs\im_ps.log
  • PSHOME\Logs\im_ccs.log
Note: A "TLS: can't accept" error message may appear in the im_ps.log file when running in FIPS mode due to a low-level initialization problem that clears up after the first connection from a client. Since clients retry connections, you can ignore this message.
You can select a debug level to match the type of debugging you want to perform. The debug levels are listed in the following table:
 
Value    Debug Information
1        Trace function calls
2        Debug packet handling
4        Heavy trace debugging
8        Connection management
16       Print out packets sent and received
32       Search filter processing
64       Configuration file processing
128      Access control list processing
256      Stats log connections/operations/results
512      Stats log entries sent
1024     Print communication with shell back-ends
2048     Entry parsing
65535    All tracing
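An added example, not from the product documentation: this Python code decodes a loglevel or DebugLevel value into the table's descriptions and reports whether level 16 (packet printing) is switched on. It assumes the values combine as bit flags, as the 65535 "All tracing" entry suggests, and that the conf files use a `loglevel <number>` line; both are assumptions, and the configuration fragment is constructed.

```python
import re

# Values and descriptions copied from the debug-level table above.
LEVELS = {
    1: "Trace function calls",
    2: "Debug packet handling",
    4: "Heavy trace debugging",
    8: "Connection management",
    16: "Print out packets sent and received",
    32: "Search filter processing",
    64: "Configuration file processing",
    128: "Access control list processing",
    256: "Stats log connections/operations/results",
    512: "Stats log entries sent",
    1024: "Print communication with shell back-ends",
    2048: "Entry parsing",
}
ALL_TRACING = 65535
PACKET_DUMP = 16  # the level the table says prints packets sent and received

def decode(level):
    """Split a combined level into table descriptions plus leftover bits."""
    # Assumption: levels are bit flags that can be added together.
    if level == ALL_TRACING:
        return ["All tracing"], 0
    names = [text for bit, text in LEVELS.items() if level & bit]
    unknown = level & ~sum(LEVELS)      # bits the table does not document
    return names, unknown

def audit_conf(text):
    """Find 'loglevel <n>' lines (assumed syntax) and decode each one."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*loglevel\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            level = int(m.group(1))
            names, unknown = decode(level)
            findings.append({"line": n, "level": level, "names": names,
                             "unknown_bits": unknown,
                             "prints_packets": bool(level & PACKET_DUMP)})
    return findings

# Constructed configuration fragment (not from a real im_ps.conf).
SAMPLE_CONF = """# im_ps.conf (constructed)
loglevel 272
#loglevel 65535
"""
```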
C++ Connector Server Trace Logging
C++ Connector Server Trace Logs record the activity of the C++ Connector Server, which is a module used to help manage many endpoint types. This log performs the following functions:
  • Logs trace and debug messages for the C++ Connector Server.
  • Monitors all statuses returned by its connectors. For example, if a connector returns fatal LDAP errors, the C++ Connector Server logs these errors with severity LOG_FATAL.
To set the log file name and logging levels, set the SATransLog and SATransLogLevel parameters in im_ccs.conf. The supported logging levels are 0 (for off) and 1 (for on). The default is 0. These parameters must exist in the file after the database superagent line.
Provisioning Manager Logging
To diagnose problems communicating with the server, you can set logging to record events that transpire between the Provisioning Manager and the Provisioning Server to which it is connected. Use the Logging tab under File, Preferences to trace all requests sent to any server from the Provisioning Manager.
This logging is actually logging within the C/C++ client library used by the Provisioning Manager and some other clients (batch utility, password manager, csfconfig, bindeta, pingeta). Once logging is enabled and configured using Provisioning Manager, those log settings apply for these other clients as well. Each client logs its command name as it logs messages so you can identify which log messages are specific to which client.
However, for this to work the client being run must reside in the same file system folder as the Provisioning Manager’s etadmin.exe program. When this is not the case (such as when running on Solaris where there is no Provisioning Manager install, or even on Windows when you run utilities from the Provisioning Server’s installation), the client library consults registry settings specific to the Provisioning Server instead of specific to the Provisioning Manager. Set these other registry settings by running these eta-env commands using the eta-env program included in the Provisioning Server installation:
eta-env action=set name=Manager/LogMaster type=int value=1
eta-env action=set name=Manager/LogDestinations type=int value=16
eta-env action=set name=Manager/LogSevFile type=int value=31
These have the effect of configuring the C/C++ client library for the provisioning server’s installation, setting the destination to “text file” and logging all message severities.
Finally, the csfconfig command has a “debug=yes” command-line parameter that you can specify to turn this logging on for one command invocation, overriding any registry settings configured with Provisioning Manager or eta-env.
Use AnalyzeLog
The command line utility, AnalyzeLog, takes as input a Provisioning Server trace log (etatransyyyymmdd-hhmm.log) and produces different views of the information depending on what options you set. You can use this information to diagnose functional or performance problems reported by users.
For more details on this utility, see the Provisioning Manager online help.
Log Files for High Availability
To ensure proper operation of your high-availability configuration, you should monitor the following log files:
  • Alarm
  • Warn
  • Stats
  • Diag
  • Summary
  • Trace
All logs can be flushed through the DXserver console. Only the SUMMARY and TRACE logs can be closed from the console.