22.2.1 Understanding the Correlation Tags in the Log Files

There is no fixed field format for log file entries. However, because most requests handled by Access Manager are processed by multiple Access Manager components, there is a mechanism that facilitates the correlation of log entries for a single Access Manager request in the various component log files. A correlation tag has the following general format:

<tag name>#<tag value>:

The <tag name> is a fixed value, defined in the Format column of Table 22-2. It is always terminated by the # character. The <tag value> immediately follows the # character and is always terminated by the : character. The <tag value> is not a fixed value, but a uniquely assigned value to identify an event, a user, or a transaction. Table 22-2 lists the defined correlation tags:

Table 22-2 Correlation Tags

Type

Format

Description

Event code

AM#<Event-Code>:

This tag is included in all log entries that record an event and in all events that are presented to a user as an informational or error page.

User ID

AMAUTHID#<ID>:

An authentication identifier that Identity Server or the Embedded Service Provider (ESP) assigns to each authenticated user. This tag is included in all entries that pertain to a request made by an authenticated user.

Currently Identity Server and ESP assign different authentication IDs. When correlating the flow of events between Identity Server and the ESP for an authentication sequence, you can use the event code of the authentication events and find the artifact that the ESP and Identity Server exchange.

In the catalina.out file of Identity Server, search for AM#500105018 events. This is the event that sends the artifact to the ESP. Search for a corresponding artifact in Access Gateway log. Events AM#500105020 and AM#500105021 contain the artifact value.

Device ID

AMDEVICE#<ID>

An identifier that uniquely identifies the Access Manager device that is generating the log entry.

You can view the identifier that is assigned to each device on the General Logging page in Administration Console (click Auditing > General Logging). The ID begins with a prefix that identifies the type of device such as idp for Identity Server, ag for Access Gateway, and idp-esp for ESP of the device. The prefix is followed by a 16-digit hexadecimal number.

In log entries, the idp prefix is not recorded. For example, the General Logging page displays idp-AA257DA77ED48DB0 for the ID of Identity Server, but in the catalina.out file, the value is AMDEVICE#AA257DA77ED48DB0.

Transaction ID

AMEVENTID#<ID>:

An identifier assigned to each Access Manager or system administration transaction. Access Manager transactions are actions such as authenticating a user, processing a request for access to a resource, and federating an identity.

If a user requests access multiple resources, each request is given a separate transaction ID. When Access Gateway evaluates a policy for a protected resource page and the page contains links, the policy is evaluated for each link, and each of these evaluations generates a new transaction ID.

System administration transactions are actions such as importing a device, deleting a device, stopping or starting a device, and configuring or modifying the configuration of a device.