Parameter settings
8.5.1. Logging parameters

The preferred way to change logging settings is to change application parameters (see 8.1.), either by editing the properties file instances/<instance-name>/instance.properties or by using the corresponding environment variables. All logging parameters start with "iam.log".

To get a list of all available parameters, you may run the following command:

iam default-parameters

Application logs

Properties: iam.log.level
Environment variables: IAM_LOG_LEVEL
Description: Log level used for enabled application modules.
Possible values: DEBUG, INFO, WARN, ERROR

Properties: iam.log.structured-stdout.enabled, iam.log.structured-file.enabled, iam.log.main.enabled
Environment variables: IAM_LOG_STRUCTURED_STDOUT_ENABLED, IAM_LOG_STRUCTURED_FILE_ENABLED, IAM_LOG_MAIN_ENABLED
Description: Set to "true" or "false" to enable or disable log outputs/appenders.
The default values for these are "false", but instances created with IAM 7.1 or later have the following presets in "instance.properties":
  • with Docker: "iam.log.structured-stdout.enabled=true"
  • without Docker: "iam.log.structured-file.enabled=true"
(To restore behavior to pre-7.1 defaults, set "iam.log.main.enabled=true". Previously created instances are unaffected due to configured appenders in the log4j config files.)

Properties: iam.log.structured-stdout.*, iam.log.structured-file.*, iam.log.main.*
Environment variables: IAM_LOG_STRUCTURED_STDOUT_*, IAM_LOG_STRUCTURED_FILE_*, IAM_LOG_MAIN_*
Description: Configuration parameters for corresponding log outputs/appenders.

Properties: iam.log.elasticsearch.url
Environment variables: IAM_LOG_ELASTICSEARCH_URL
Description: Send structured log records from the local log file in "iam.structured-file.dir" to Elasticsearch, i.e. for reporting.

Web server and access logs

Similar parameters exist to configure web server and access logs. Look for parameters beginning with "iam.web-server.log" and "iam.web-server.access-log" respectively.

The extended Log4j 2 configuration options described at the bottom of this page are not available for web server and access logs.

iam default-parameters | grep -C 2 'iam.web-server.log'
iam default-parameters | grep -C 2 'iam.web-server.access-log'

Audit log signing

By default, the audit logger uses the "IAM-AUDIT" appender to write log messages into the "medusa-audit.log" file, in addition to logging into the usual log files. See 7.3. Airlock IAM log outputs for a list of all log files.

Audit log messages can be digitally signed to ensure authenticity and integrity. To enable signing, set the application parameter "iam.audit-log.signing.enabled" (see 8.1.) to "true".

iam default-parameters | grep -C 2 'iam.audit-log.signing.enabled'

Enabling audit log signing can significantly reduce the parallel throughput of Airlock IAM operations, which can negatively impact performance. It is therefore recommended to run load tests before deploying IAM instances with audit log signing enabled.
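
The following is an added example, not part of the Airlock IAM documentation or tooling: POSIX shell functions that read the parameters named on this page from an instance.properties file and from the environment, flag disagreements between the two sources, and flag the case where none of the three log outputs is enabled. Assumptions: the file holds plain key=value lines, variable names follow the pattern in the table above (upper-case, "." and "-" become "_"), and all function names are hypothetical.

```shell
# Added example (not Airlock tooling). Function names are hypothetical.
# Usage: review_logging instances/<instance-name>/instance.properties

# iam.log.main.enabled -> IAM_LOG_MAIN_ENABLED (pattern taken from the table)
prop_to_env() { printf '%s' "$1" | tr 'a-z.-' 'A-Z__'; }

# Last uncommented value of property $2 in file $1 (empty if absent).
file_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || !index($0, "=") { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t\r]+$/, "", v) }
        END { print v }' "$1"
}

# Print both sources for property $2; return 1 if both are set and differ.
show_param() {
    f=$(file_value "$1" "$2")
    e=$(printenv "$(prop_to_env "$2")" || true)
    m=""; if [ -n "$f" ] && [ -n "$e" ] && [ "$f" != "$e" ]; then m=" MISMATCH"; fi
    printf '%-36s file=%-6s env=%s%s\n' "$2" "${f:-unset}" "${e:-unset}" "$m"
    [ -z "$m" ]
}

# Assumption: precedence is not stated on the page, so either source counts.
is_on() {
    [ "$(file_value "$1" "$2")" = true ] ||
        [ "$(printenv "$(prop_to_env "$2")" || true)" = true ]
}

# Review file $1; the return code is the number of findings.
review_logging() {
    findings=0 outputs=0
    for p in iam.log.level iam.log.structured-stdout.enabled \
             iam.log.structured-file.enabled iam.log.main.enabled \
             iam.audit-log.signing.enabled; do
        show_param "$1" "$p" || findings=$((findings + 1))
    done
    for p in structured-stdout structured-file main; do
        if is_on "$1" "iam.log.$p.enabled"; then outputs=$((outputs + 1)); fi
    done
    if [ "$outputs" -eq 0 ]; then
        echo "finding: no log output enabled by parameter (default is false)"
        findings=$((findings + 1))
    fi
    is_on "$1" iam.audit-log.signing.enabled || echo "note: audit log signing is off"
    return "$findings"
}
```

For instances created before IAM 7.1, the "no log output enabled" finding needs a manual look at the log4j config files, since those instances rely on appenders configured there.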

Further information and links