The preferred way of changing logging settings is to change application parameters (see 8.1.), either by editing the properties file instances/<instance-name>/instance.properties or by using the corresponding environment variables. The logging parameters all start with "iam.log".
To get a list of all available parameters, you may run the following command:
Application logs
| Property | Environment Variable | Description |
|---|---|---|
| iam.log.level | IAM_LOG_LEVEL | Log level used for enabled application modules. Possible values: DEBUG, INFO, WARN, ERROR |
| iam.log.structured-stdout.enabled | IAM_LOG_STRUCTURED_STDOUT_ENABLED | Set to "true" or "false" to enable or disable log outputs/appenders. The default values for these are "false", but instances created with IAM 7.1 or later have the following presets in "instance.properties": (To restore behavior to pre-7.1 defaults, set "iam.log.main.enabled=true". Previously created instances are unaffected due to configured appenders in the log4j config files.) |
| iam.log.structured-stdout.* | IAM_LOG_STRUCTURED_STDOUT_* | Configuration parameters for corresponding log outputs/appenders. |
| iam.log.elasticsearch.url | IAM_LOG_ELASTICSEARCH_URL | Send structured log records from the local log file in "iam.structured-file.dir" to Elasticsearch, i.e. for reporting. |
Web server and access logs
Similar parameters exist to configure web server and access logs. Look for parameters beginning with "iam.web-server.log" and "iam.web-server.access-log" respectively.
The extended Log4j 2 configuration options described at the bottom of this page are not available for web server and access logs.
iam default-parameters | grep -C 2 'iam.web-server.log'
iam default-parameters | grep -C 2 'iam.web-server.access-log'
Audit log signing
By default, the audit logger uses the "IAM-AUDIT" appender to write log messages into the "medusa-audit.log" file, in addition to logging into the usual log files. See 7.3. Airlock IAM log outputs for a list of all log files.
Audit log messages can be digitally signed to ensure authenticity and integrity. To enable signing, set the application parameter "iam.audit-log.signing.enabled" (see 8.1.) to "true".
Enabling audit log signing can significantly reduce the parallel throughput of Airlock IAM operations, which can negatively impact performance. It is therefore recommended to run load tests before deploying IAM instances with audit log signing enabled.
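A pre-deployment check of the parameters named on this page, as an added example that is not part of the Airlock IAM documentation or product. It assumes environment variable names follow the pattern shown in the table (so "iam.audit-log.signing.enabled" would map to IAM_AUDIT_LOG_SIGNING_ENABLED); because the page does not state whether the file or the environment takes precedence, a disagreement between the two is reported as a conflict. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Assumption: environment variable names follow
# the pattern visible in the table: upper-case, with "." and "-" replaced by "_".
prop_to_env() { printf '%s' "$1" | tr 'a-z.-' 'A-Z__'; }

# Print the value of property $2 from properties file $1 (last assignment wins).
file_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { if (v != "") print v }' "$1"
}

# check_param FILE PROPERTY REGEX -> 0 value matches, 1 missing or unexpected,
# 2 file and environment disagree (precedence is not stated on the page).
check_param() {
    f=$(file_value "$1" "$2")
    e=$(printenv "$(prop_to_env "$2")" || true)
    if [ -n "$f" ] && [ -n "$e" ] && [ "$f" != "$e" ]; then
        echo "CONFLICT $2: file='$f' env='$e'"; return 2
    fi
    v=${e:-$f}
    if printf '%s\n' "$v" | grep -Eqx "$3"; then echo "OK   $2=$v"; return 0; fi
    echo "FAIL $2='${v:-unset}' (expected $3)"; return 1
}

# Constructed sample instance.properties, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
iam.log.level = INFO
iam.log.structured-stdout.enabled=true
iam.audit-log.signing.enabled=false
EOF
check_param "$sample" iam.log.level 'DEBUG|INFO|WARN|ERROR' || true
check_param "$sample" iam.log.structured-stdout.enabled 'true|false' || true
check_param "$sample" iam.audit-log.signing.enabled 'true' || true  # FAIL for the sample
rm -f "$sample"
```
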
Further information and links
- To learn more about the logging infrastructure of Airlock IAM see 7.4. Logging and reporting pipeline (Elasticsearch, Kibana).
- To learn more about the different types of log formats supported by Airlock IAM see 7.4.5. Log messages.