Logging parameters

The preferred way to change logging settings is to change application parameters, either by editing the properties file instances/<instance-name>/instance.properties or by setting the corresponding environment variables.

To get a list of all available parameters, you may run the following command:

iam default-parameters

Application logs

| Property | Environment Variable | Description |
|---|---|---|
| iam.log.level | IAM_LOG_LEVEL | Log level used for enabled application modules. Possible values: DEBUG, INFO, WARN, ERROR, TRACE. |
| iam.log.structured-stdout.enabled, iam.log.structured-file.enabled, iam.log.main.enabled | IAM_LOG_STRUCTURED_STDOUT_ENABLED, IAM_LOG_STRUCTURED_FILE_ENABLED, IAM_LOG_MAIN_ENABLED | Set to "true" or "false" to enable or disable log outputs/appenders. The default values for these are "false", but instances created with IAM 7.1 or later have the following presets in "instance.properties": with Docker: "iam.log.structured-stdout.enabled=true"; without Docker: "iam.log.structured-file.enabled=true". (To restore the pre-7.1 default behavior, set "iam.log.main.enabled=true". Previously created instances are unaffected because their appenders are configured in the log4j config files.) |
| iam.log.structured-stdout.*, iam.log.structured-file.*, iam.log.main.* | IAM_LOG_STRUCTURED_STDOUT_*, IAM_LOG_STRUCTURED_FILE_*, IAM_LOG_MAIN_* | Configuration parameters for the corresponding log outputs/appenders. |
| iam.log.elasticsearch.url | IAM_LOG_ELASTICSEARCH_URL | Send structured log records from the local log file in "iam.structured-file.dir" to Elasticsearch, i.e. for reporting. |

Web server and access logs

Similar parameters exist to configure web server and access logs. Look for parameters beginning with "iam.web-server.log" and "iam.web-server.access-log" respectively. The extended Log4j 2 configuration options described in Log4j 2 configuration files are not available for web server and access logs.

iam default-parameters | grep -C 2 'iam.web-server.log'
iam default-parameters | grep -C 2 'iam.web-server.access-log'

Audit log signing

By default, the audit logger uses the "IAM-AUDIT" appender to write log messages into the "medusa-audit.log" file, in addition to logging into the usual log files. See Generating Airlock IAM log output for a list of all log files.

Audit log messages can be digitally signed to ensure authenticity and integrity. To enable signing, set the "iam.audit-log.signing.enabled" parameter to "true".

iam default-parameters | grep -C 2 'iam.audit-log.signing.enabled'

Enabling audit log signing can significantly reduce the parallel throughput of Airlock IAM operations, which can negatively impact performance. It is therefore recommended to run load tests before deploying IAM instances with audit log signing enabled.
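A way to review the application-log and audit-signing parameters of one instance before deployment, as an added example that is not part of the Airlock IAM documentation or tooling. It assumes that an environment variable overrides the properties file, and that the environment name for the signing parameter follows the same naming pattern as the table; neither is stated on this page.

```python
import os
import re

# Output switches from the table above; the page gives "false" as their default.
OUTPUT_FLAGS = ("iam.log.structured-stdout.enabled",
                "iam.log.structured-file.enabled", "iam.log.main.enabled")
SIGNING_FLAG = "iam.audit-log.signing.enabled"  # env name derived by pattern: assumption
LEVELS = {"DEBUG", "INFO", "WARN", "ERROR", "TRACE"}
# Constructed sample: a non-Docker instance with the 7.1 preset, signing left unset.
SAMPLE = "# constructed sample\niam.log.level=INFO\niam.log.structured-file.enabled=true\n"

def env_name(prop):
    """iam.log.main.enabled -> IAM_LOG_MAIN_ENABLED, the pattern the table shows."""
    return re.sub(r"[.-]", "_", prop).upper()

def parse_properties(text):
    """Minimal key=value parser: skips blank and #/! comment lines, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def effective(prop, props, env):
    # ASSUMPTION (not stated on the page): the environment variable wins over the file.
    return env.get(env_name(prop), props.get(prop))

def audit(props_text, env):
    """Return findings for the logging parameters of one instance."""
    props, findings = parse_properties(props_text), []
    for prop in (*OUTPUT_FLAGS, SIGNING_FLAG, "iam.log.level"):
        name = env_name(prop)
        if prop in props and name in env and env[name] != props[prop]:
            findings.append(f"conflict: {prop}={props[prop]} but {name}={env[name]}")
    # Instances created before 7.1 may still log through their log4j config files.
    if not any(effective(f, props, env) == "true" for f in OUTPUT_FLAGS):
        findings.append("no log output enabled via parameters")
    level = effective("iam.log.level", props, env)
    if level is not None and level not in LEVELS:
        findings.append(f"iam.log.level={level} is not a listed value")
    if effective(SIGNING_FLAG, props, env) != "true":
        findings.append("audit log signing not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, dict(os.environ)):
        print(finding)
```

To check a real instance, pass the contents of instances/<instance-name>/instance.properties as the first argument instead of the sample.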