Logging parameters

The preferred way of changing logging settings is changing application parameters by editing the properties file instances/<instance-name>/instance.properties or using the corresponding environment variables.

To get a list of all available parameters, you may run the following command:

 
Terminal box
iam default-parameters

Application logs

Property

Environment Variable

Description

iam.log.level

IAM_LOG_LEVEL

Log level used for enabled application modules.

Possible values: DEBUG, INFO, WARN, ERROR, TRACE.

iam.log.structured-stdout.enabled

iam.log.structured-file.enabled

iam.log.main.enabled

IAM_LOG_STRUCTURED_STDOUT_ENABLED

IAM_LOG_STRUCTURED_FILE_ENABLED

IAM_LOG_MAIN_ENABLED

Set to "true"  or "false"  to enable or disable log outputs/appenders.

The default values for these are “false”, but instances created with IAM 7.1 or later have the following presets in “instance.properties”:

  • with Docker: “iam.log.structured-stdout.enabled=true”
  • without Docker: “iam.log.structured-file.enabled=true”

(To restore behavior to pre 7.1 defaults, set “iam.log.main.enabled=true”. Previously created instances are unaffected due to configured appenders in the log4j config files.)

iam.log.structured-stdout.*

iam.log.structured-file.*

iam.log.main.*

IAM_LOG_STRUCTURED_STDOUT_*

IAM_LOG_STRUCTURED_FILE_*

IAM_LOG_MAIN_*

Configuration parameters for corresponding log outputs/appenders.

iam.log.elasticsearch.url

IAM_LOG_ELASTICSEARCH_URL

Send structured log records from the local log file in “iam.structured-file.dir” to elasticsearch. I.e. for reporting.

Web server and access logs

Similar parameters exist to configure web server and access logs. Look for parameters beginning with “iam.web-server.log” and “iam.web-server.access-log” respectively. The extended Log4j 2 configuration options described in Log4j 2 configuration files - examples are not available for web server and access logs.

 
Terminal box
iam default-parameters | grep -C 2 'iam.web-server.log'
iam default-parameters | grep -C 2 'iam.web-server.access-log'

Audit log signing

By default, the audit logger uses the “IAM-AUDIT” appender to write log messages into the “medusa-audit.log” file, in addition to logging into the usual log files. See Generating Airlock IAM log output for a list of all log files.

Audit log messages can be digitally signed to ensure authenticity and integrity. To enable signing set the “iam.audit-log.signing.enabled” parameter to “true”.

 
Terminal box
iam default-parameters | grep -C 2 'iam.audit-log.signing.enabled'
 
Notice

Enabling audit log signing can significantly reduce the parallel throughput of Airlock IAM operations, which can negatively impact performance. It is therefore recommended to run load tests before deploying IAM instances with audit log signing enabled.