14.4 Configuring Session-Based Logging
The session-based logging feature allows the administrator to enable file logging for an individual
user. In production environments, this has the following value:
• Debug logging can be turned on for an individual user rather than all users. The potential size
  of logged data usually prohibits an administrator from turning on debug logging for all users.
• All logged messages for this user are directed to a single file. Administrators do not need to sort
  through the various log files to follow the activity of the user.
• Isolating the problem and finding the cause is limited to the user who is experiencing the
  problem.
• Enabling session-based logging does not require a configuration change to the Identity Server,
  and thus does not require updating the Identity Server.
The following user scenario explains how this feature could be used in a production environment:
1. A user notices a problem and calls the help desk.
2. The help desk operator questions the user and concludes that the problem is caused by either a
Novell Identity Server or an Embedded Service Provider.
3. The operator has been granted the rights to create logging tickets, and uses the User Portal to
create a logging ticket for the user.
4. The operator sends the logging ticket password and the URL to access the logging ticket class
to the user.
5. The user clicks the URL and enters the logging ticket password.
This marks the current session as "active for logging" and adds a small icon to the top right of
the page, which makes the session logging feature visible to the user.
6. Using the same browser window, the user duplicates the problem behavior.
7. The operator can then access the data that was logged just for this user and analyze the cause of
the behavior.
To enable session-based logging, the following tasks need to be completed:
Section 14.4.1, "Creating the Administrator Class, Method, and Contract"
Section 14.4.2, "Creating the Logging Session Class, Method, and Contract"
Section 14.4.3, "Enabling Basic Logging"
Section 14.4.4, "Responding to an Incident"
14.4.1 Creating the Administrator Class, Method, and Contract
The IDP Administrator class, method, and contract control who has the rights to create a logging
ticket. You need to know the DNs of the operators who are going to be responding to the users who
are experiencing problems.
1 In the Administration Console, click Devices > Identity Servers > Edit > Local.
2 To create the class:
2a Click Classes.
2b Click New, then specify the following values:
Maintaining an Identity Server 323