Changing Log Levels

The Logback implementation in IG supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, ALL, and OFF. Log levels are case-insensitive in logback.xml.

Changing the Global Log Level

The global log level is set by default to INFO by the following line of the default logback.xml: 

<root level="${ROOT_LOG_LEVEL:-INFO}">

When IG is running in standalone mode, change the global log level as follows:

  • To persist the log level for all future IG instances:

    • Add an environment variable in $HOME/.openig/bin/env.sh, where $HOME/.openig is the instance directory: 

      export ROOT_LOG_LEVEL=DEBUG

    • Alternatively, add a system property in $HOME/.openig/bin/env.sh: 

      export JAVA_OPTS="-DROOT_LOG_LEVEL=DEBUG"

      If both an environment variable and system property is set, the system property takes precedence.

  • To persist the log level for IG instances launched from the same shell, add an environment variable in the shell before you start IG: 

    $ export ROOT_LOG_LEVEL=DEBUG
$ /path/to/identity-gateway/bin/start.sh $HOME/.openig

  • To persist the log level for a single IG instance: 

    $ ROOT_LOG_LEVEL=DEBUG /path/to/identity-gateway/bin/start.sh $HOME/.openig

When IG is running in web container mode, add an environment variable on the command line when you start the web container: 

$ export ROOT_LOG_LEVEL=DEBUG
C:> set ROOT_LOG_LEVEL=DEBUG

Changing the Log Level for Different Object Types

To change the log level for a single object type without changing it for the rest of the configuration, edit logback.xml to add a logger defined by the fully qualified class name or package name of the object, and set its log level.

The following line in logback.xml sets the ClientHandler log level to ERROR, but does not change the log level of other classes or packages: 

<logger name="org.forgerock.openig.handler.ClientHandler" level="ERROR"/>

To facilitate debugging, in logback.xml add loggers defined by the fully qualified package name or class name of the object. For example, add loggers for the following areas:

  • Expression resolution: 

    org.forgerock.openig.el
    org.forgerock.openig.resolver

  • Session management with JwtSession: 

    org.forgerock.openig.jwt

  • OAuth 2.0 and OpenID Connect and token resolution and validation: 

    org.forgerock.openig.filter.oauth2

  • Interaction with AM policies, SSO, CDSSO, and user profiles: 

    org.forgerock.openig.openam
    org.forgerock.openig.tools

  • SAML support: 

    org.forgerock.openig.handler.saml

  • UMA support: 

    org.forgerock.openig.uma

  • Web socket tunnelling: 

    org.forgerock.openig.websocket

  • Secret resolution: 

    org.forgerock.secrets.propertyresolver
    org.forgerock.secrets.jwkset
    org.forgerock.secrets.keystore
    org.forgerock.secrets.oauth2
    org.forgerock.openig.secrets.Base64EncodedSecretStore

  • AllowOnlyFilter, where filter_name refers to the top-level name of the "AllowOnlyFilter". 

    org.forgerock.openig.filter.allow.AllowOnlyFilter.filter_name
Read a different version of :