Configure audit and monitor log files
This topic describes how to configure the location and behavior of the log files.
By default, the Credential Provider displays a generic message when a warning or error occurs. Full details of the issue are available in the APPConsole.log file, which is restricted.
To enable verbose error logs, you can update the VerboseError parameter, although this is not recommended. For more information, see Configure debug levels.
Log file location
The following parameter in the basic configuration file specifies the location of the Credential Provider log files:
Parameter | Description |
---|---|
LogsFolder | The full pathname of the folder where the Credential Provider stores the local log files. |
Configure debug levels
The following parameters in the main configuration file specify the level of debugging in the log files:
Parameter | Description |
---|---|
AppProviderDebugLevels | Sets the debug level of the Credential Provider. You can set several values, separated by commas. 0 - No messages are written to the trace log (default). 1 - Credential Provider errors are written to the trace log. 2 - Credential Provider trace messages are written to the trace log. 3 - Credential Provider CASOS errors are written to the trace log. 4 - Credential Provider CASOS activities and trace messages are written to the trace log. 5 - Credential Provider background refresh trace messages are written to the trace log. |
ProtocolDebugLevels | Sets the debug level of the protocol layer. You can set several values, separated by commas. 0 - No messages are written to the trace log (default). 1 - Protocol errors are written to the trace log. 2 - Protocol trace messages are written to the trace log. |
CacheDebugLevels | Sets the debug level of the Credential Provider cache. You can set several values, separated by commas. 0 - No messages are written to the trace log (default). 1 - Cache errors are written to the trace log. 2 - Cache trace messages are written to the trace log. |
AuthenticationLogs | Whether or not the log provides indications for two authentications. For more information, see Security best practices. Yes - Log provides indications about two authentications (default). No - Log does not provide indications about two authentications. |
VerboseError | Whether or not error details are provided in the Windows Event Viewer or syslog. Yes - Logs and responses include error details. No - Logs and responses are replaced with a generic message. Detailed logs and responses appear only in APPConsole.log (default). |
Archive logs in the Vault
The following parameters in the main configuration file specify when the log file is archived on the local machine:
Parameter | Description |
---|---|
LogRetentionOnSizeMB | The size (in MB) at which the log files are moved to a subfolder of the Logs folder. New log files are started automatically. The default value is 25 MB. |
LogRetentionOnTimeIntervalMinutes | The number of minutes after which the log files are moved to a subfolder of the Logs folder. New log files are started automatically. |
Delete old logs
The following parameters in the main configuration file specify when old log files are deleted:
Parameter | Description |
---|---|
OldLogsRetention | The number of days that trace and console log files are saved, after which they are deleted. By default, log files are saved for 30 days. The Credential Provider automatically searches every hour for log files to delete; this cannot be configured. To prevent old log files from being deleted, specify 0 (zero). |
OldAuditLogsRetention | The number of days that audit log files stored in the ‘Old’ subfolder of the Logs folder are saved, after which they are deleted. By default, old audit log files are saved for 90 days. The Credential Provider automatically searches for log files to delete every hour; this cannot be configured. To prevent old log files from being deleted, specify 0 (zero). |
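A check for the debug-level, VerboseError and retention parameters described above, as an added example that is not vendor code: it parses a configuration snippet and reports values that differ from the documented defaults in ways that affect log exposure and retention. The `Name=Value` file syntax, the function names and the sample contents are assumptions constructed for illustration.

```python
# Documented defaults, taken from the parameter tables on this page.
DEFAULTS = {
    "AppProviderDebugLevels": "0", "ProtocolDebugLevels": "0",
    "CacheDebugLevels": "0", "AuthenticationLogs": "Yes", "VerboseError": "No",
    "OldLogsRetention": "30", "OldAuditLogsRetention": "90",
}
# Highest debug level documented for each parameter.
MAX_LEVEL = {"AppProviderDebugLevels": 5, "ProtocolDebugLevels": 2, "CacheDebugLevels": 2}

def parse_config(text):
    """Parse Name=Value lines (assumed syntax); skip blanks, comments, [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().strip('"')
    return settings

def audit(settings):
    """Return (parameter, finding) pairs; unset parameters use the default."""
    findings = []
    for name, default in DEFAULTS.items():
        value = settings.get(name, default)
        if name in MAX_LEVEL:
            # Debug levels are a comma-separated list of integers.
            levels = [v.strip() for v in value.split(",") if v.strip()]
            bad = [v for v in levels if not v.isdigit() or int(v) > MAX_LEVEL[name]]
            if bad:
                findings.append((name, "undocumented level(s): " + ",".join(bad)))
            elif set(levels) - {"0"}:
                findings.append((name, "trace logging enabled: " + ",".join(levels)))
        elif name == "VerboseError" and value.lower() == "yes":
            findings.append((name, "error details included in logs and responses"))
        elif name == "AuthenticationLogs" and value.lower() == "no":
            findings.append((name, "authentication indications disabled"))
        elif name.startswith("Old") and value == "0":
            findings.append((name, "old logs are never deleted"))
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = "AppProviderDebugLevels=1,2,7\nProtocolDebugLevels=0\nCacheDebugLevels=1\nVerboseError=Yes\nOldLogsRetention=0\n"

if __name__ == "__main__":
    for name, message in audit(parse_config(SAMPLE)):
        print(f"{name}: {message}")
```
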