This article is a technical guide to increasing logging levels for dependencies related to the Shibboleth Identity Provider.


All Identity Provider dependencies must be installed and in some kind of functioning state. This matters for identifying the issue itself: if the dependency whose logging level you are altering does not start or function, there will not be any logging information whatsoever.


If you are having any issues with the functioning of your IdP, the first indication of any present or intermittent issues should be available by increasing the verbosity of the logging and then inspecting the various log files for any inconsistencies.

Apache Logs:

Log levels that Apache recognises, from most important to least:

  • emerg: Emergency situations where the system is in an unusable state.
  • alert: Severe situation where action is needed promptly.
  • crit: Important problems that need to be addressed.
  • error: An Error has occurred. Something was unsuccessful.
  • warn: Something out of the ordinary happened, but not a cause for concern.
  • notice: Something normal, but worth noting has happened.
  • info: An informational message that might be nice to know.
  • debug: Debugging information that can be useful to pinpoint where a problem is occurring.
  • trace[1-8]: Tracing information of various levels of verbosity that produces a large amount of information.

When you specify a log level, you are not choosing to log only the messages labeled in that category; you are choosing the least important level that you wish to log.

This means that any levels above the selected level are also logged. For example, if you choose the "warn" log level, messages tagged with warn, error, crit, alert, and emerg will all be logged.

To change the level of logging, edit the file below and set the level of logging that you prefer.

sudo nano /etc/apache2/apache2.conf
. . .
LogLevel warn
. . .

Restart Apache for the change to take effect.

tail -100f /var/log/apache2/access.log

IdP Logs

Logging Levels

The logback system defines 5 logging levels (TRACE, DEBUG, INFO, WARN, ERROR). As you progress from the highest level (ERROR) to the lowest level (TRACE) the amount of information logged increases (dramatically so on the DEBUG and TRACE levels). Each level also logs all messages of the levels above it. For example, INFO also logs WARN and ERROR messages.

To increase the verbosity of logging for your IdP, edit the file $SHIB_HOME/conf/logback.xml


At the very top of the file, change the lines as follows, so that the logging level is set to DEBUG, which is the most verbose logging level.

<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>

<!-- Logs OpenSAML, but not IdP, messages -->
<logger name="org.opensaml" level="DEBUG"/>
<!-- Logs LDAP related messages -->
<logger name="edu.vt.middleware.ldap" level="DEBUG"/>


Then simply watch the log file and restart your IdP server.

tail -100f $SHIB_HOME/logs/idp-process.log 

Jetty Logs

To change the level of logging within Jetty, simply edit the following files within the Jetty configuration and restart the Jetty service.

Changing log level in etc/jetty.xml

<Call class="org.eclipse.jetty.util.log.Log" name="getRootLogger">
  <Call name="setDebugEnabled">
    <Arg type="boolean">true</Arg>
  </Call>
</Call>

Using etc/jetty-logging.xml

You can use etc/jetty-logging.xml to take all System.out and System.err output (from any source) and route it to a rolling log file. To do so, include etc/jetty-logging.xml on Jetty startup.

java -jar start.jar etc/jetty-logging.xml


This will generate a lot of logs, so you will probably want to grep for particular strings, but the cause of the problem you are seeing will very likely be logged somewhere in this file.

Don't forget to decrease the verbosity of logging back to its original state once you've finished debugging the problem, otherwise you run the risk of using up all the space on your log partition.
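
A check for the reminder above, as an added example that is not part of the original article: this shell script lists logback loggers and Apache LogLevel settings that are still at debug or trace verbosity. The function names and the sample files are constructed for illustration, and it assumes one <logger .../> element per line, as in the logback.xml snippet above.

```shell
#!/bin/sh
# Added example: list logging settings that are still at debug verbosity.
# Assumes one <logger .../> element per line, as in the logback.xml snippet.

# Print the names of logback loggers whose level is DEBUG or TRACE.
verbose_loggers() {
    # Strip single-line XML comments so commented-out loggers are ignored.
    sed -e 's/<!--.*-->//' "$1" |
        grep -Ei '<logger[^>]*level="(DEBUG|TRACE)"' |
        sed -e 's/.*name="\([^"]*\)".*/\1/'
}

# Print Apache LogLevel arguments set to debug or trace1-8,
# including per-module forms such as "ssl:debug".
verbose_apache_levels() {
    awk 'tolower($1) == "loglevel" {
             for (i = 2; i <= NF; i++) {
                 lv = tolower($i); sub(/^.*:/, "", lv)
                 if (lv ~ /^(debug|trace[1-8])$/) print $i
             }
         }' "$1"
}

# Constructed sample files (not taken from a real deployment).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/logback.xml" <<'EOF'
<configuration>
  <!-- <logger name="commented.out" level="TRACE"/> -->
  <logger name="edu.internet2.middleware.shibboleth" level="DEBUG"/>
  <logger name="org.opensaml" level="INFO"/>
  <logger name="edu.vt.middleware.ldap" level="DEBUG"/>
</configuration>
EOF
cat > "$demo/apache2.conf" <<'EOF'
# LogLevel debug
LogLevel warn ssl:debug
EOF

for name in $(verbose_loggers "$demo/logback.xml"); do
    echo "logback: $name is still at DEBUG/TRACE"
done
for level in $(verbose_apache_levels "$demo/apache2.conf"); do
    echo "apache: LogLevel $level is still set"
done
```

To use it on a real host, point the two functions at $SHIB_HOME/conf/logback.xml and /etc/apache2/apache2.conf instead of the sample files.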