Logging and Troubleshooting
In HelloID, logging plays an important role. Using the Identity and Access Management (IAM) solution, you automate account provisioning and entitlement assignment. The processes occur primarily in the background, which can be both a benefit and a challenge. You want to prevent any errors from going unnoticed and always be able to determine why a specific action was performed. HelloID logging provides this insight and enables troubleshooting of any issues. In this blog, you will learn more about logging in HelloID, the distinction between functional and technical logging, and how to use log files for troubleshooting.
Why is Logging Important?
With HelloID, you automate IAM within your organization to a significant degree. HelloID acts as an intermediary between your source system, such as an HR system, and target systems such as Active Directory (AD), Azure AD, or Google Workspace. The IAM solution can provision accounts and entitlements to target systems and can also write data back to your HR system.
Since HelloID automates this process to a large extent, the solution performs many actions that are not immediately visible. Reports and logging give you a look under the hood and allow you to closely monitor the operation of HelloID and any agents the IAM solution uses. All actions are recorded, so you can always determine what HelloID did, why an action was performed, when it occurred, and whether it was successful.
What is Functional Logging?
When discussing logging, it is important to distinguish between functional and technical logging. Functional logging gives you insight into when a user was granted which entitlements and through which role. Why was this role applied to this specific user?
This information is highly relevant for audits. Functional logging allows you to demonstrate that entitlements were granted only to the right people and, for example, that you revoked access for someone who is leaving promptly. Consider also the transition of an employee to a new role, which can trigger multiple actions. Think of granting new entitlements and revoking old entitlements. Thanks to functional logging, you can peel back this process from A to Z like an onion.
Functional logging also helps answer employees' questions. A colleague may expect certain entitlements as part of a new role, only to find that this is not the case. Functional logging shows in detail why this is the case and which steps in the provisioning process were executed.
What is Technical Logging?
Technical logging provides insight into the processes that take place behind the scenes. If something goes wrong, the cause can be a technical issue. With technical logging, you can determine in detail what goes wrong, why it happens, and how to resolve it.
Technical logging can also help answer functional questions. If functional logging shows that an employee did not receive certain entitlements when they should have, you can find the exact cause in the technical logs. Examples include an outage at an external partner you use, an unstable internet connection, or connector issues that prevented HelloID from retrieving or writing the required information.
Stateful
It is also important to note that HelloID is stateful. In practice, this means the IAM solution maintains its own bookkeeping, remembers what it executed earlier, and whether those processes succeeded or failed. This allows the logging to be linked to the actions performed, providing significant insight. If, for example, a process scheduled for July 1 failed and was finally executed on October 1, you can trace these executions in the logs and see the underlying issue.
This is crucial for auditing. With HelloID logging, you can show the complete chain of processing related to, for example, the transition of a specific employee, from the initial change in the HR system to the entitlements granted for the new role. You can also demonstrate how you handled unexpected issues. The process is transparent from A to Z.
Where Can You Find the Logging?
HelloID logging is relatively easy to access. You can view the functional logging through the HelloID provisioning dashboard. Our functional logging is designed so that you can find all the information you need there. As a rule, you do not need to consult the technical logging. If the information from the functional logging does not go far enough and you want to look under the hood, you can do so through the technical logs related to the HelloID Agents.
The way HelloID handles technical logging varies by agent. Do you use a cloud-to-cloud implementation? The HelloID Cloud Agent executes the HelloID processes. As a customer, you have little to no maintenance to perform here. Tools4ever monitors the HelloID Cloud Agent for you. If errors happen, Tools4ever takes action without any effort on your part.
If you use a local agent, you, as the customer, have direct access to these log files. In that case, the log files are located on the system where the HelloID agent is installed. This is a Windows server running in your own IT environment. The files are stored in the ProgramData folder, where you will find a Tools4ever subfolder. This folder contains additional folders with log files for the agents for provisioning, directory, and service automation. The logging is stored in a .txt file that you can open with any text editor.
All actions that the agent performs are recorded in the log file with a timestamp accurate to one hundredth of a second. You can see exactly which actions HelloID executed when and in what order. For example, if you perform on-premises Active Directory (AD) tasks through the Provisioning Agent, you will find these tasks in the logs related to the Provisioning Agent as well.
Monitoring Log Files
The logs give you a detailed view of what happens under the hood of HelloID. This provides important benefits. By actively monitoring the logs, you can detect potential issues early, before users encounter problems. With this information, you can take proactive action if something goes wrong.
Log files also help verify changes you make in HelloID. Although you can validate every change in advance by using a dry run, among other methods, it is also useful to verify after go-live that everything functions as expected. Log files make this possible. We therefore recommend that you monitor the logs closely during changes, rather than consulting them only when issues arise.
Note: log files are only accessible if you, as the customer, manage the infrastructure yourself. If you outsource this to Tools4ever, we manage the logging, and you do not need to look after it.
Troubleshooting
You may encounter error messages in the logs. Our documentation provides an overview of common error messages in log files. The way you resolve issues varies and depends on the nature of the problem you identify. The documentation also provides guidance for resolving these errors.
Error messages vary by agent, source or target system, and task performed. An overview of the most common error messages is available on the forum. Note: this overview is only an example.
Notifications
In some cases, a problem requires immediate attention from an administrator. For example, if issues can have a major impact on the operation of HelloID. Consider an agent being unavailable or unable to execute critical tasks. In this case, we are referring to an incident.
The HelloID administrator dashboard provides a clear overview of any incidents. You can see at a glance all issues that require your immediate attention. This allows you to address them quickly and effectively, thereby minimizing their impact.
You can also set up a notification for incidents, so HelloID informs you by email immediately when an incident occurs. You can find more information here.
Get Started
Would you like to get started with HelloID’s functional and technical logging? Watch this video as well, which covers troubleshooting the agents for provisioning, directory, and service automation. Do you have questions? Contact us; our experts are ready to support you.