Keyfactor Universal Orchestrator
The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. provides extensive logging for visibility and troubleshooting. For more information about troubleshooting, see Troubleshooting.
By default, the Keyfactor Universal Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. generates logs at the INFO logging level and stores logs for two days before deleting them. If you wish to change these defaults, follow the directions below for your installation type.
Understanding Log Files
Log files by default are generated using the following layout:
-
Timestamp: The date and time the log was generated, in
Example: -
Correlation ID: A randomly generated GUID that identifies all log messages from a single request. It typically appears immediately after the timestamp.
Example:The correlation ID appears at all logging levels.
-
Audit History ID: The audit history ID for the job, which correlates to the AuditId in the orchestrator job status record.
Example: 590300 -
Logger Name: The fully qualified class or namespace where the log message originated. Useful for filtering or tracing specific components.
Example: -
Log Level: Indicates the severity of the message—ranging from Trace and Debug (low-level detail) to Info, Warn, Error, and Fatal (critical failures).
-
Message: The main content of the log entry. This may include descriptive text, data values, or stack traces in the case of errors.
Example: The 'Keyfactor.Extensions.Orchestrator.RemoteFile.Inventory' job with Id '725b42f2-f4b5-46cd-959c-ccd7dd15b2f9' finished successfully under session '054b2df7-64f9-4b78-8ecb-d63839bb254f'Note: At Trace level, a message appears indicating that the orchestrator ID has been added to the request headers for delivery to the orchestrator API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command.. For example:
Adding the orchestrator id, 'ae32ef01-cdcd-43f9-b507-852a83316da3', to the request headers for session, '054b2df7-64f9-4b78-8ecb-d63839bb254f'This ID can then be found in messages in the Orchestrator API log.
The above references as found in a full log entry would look like:
Modify Logging Configuration
Windows Installations
- On the Windows server where you wish to adjust logging, open a text editor (e.g., Notepad) using the “Run as administrator” option.
-
In the text editor, browse to open the Nlog.config file for the Universal Orchestrator. The file is located in the configuration directory within the install directory, which is the following directory by default:
C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration -
Your Nlog.config file may have a slightly different layout than shown here, but it will contain the five fields highlighted in Figure 520: Universal Orchestrator on Windows NLog.config File. The fields you may wish to edit are:
-
variable name="logDirectory" value="logs/"
The path to the log file location.
Important: If you choose to change the path for storage of the log files, you will need to create the new directory (e.g., D:\KeyfactorLogs) and grant the Universal Orchestrator service account under which the Keyfactor Orchestrator Service is running full control permissions on this directory. -
fileName="${logDirectory}/Log.txt"
-
archiveFileName="${logDirectory}/Log_Archive_{#}.txt"
The path and file name of previous days' orchestrator log files, referencing the logDirectory variable. The orchestrator rotates log files daily and names the previous files using this naming convention.
-
maxArchiveFiles="2"
The number of archive files to retain before deletion.
-
name="*" minlevel="Info" writeTo="logfile"
The level of log detail that should be generated and output to the log file. The default INFO level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to DEBUG or TRACE. Available log levels (in order of increasing verbosity) are:
-
OFF—No logging
-
FATAL—Log severe errors that cause early termination
-
ERROR—Log severe errors and other runtime errors or unexpected conditions that may not cause early termination
-
WARN—Log errors and use of deprecated APIs, poor use of APIs, “almost” errors, and other runtime situations that are undesirable or unexpected but not necessarily “wrong”
-
INFO—Log all of the above plus runtime events (startup/shutdown)
-
DEBUG—Log all of the above plus detailed information on the flow through the system
-
TRACE—Maximum log information—this option can generate VERY large log files
-
The path and file name of the active orchestrator log file, referencing the logDirectory variable.
-
Linux Installations
- On the orchestrator machine where you wish to adjust logging, open a command shell and change to the directory in which the orchestrator is installed. By default this is /opt/keyfactor/orchestrator.
- In the command shell in the directory in which the orchestrator is installed, change to the configuration directory.
-
Using a text editor, open the nlog.config file in the configuration directory. Your nlog.config file may have a slightly different layout than shown here, but it will contain the five fields highlighted in the below figure. The fields you may wish to edit are:
-
variable name="logDirectory" value="logs/"
The path to the log file location.
Important: If you choose to change the path for storage of the log files, you will need to create the new directory (e.g., /opt/kyflogs) and grant the Universal Orchestrator service account under which the keyfactororchestrator-default service is running full control permissions on this directory. -
fileName="${logDirectory}/Log.txt"
-
archiveFileName="${logDirectory}/Log_Archive_{#}.txt"
The path and file name of previous days' orchestrator log files, referencing the logDirectory variable. The orchestrator rotates log files daily and names the previous files using this naming convention.
-
maxArchiveFiles="2"
The number of archive files to retain before deletion.
-
name="*" minlevel="Info" writeTo="logfile"
The level of log detail that should be generated and output to the log file. The default INFO level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to DEBUG or TRACE. Available log levels (in order of increasing verbosity) are:
-
OFF—No logging
-
FATAL—Log severe errors that cause early termination
-
ERROR—Log severe errors and other runtime errors or unexpected conditions that may not cause early termination
-
WARN—Log errors and use of deprecated APIs, poor use of APIs, “almost” errors, and other runtime situations that are undesirable or unexpected but not necessarily “wrong”
-
INFO—Log all of the above plus runtime events (startup/shutdown)
-
DEBUG—Log all of the above plus detailed information on the flow through the system
-
TRACE—Maximum log information—this option can generate VERY large log files
-
The path and file name of the active orchestrator log file, referencing the logDirectory variable.
-
Figure 521: Universal Orchestrator on Linux NLog.config File
Was this page helpful? Provide Feedback