Configure Logging for the Universal Orchestrator

Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers. provides extensive logging for visibility and troubleshooting. For more information about troubleshooting, see Troubleshooting.

By default, the Keyfactor Universal OrchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. generates logs at the INFO logging level and stores logs for two days before deleting them. If you wish to change these defaults, follow the directions below for your installation type.

Logging the Orchestrator ID

The Keyfactor Universal Orchestrator will include the unique ID as part of the APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. request for any Agents or Orchestrators API endpoints.

"AgentId": "3f09be9a-625d-4c67-9bc7-75a87339dd63

When the Nlog level is configured for TRACE, a message will be logged in the Orchestrators log (by default at C:\Program Files\Keyfactor\Keyfactor Orchestrator\logs) that the orchestrator ID was added to the API request. The orchestrator ID will be stored in the orchestratorId configuration field in the orchestrator's appsettings.json configuration file after the initial API request (by default at C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration).

The \WebAgentServices\Configuration\NLog_Orchestrators.config log file will display the correlation token ID regardless of the LogLevel configured. The orchestrator ID will display next to the correlation token in the orchestrators log messages (by default at C:\Program Files\Keyfactor\Keyfactor Orchestrator\logs) after an initial API call.

Modify Logging Configuration
  1. On the Windows server where you wish to adjust logging, open a text editor (e.g. Notepad) using the “Run as administrator” option.

  2. In the text editor, browse to open the Nlog.config file for the Universal Orchestrator. The file is located in the configuration directory within the install directory, which is the following directory by default:

    C:\Program Files\Keyfactor\Keyfactor Orchestrator\configuration

  3. Your Nlog.config file may have a slightly different layout than shown here, but it will contain the five fields highlighted in Figure 612: Universal Orchestrator on Windows NLog.config File. The fields you may wish to edit are:

    • variable name="logDirectory" value="logs/"

      The path to the log file location.

      Important:  If you choose to change the path for storage of the log files, you will need to create the new directory (e.g. D:\KeyfactorLogs) and grant the Universal Orchestrator service account under which the Keyfactor Orchestrator Service is running full control permissions on this directory.
    • fileName="${logDirectory}/Log.txt"

      • The path and file name of the active orchestrator log file, referencing the logDirectory variable.

    • archiveFileName="${logDirectory}/Log_Archive_{#}.txt"

      The path and file name of previous days' orchestrator log files, referencing the logDirectory variable. The orchestrator rotates log files daily and names the previous files using this naming convention.

    • maxArchiveFiles="2"

      The number of archive files to retain before deletion.

    • name="*" minlevel="Info" writeTo="logfile"

      The level of log detail that should be generated and output to the log file. The default INFO level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to DEBUG or TRACE. Available log levels (in order of increasing verbosity) are:

      • OFF—No logging

      • FATAL—Log severe errors that cause early termination

      • ERROR—Log severe errors and other runtime errors or unexpected conditions that may not cause early termination

      • WARN—Log errors and use of deprecated APIs, poor use of APIs, “almost” errors, and other runtime situations that are undesirable or unexpected but not necessarily “wrong”

      • INFO—Log all of the above plus runtime events (startup/shutdown)

      • DEBUG—Log all of the above plus detailed information on the flow through the system

      • TRACE—Maximum log information—this option can generate VERY large log files

Figure 612: Universal Orchestrator on Windows NLog.config File

  1. On the orchestrator machine where you wish to adjust logging, open a command shell and change to the directory in which the orchestrator is installed. By default this is /opt/keyfactor/orchestrator.
  2. In the command shell in the directory in which the orchestrator is installed, change to the configuration directory.

  3. Using a text editor, open the nlog.config file in the configuration directory. Your nlog.config file may have a slightly different layout than shown here, but it will contain the five fields highlighted in the below figure. The fields you may wish to edit are:

    • variable name="logDirectory" value="logs/"

      The path to the log file location.

      Important:  If you choose to change the path for storage of the log files, you will need to create the new directory (e.g. /opt/kyflogs) and grant the Universal Orchestrator service account under which the keyfactororchestrator-default service is running full control permissions on this directory.
    • fileName="${logDirectory}/Log.txt"

      • The path and file name of the active orchestrator log file, referencing the logDirectory variable.

    • archiveFileName="${logDirectory}/Log_Archive_{#}.txt"

      The path and file name of previous days' orchestrator log files, referencing the logDirectory variable. The orchestrator rotates log files daily and names the previous files using this naming convention.

    • maxArchiveFiles="2"

      The number of archive files to retain before deletion.

    • name="*" minlevel="Info" writeTo="logfile"

      The level of log detail that should be generated and output to the log file. The default INFO level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to DEBUG or TRACE. Available log levels (in order of increasing verbosity) are:

      • OFF—No logging

      • FATAL—Log severe errors that cause early termination

      • ERROR—Log severe errors and other runtime errors or unexpected conditions that may not cause early termination

      • WARN—Log errors and use of deprecated APIs, poor use of APIs, “almost” errors, and other runtime situations that are undesirable or unexpected but not necessarily “wrong”

      • INFO—Log all of the above plus runtime events (startup/shutdown)

      • DEBUG—Log all of the above plus detailed information on the flow through the system

      • TRACE—Maximum log information—this option can generate VERY large log files

Figure 613: Universal Orchestrator on Linux NLog.config File