Enabling security Debug/Trace logging in JBoss EAP 6, 7 and 8
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6
- 7
- 8
- Legacy Security or Elytron
- Any built-in authentication mechanism such as LDAP, SASL, password files, database, etc.
Issue
- What log levels do I enable for security?
- How do I enable / turn on all security logging?
- How do I enable security logging for domain and host controllers?
- How do I debug authentication / authorization?
Resolution
The following logger categories belong to the JBoss EAP security subsystems and emit security entries when their level is set to TRACE or ALL:
org.jboss.security
org.jboss.as.security
org.keycloak
org.picketbox (JBoss EAP 6 / 7 Legacy security)
org.jboss.as.domain.management.security (Management layer security)
org.wildfly.security
org.wildfly.elytron (JBoss EAP 7.1 or later `Elytron` security)
org.jboss.remoting (Some SASL logging)
org.jboss.sasl
See Change logging levels using the CLI command in JBoss EAP 6 / 7 and 8 for the CLI commands to enable this in various modes.
CLI commands for use in standalone mode:
/subsystem=logging/logger=org.jboss.security:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
/subsystem=logging/logger=org.keycloak:add(level=TRACE)
/subsystem=logging/logger=org.picketbox:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)
/subsystem=logging/logger=org.jboss.remoting:add(level=ALL)
/subsystem=logging/logger=org.jboss.sasl:add(level=ALL)
In Domain Mode
To log security for server applications, prefix each line of the standalone script with /profile={name}/, where {name} is the name of the profile in domain.xml. The output appears in domain/servers/{server-name}/log/server.log.
To log security between the domain controller and the slave host controllers, the logging is configured Log4j-style in domain/configuration/logging.properties, and the output appears on each host in domain/log/host-controller.log (the domain controller uses the same file). The levels above look like this:
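The CLI lines above differ between standalone and domain mode only by the /profile={name}/ prefix, and each add needs a matching remove once the investigation is over. The POSIX shell script below is an added example, not part of the Red Hat article: it generates a jboss-cli batch file for either mode from the article's logger list, with add or remove as the action. The profile name is whatever you pass in (full-ha below is only a sample value); pipe the output into jboss-cli.sh --connect --file=...

```shell
#!/bin/sh
# Added example (not from the Red Hat article): emit a jboss-cli batch that
# enables or removes the security loggers for standalone or domain mode.
# Usage: gen_security_logging_cli add|remove [profile-name]
#   profile-name is given only for domain mode and names a profile in domain.xml.

# Logger categories listed in the article, with the level the article uses.
SECURITY_LOGGERS="org.jboss.security=ALL
org.jboss.as.security=ALL
org.keycloak=TRACE
org.picketbox=ALL
org.jboss.as.domain.management.security=ALL
org.wildfly.security=ALL
org.wildfly.elytron=ALL
org.jboss.remoting=ALL
org.jboss.sasl=ALL"

gen_security_logging_cli() {
    action=$1
    profile=$2
    case "$action" in
        add|remove) ;;
        *) echo "usage: gen_security_logging_cli add|remove [profile-name]" >&2; return 1 ;;
    esac
    # Domain mode: every logging resource lives under the named profile.
    prefix=""
    if [ -n "$profile" ]; then
        prefix="/profile=$profile"
    fi
    echo "batch"
    echo "$SECURITY_LOGGERS" | while IFS='=' read -r category level; do
        if [ "$action" = add ]; then
            echo "$prefix/subsystem=logging/logger=$category:add(level=$level)"
        else
            echo "$prefix/subsystem=logging/logger=$category:remove"
        fi
    done
    echo "run-batch"
}

# Demo when run directly: write the standalone "add" batch to stdout, e.g.
#   sh gen-security-logging.sh > enable-security-logging.cli
#   $JBOSS_HOME/bin/jboss-cli.sh --connect --file=enable-security-logging.cli
# For a managed domain pass the profile: gen_security_logging_cli add full-ha
gen_security_logging_cli add
```

Running the batch with the whole list in one transaction means either every logger is created or none is, so a typo in one category (or a category that already exists) does not leave the logging subsystem half configured. Trace-level security logs record authentication details, so generate the matching remove batch and apply it once the problem is diagnosed.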
handler.BOOT_FILE.level=TRACE
...
loggers=org.wildfly.security, org.wildfly.elytron, org.jboss.security, org.jboss.as.security, org.keycloak, org.picketbox, org.jboss.as.domain.management.security, org.jboss.remoting, org.jboss.sasl
logger.org.wildfly.security.level=TRACE
logger.org.wildfly.elytron.level=TRACE
logger.org.jboss.security.level=TRACE
logger.org.jboss.as.security.level=TRACE
logger.org.keycloak.level=TRACE
logger.org.picketbox.level=TRACE
logger.org.jboss.as.domain.management.security.level=TRACE
logger.org.jboss.remoting.level=TRACE
logger.org.jboss.sasl.level=TRACE
Note: The org.wildfly.* loggers have no effect in JBoss EAP 6, because Elytron is only present in JBoss EAP 7.1 or later.
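A common mistake with the host controller configuration above is setting logger.{category}.level for a category that is not also named in the loggers= list, in which case the log manager never configures that logger and the host-controller.log stays silent for it. The POSIX shell script below is an added example, not part of the Red Hat article: it reads a logging.properties file, reports every configured category missing from loggers=, and prints a corrected loggers= line. The sample file it writes is constructed for the demonstration and deliberately omits two categories.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): find loggers that have a
# logger.<category>.level entry in a JBoss logging.properties file but are
# missing from the loggers= list, which is what makes the entry take effect.
# Usage: check_logging_properties /path/to/domain/configuration/logging.properties

check_logging_properties() {
    file=$1
    # Categories named on the loggers= line, one per line, whitespace trimmed.
    declared=$(sed -n 's/^loggers=//p' "$file" | tr ',' '\n' \
               | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    # Categories that have a level configured (root "logger.level=" is not matched).
    configured=$(sed -n 's/^logger\.\(.*\)\.level=.*/\1/p' "$file")
    missing=""
    for category in $configured; do
        if ! printf '%s\n' "$declared" | grep -qxF "$category"; then
            echo "missing from loggers=: $category"
            missing="$missing,$category"
        fi
    done
    if [ -n "$missing" ]; then
        # Suggested replacement: the existing list followed by the missing categories.
        echo "suggested: loggers=$(printf '%s\n' "$declared" | paste -s -d ',' -)$missing"
        return 1
    fi
    return 0
}

# Constructed sample logging.properties (not a real host's file): keycloak and
# sasl have levels set but are absent from loggers=.
write_sample_properties() {
    cat > "$1" <<'EOF'
handler.BOOT_FILE.level=TRACE
loggers=org.wildfly.security, org.wildfly.elytron, org.jboss.security
logger.org.wildfly.security.level=TRACE
logger.org.wildfly.elytron.level=TRACE
logger.org.jboss.security.level=TRACE
logger.org.keycloak.level=TRACE
logger.org.jboss.sasl.level=TRACE
EOF
}

# Demo when run directly: check the constructed sample and show the report.
sample=$(mktemp)
write_sample_properties "$sample"
check_logging_properties "$sample" || true
rm -f "$sample"
```

The script exits non-zero when something is missing, so it can run as a pre-check before a host controller restart; the suggested loggers= line keeps the original order and appends only the categories that were dropped.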
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.