Piyush,
The AZN_CREDS_GROUP attribute is a multi-valued attribute and unfortunately the '%C' logging directive will only include the first attribute value.
The only way which I can think to overcome this issue is to create a Lua transformation rule which adds a new attribute to the credential during authentication which is a concatenation of the groups contained within AZN_CREDS_GROUP. This new attribute can then be used in the logging directive. The Lua transformation rule should be simple to write (see:
https://www.ibm.com/docs/en/sva/11.0.1?topic=scenarios-adding-attributes-credential).
I hope that this helps.
Scott Exton
IBM Verify platform architect
IBM Master Inventor
1 Corporate Court, Bundall, QLD 4217.
E-mail: scotte@au1.ibm.com
Original Message:
Sent: 11/17/2025 1:33:00 PM
From: Piyush Agrawal
Subject: RE: Log Latency : Webseal request-log-format
Hello @Scott,
Referring to the old thread here,
I want to log users' groups in the request logs using:
However, in the session, the user has many groups, but the log line only shows one group.
Do you know of any workaround or remedy to log all groups instead of just one?
------------------------------
Piyush Agrawal
https://www.linkedin.com/in/piyush-norway/
Gjensidige Norway
------------------------------
Original Message:
Sent: Tue May 14, 2024 06:12 PM
From: Scott Exton
Subject: Log Latency : Webseal request-log-format
I believe that you have two options here:
- You can add the '%F' and '%J' format specifiers to the request log. The '%F' specifier will show you how long it took WebSEAL to process the request, from the time that it received the request until it sends the response back to the client. The '%J' specifier will show you how long the junction processing took, from the time that the request was sent to the junctioned server until the response was received. If you subtract the '%J' value from the '%F' value you will find out how much time the request spent within the WebSEAL server.
- If this is not a permanent change and you just want to debug where time is being spent you can use WebSEAL statistics. See the documentation for further information: https://www.ibm.com/docs/en/sva/10.0.7?topic=auditing-working-local-statistics. You also have the option of sending statistical information to a remote statsd server: https://www.ibm.com/docs/en/sva/10.0.7?topic=monitoring-sending-statistics-statsd.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 5/14/2024 5:32:00 AM
From: Piyush Agrawal
Subject: Log Latency : Webseal request-log-format
Dear IBM Community,
We are currently experiencing some network performance issues. Specifically, we want to ascertain whether the delays are occurring within WebSEAL itself or in the network communication between WebSEAL and our backend junction server.
To achieve this, we require detailed logging information that accurately captures the time taken by the backend junction server to process each request.
Based on https://www.ibm.com/docs/en/sva/10.0.6?topic=stanza-request-log-format Here are the specific log parameters we have used so far:
- latency: "%J"
- end_to_end_latency: "%F"
We are seeking guidance on the optimal log format and any additional parameters that could help us isolate and measure the backend processing time accurately.
Questions:
- Are there any additional or alternative log parameters that can give us more precise insights into the backend junction server processing times?
- How can we configure our logs to distinguish between the time spent within WebSEAL and the time spent in network transit to the backend junction server?
Thank you for your support and expertise.
------------------------------
Piyush Agrawal
https://www.linkedin.com/in/piyush-norway/
Gjensidige Norway
------------------------------