Retrieve Okta Agent logs for the Active Directory (AD), LDAP, IWA, and RADIUS agents to troubleshoot connectivity, synchronization, and authentication issues. Locate the log files by navigating to the specific agent installation directories, and enable verbose logging for the AD Agent or debug logging for the LDAP Agent by modifying the respective configuration files.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- AD Agent
- LDAP Agent
- IWA Agent
- RADIUS Agent
How are Active Directory Agent logs retrieved and configured?
How to retrieve Active Directory Agent logs
Retrieve the Okta AD Agent logs by navigating to the installation directory and locating the continually updated log files.
- On the system running the affected AD Agent, navigate to the logs directory in the AD Agent install directory. The default folder location is C:\Program Files (x86)\Okta\Okta AD Agent\logs.
- Locate the most recent log file named Agent.log. Older log files include a number appended to the filename (for example, Agent-1.log), with each successive number representing an older log file.
- Review the log files, which have a 5 megabyte (MB) size limit and are continually updated with new information. The files roll over when they reach the size limit.
- Review the InstallUtil.log file for information related to both installations and updates.
- Review the Service.log file for details on when the Okta AD Agent Windows service starts and stops.
How to enable verbose logging for the Active Directory Agent
Enable verbose logging for the Okta AD Agent by modifying the configuration file and restarting the service.
- On the system running the affected AD Agent, navigate to the AD Agent install directory. The default folder location is C:\Program Files (x86)\Okta\Okta AD Agent.
- Open the OktaAgentService.exe.config file with a text editor.
- Change the value from:
  <add key="VerboseLogging" value="False" />
  to:
  <add key="VerboseLogging" value="True" />
- Save the changes.
- Restart the AD Agent service by navigating to Services, right-clicking Okta AD Agent, and selecting Restart.
NOTE: Okta strongly recommends disabling verbose logging after troubleshooting is complete, as the process quickly generates a significant number of log entries.
How are LDAP Agent logs retrieved and configured?
How to retrieve LDAP Agent logs
Retrieve the Okta LDAP Agent logs by navigating to the installation directory on either Windows or Linux systems and locating the continually updated log files.
- On the system running the affected LDAP Agent, navigate to the logs directory in the LDAP Agent install directory. On Windows, locate this directory in C:\Program Files\Okta\Okta LDAP Agent\logs. On Linux, locate this directory in /opt/Okta/Okta LDAP Agent/logs.
- Locate the most recent log file named Agent.log. Older log files include a number appended to the filename (for example, Agent-1.log), with each successive number representing an older log file.
- Review the log files, which have a 20 MB size limit and continually update with new information. The files roll over when they reach the size limit.
- Review the pid.info file to find the current process identifier (PID) for the Okta LDAP Agent.
- Review the stdout.log file to find the current Agent service status information, such as the type of crypto suites found and the number of working connections.
How to enable debug logging for the LDAP Agent
Enable debug logging for the Okta LDAP Agent by modifying the logback configuration file and restarting the service.
- On the system running the affected LDAP Agent, navigate to the LDAP Agent configuration directory. On Windows, locate this directory in C:\Program Files\Okta\Okta LDAP Agent\conf. On Linux, locate this directory in /opt/Okta/Okta LDAP Agent/conf.
- Open the logback.xml file with a text editor.
- Change the value from:
  <maxIndex>5</maxIndex>
  to:
  <maxIndex>20</maxIndex>
This value represents the maximum number of log files written. When using debug logging, increase this number to 20 to compensate for the additional logging.
- Change the value from:
  <logger name="com.okta.ldap_agent" level="INFO">
  to:
  <logger name="com.okta.ldap_agent" level="DEBUG">
This value represents the type of logging performed by the LDAP Agent.
- Save the modified file.
- Restart the Okta LDAP Agent service.
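A check for troubleshooting settings left switched on, covering the AD Agent VerboseLogging key and the LDAP Agent logger level and maxIndex described above. This is an added example, not Okta code; the sample XML is constructed and assumes only the elements shown on this page, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments; real config files contain more settings.
SAMPLE_AD_CONFIG = """<configuration><appSettings>
  <add key="VerboseLogging" value="True" />
</appSettings></configuration>"""

SAMPLE_LOGBACK = """<configuration>
  <appender name="FILE"><rollingPolicy><maxIndex>20</maxIndex></rollingPolicy></appender>
  <logger name="com.okta.ldap_agent" level="DEBUG"><appender-ref ref="FILE" /></logger>
</configuration>"""


def ad_verbose_enabled(config_xml):
    """True if an <add key="VerboseLogging"> element has the value "True"."""
    root = ET.fromstring(config_xml)
    return any(
        el.get("key") == "VerboseLogging"
        and (el.get("value") or "").strip().lower() == "true"
        for el in root.iter("add")
    )


def ldap_logging_state(logback_xml):
    """Return (level, maxIndex) for the com.okta.ldap_agent logger."""
    root = ET.fromstring(logback_xml)
    level = None
    for logger in root.iter("logger"):
        if logger.get("name") == "com.okta.ldap_agent":
            level = (logger.get("level") or "").upper()
    max_index = next(
        (int(el.text) for el in root.iter("maxIndex")
         if (el.text or "").strip().isdigit()),
        None,
    )
    return level, max_index


def findings(ad_xml, logback_xml):
    """List the troubleshooting settings that are still enabled."""
    out = []
    if ad_verbose_enabled(ad_xml):
        out.append("AD Agent: VerboseLogging is True")
    level, max_index = ldap_logging_state(logback_xml)
    if level == "DEBUG":
        out.append(f"LDAP Agent: com.okta.ldap_agent at DEBUG (maxIndex={max_index})")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_AD_CONFIG, SAMPLE_LOGBACK):
        print(line)
```

To check a live host, read OktaAgentService.exe.config and logback.xml from the directories listed above and pass their contents to findings().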
How are IWA Agent logs retrieved?
Retrieve the logs generated by Microsoft Internet Information Services (IIS) for the Okta IWA Agent by navigating to the IIS log directory.
- On the system running the affected IWA Agent, navigate to C:\inetpub\logs\LogFiles\W3SVC1\.
- Locate the log files. IIS generates one file per day.
NOTE: These logs contain <DOMAIN\sAMAccountName>. Redact as necessary.
How are RADIUS Agent logs retrieved?
Retrieve the Okta RADIUS Agent logs by navigating to the installation directory and locating the troubleshooting file.
- On the system running the affected RADIUS Agent, navigate to the logs directory in the RADIUS Agent install directory. The default folder location is C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs.
- Locate the okta_radius file, which contains the troubleshooting information most likely to be required by Okta Support.
