Query Logs

URL:: https://<root>/logs/query
Methods:: GET
Required Capability:: Access allowed with any authorized privilege
Version Introduced:: 10.3.1

Description

The query operation allows you to aggregate, filter, and page through logs written by ArcGIS Enterprise portal. Logs can be queried according to log levels and start and end times, and further filtered by the log code, users associated with the event being logged, the log's source, and by request ID (introduced at ArcGIS Enterprise 11.3).

Queryable log information

Log level

Each logged event has a specific level associated with them. The table below outlines the log level types:

Level	Details
`SEVERE`	Serious problems that require immediate attention. This level only includes severe messages.
`WARNING`	Moderate problems that require attention. This level also includes severe messages.
`Info`	Common administrative messages of the portal, including messages about organization settings being updated. This level also includes severe and warning messages.
`Fine`	Common messages from use of the portal, like names of operations and requests received. This level includes severe, warning, and info messages.
`Verbose`	Messages providing more detail about how the portal fulfills operations and requests. This level includes severe, warning, info, and fine messages.
`Debug`	Highly verbose messages designed for developers and support technicians who want to obtain a better understanding of the portal's state when troubleshooting. Don't use this level in a production environment; it may cause a decrease in performance. If you're not troubleshooting an issue, use the Warning level instead.
`Off`	Logging is turned off. Events are not logged with the portal.

Time

Each logged event records the time the event occurred. Events are organized chronologically, with the most recent event displayed first. Logs can be filtered for a specific time frame by specifying the start and end time for the query. The start time will be the most recent time and the end time will be the earliest time.

Log codes

Each logged event has a code associated with it. The codes are organized into several categories with specific ranges and content. You can specify a specific code or code range to display when querying the logs.

Category	Range	Message Content
`Publishing`	200000–201999	Publishing and deleting hosted services.
`Content management`	202000–203999	Adding, removing, updating, and moving items. Changing item ownership. Sharing items with everyone, the organization, and groups.
`Security`	204000–205999	Built-in or organization-specific user log in. Portal token generation and configuration. Disabling and enabling account sign up. Disabling and enabling the ArcGIS Portal Directory. Importing or exporting a security certificate. Creating, deleting, and disabling users. Changing user role privileges. Creating and deleting custom roles. Disabling and enabling HTTPS and anonymous access. Updating the identity store.
`Organization management`	206000–207999	Customizing the organization home page. Configuration of the gallery, basemaps, display units, utility services, and federated servers. Creating and deleting groups. Adding users to a group and removing users from a group. Invite users to a group or accepting an invitation to a group. Configuration of ArcGIS Pro licenses. ArcGIS Web Adaptor configuration. Modifying the location of the portal content directory. Configuring forward and reverse proxy servers. Exceeding the number of named users authorized for the portal. Editing log setting and deleting logs.
`Installation and upgrade`	208000–209999	Installing and upgrading the software, creating the portal website, and authorizing the software.
`Search index`	210000–211999	Generating the portal's item search index.
`General`	212000–219999	Restarting the portal. Configuring a highly available portal. Other general messages generated through regular use of the portal.

Source component

The source of the logged events are generated from the sharing, administrative, and portal components of the software. Events related to publishing and users are categorized under Sharing. Events related to security and indexing are categorized under Portal Admin. Events related to installing the software are categorized under Portal.

Request IDs

Introduced at 11.3, logs for requests made through the Portal Admin API have a request ID associated with them that can be used to further filter logs. The request ID can be gathered and used during queries in the following way:

Make an initial query request for the Enterprise portal logs to find a log associated with the request. Its recommended that the source is set as PORTAL ADMIN to limit log results to those that would return a request ID. Logs can be further filtered by specifying a time range the request occured within, specifying a log code range, or providing the username of the member who is associated with the request.
Once you've found a log entry for the request, copy the request ID.
Return to the query operation and perform a new request, this time including the request ID as part of the query. You can make queries to different log levels to identify any logs of that type that are associated with the request ID.

Request parameters

Parameter	Details
`level` (Required)	Returns only records with a log level at or more severe than the level specified. The default is `WARNING`. Values: `OFF` \| `SEVERE` \| `WARNING` \| `INFO` \| `FINE` \| `VERBOSE` \| `DEBUG`
`startTime` (Optional)	The most recent time to query. If, after running a request, the `hasMore` response property is `true`, you can retrieve additional log records by running a new request that uses the value you had for the `endTime` parameter in the first request as the value for the `startTime` parameter for the new request. Time can be specified as a portal timestamp (format in `yyyy-mm-ddThh:mm:ss`) or in Unix format. The default is the current date. If the `startTime` parameter is specified, but `endTime` is not, all of the oldest logs are returned up to the start time. Examples Use dark colors for code blocksCopy `1 2 3 4 5 //Timestamp { "startTime": "2015-05-01T13:15:00", ... } //Unix { "startTime": 1430504100, ... }`
`endTime` (Optional)	The oldest time to include in the result set. You can use this to limit the query to the last number of minutes, hours, days, months, and years as needed. Time can be specified as a portal timestamp (format in `yyyy-mm-ddThh:mm:ss`) or in Unix format. The default is the beginning of all logging. If the `endTime` parameter is specified, but `startTime` is not, all of the most recent logs will be returned up to the end time. Examples Use dark colors for code blocksCopy `1 2 3 4 5 //Timestamp { "endTime": "2015-05-01T13:00:00", ... } //Unix { "endTime": "1430503200, ... }`
`filterType`	The filter type. The only accepted value is `json`.
`filter` (Optional)	Filters Enterprise portal logs by a set of filter definitions: `codes`: A comma-separated list of log codes. This list can include specific log code values, a log code range, or a combination of specific log codes and log code ranges. Specyfing a value for the codes filter definition will only return logs that are a match with a specific log code or are within the log code range. `users`: A comma-separated list of organization member usernames. `requestIds`: Introduced at 11.3. An ID associated with a request made using the Portal Admin API. Only logs with a source of `PORTAL ADMIN` will return a request ID. `source`: The source component of the logged event. Accepted values are `*` (meaning all source components are included in the query), `SHARING`, `PORTAL ADMIN`, and `PORTAL`. Tip If any definition is omitted, the query operation will return all logs for that definition area (i.e. all log codes are returned, logs for all organization members are returned, etc.) as long as those logs fall within any other sepcified query parameters. Example Use dark colors for code blocksCopy `1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 //Filtering using log codes, username, and source component filter={ "codes": [ 204000–205999, 212015, 219114 ], "users": [ "admin", "jcho" ], "requestIds": [], "source": ["PORTAL ADMIN"] } //Filtering using request ID filter={ "codes": [], "users": [], "requestIds": ["311bbe1c-a8bc-4cd9-9f73-1b9a12cbf178"], "source": [] }`
`pageSize` (Optional)	The maximum number of log records to be returned by this query. The default is 1000. Example Use dark colors for code blocksCopy `1 pageSize=1000`
`federatedServers` (Required)	Introduced at ArcGIS Enterprise 11.4. Specifies whether logs from federated servers should be included in the query. To include logs from every federated server, set the value for `federatedServers` to `all`. To include logs from a specific federated server, set the value as the server's URL. To exclude federated server logs from the query, leave the value for `federatedServers` empty. Use dark colors for code blocksCopy `1 2 3 4 5 //Include logs from all federated servers federatedServers=all //Include logs from a specific federated server federatedServers=https://machine.domain.com/arcgis`
`f`	The response format. The default is `html`. Values: `html` \| `json` \| `xml` \| `pjson`

Example usage

The following is a sample GET request for the query operation:

Use dark colors for code blocksCopy
https://machine.domain.com/webadaptor/portaladmin/logs/query?level=SEVERE&startTime=1569263675708&endTime=1569212579554&filterType=json&filter={"codes":["201999"],"users":["user1"],"requestIds":[],"source":["Sharing"]}&pageSize=1000&federatedServers=all&f=json

JSON Response example

Use dark colors for code blocksCopy
{
  "hasMore": false,
  "startTime": 1569263675708,
  "endTime": 1569212579554,
  "logMessages": [
    {
      "type": "SEVERE",
      "message": " Failed to delete folder 'user1/testFolder' (id:a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7).  Some items in the folder cannot be deleted.",
      "time": 1569263675708,
      "source": "Sharing",
      "machine": "MACHINE.DOMAIN.COM",
      "user": "user1",
      "code": 219999,
      "elapsed": "",
      "process": "13944",
      "thread": "1",
      "methodName": "",
      "requestID": ""
    },
    {
      "type": "SEVERE",
      "message": " Failed to delete item 'https://machine.domain.com/webadaptor/rest/services/Hosted/testItem/FeatureServer' (id:edf7f18f65604380bb045da9cbe18833) in folder 'user1/testFolder' (id:a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7). Unable to delete item: https://machine.domain.com/webadaptor/rest/services/Hosted/testItem/FeatureServer",
      "time": 1569263645008,
      "source": "Sharing",
      "machine": "MACHINE.DOMAIN.COM",
      "user": "user1",
      "code": 219999,
      "elapsed": "",
      "process": "13944",
      "thread": "1",
      "methodName": "",
      "requestID": ""
    },
    {
      "type": "SEVERE",
      "message": " Failed to delete item 'https://machine.domain.com/webadaptor/rest/services/Hosted/testItem2/FeatureServer' (id:edf7f18f65604380bb045da9cbe18833). Error while deleteing 'edf7f18f65604380bb045da9cbe18833' {\"success\":false,\"error\":{\"message\":\"Delete Service failed for url 'https://machine.domain.com/webadaptor/rest/services/Hosted/testItem2/FeatureServer (Delete service error: \\nException: Read timed out)'\"}}",
      "time": 1569263645008,
      "source": "Sharing",
      "machine": "MACHINE.DOMAIN.COM",
      "user": "user1",
      "code": 219999,
      "elapsed": "",
      "process": "13944",
      "thread": "1",
      "methodName": "",
      "requestID": ""
    }
  ]
}