Log Collection and Submission

Section: Operations | Article 42
Audience: System Administrators
Last Updated: 2026-04-07


Overview

RP-PAM writes structured logs in CLEF (Compact Log Event Format) JSON to help with diagnostics, auditing, and support. This article covers where logs are stored, how to read them, and how to collect them for support tickets.


Using the Web Portal

The RP-PAM web portal includes a built-in log viewer and download tool. Navigate to Logs in the sidebar (requires admin or security_admin role).

Log Viewer

The Log Viewer tab lets you search and filter log entries directly in the browser:

  • Type: Filter by log type (Application, Audit, Module, Errors)
  • Level: Filter by severity (Verbose, Debug, Information, Warning, Error, Fatal)
  • Date range: Select From and To dates
  • Search: Free-text search across all log fields

Click any log row to expand it and see the full JSON entry with all fields.

Download Logs

The Download tab lets you download a ZIP archive of log files for a specified date range:

  1. Select the log type (All, Application, Audit, Module, or Errors)
  2. Choose the From and To dates
  3. Click Download ZIP

The browser downloads a .zip file containing all matching log files. This is the recommended way to collect logs for support tickets — no terminal access needed.

Log Files

The Log Files tab shows all log files on the server with their names, sizes, and last modified dates.

Tip: For automated log collection in CI/CD or scripts, use the CLI methods described below.


Log Locations

| Platform | Log Directory | Service Name |
|---|---|---|
| Windows | C:\ProgramData\Ravenphyre\RP-PAM\Logs\ | RpPam |
| Linux | /var/log/rppam/ | rppam (systemd unit) |
| Docker | Container stdout/stderr + /var/log/rppam/ inside the container | rppam container |

Log Files

| File Pattern | Contents |
|---|---|
| rppam-YYYYMMDD.log | Main application log (API requests, service operations) |
| rppam-audit-YYYYMMDD.log | Audit events (logins, grants, revocations, admin actions) |
| rppam-module-YYYYMMDD.log | Module-specific operations (AD, SSH, database connections) |
| rppam-error-YYYYMMDD.log | Errors and exceptions only (subset of main log) |

Logs are rotated daily. By default, RP-PAM retains 30 days of logs. This is configurable in rppam.config:

{
  "logging": {
    "retentionDays": 30,
    "maxFileSizeMb": 100,
    "minimumLevel": "Information"
  }
}

Log Format (CLEF JSON)

Each log line is a self-contained JSON object:

{
  "@t": "2026-04-07T14:30:00.1234567Z",
  "@mt": "Access grant {GrantId} created for user {UserId} on resource {ResourceId}",
  "@l": "Information",
  "GrantId": "abc123",
  "UserId": "user-456",
  "ResourceId": "res-789",
  "SourceContext": "Ravenphyre.RpPam.Core.Services.GrantService",
  "RequestId": "req-001",
  "TraceId": "trace-xyz"
}

Key Fields

| Field | Description |
|---|---|
| @t | Timestamp in UTC (ISO 8601) |
| @mt | Message template (structured log message) |
| @l | Log level: Verbose, Debug, Information, Warning, Error, Fatal |
| @x | Exception details (present only when an exception occurred) |
| SourceContext | The class/service that produced the log entry |
| RequestId | Correlation ID for the HTTP request |
| TraceId | Distributed trace ID (for HA deployments) |

Querying Logs

Because logs are JSON, you can use standard tools to filter them:

PowerShell — Find errors in the last day:

$today = Get-Date -Format "yyyyMMdd"
Get-Content "C:\ProgramData\Ravenphyre\RP-PAM\Logs\rppam-$today.log" |
    ConvertFrom-Json |
    Where-Object { $_.'@l' -eq 'Error' } |
    Format-Table '@t', '@mt' -AutoSize

Linux — Find errors with jq:

cat /var/log/rppam/rppam-$(date +%Y%m%d).log | \
  jq 'select(.["@l"] == "Error") | {time: .["@t"], message: .["@mt"]}'

Docker:

docker logs rppam --since 1h 2>&1 | \
  jq 'select(.["@l"] == "Error")'
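
The filters above assume every line parses. As an added example (not part of RP-PAM or its documentation), the Python below reads CLEF lines, skips a truncated line as advised under Troubleshooting, renders each @mt template from the event's properties, and returns every line that shares a RequestId with an Error or Fatal entry. The sample lines are constructed and the function names are this example's own.

```python
import json
import re
from collections import defaultdict

LEVELS = ["Verbose", "Debug", "Information", "Warning", "Error", "Fatal"]
HOLE = re.compile(r"\{[@$]?(\w+)[^}]*\}")  # {Name}, {@Name}, {Name:format}

def read_clef(lines):
    """Return (events, skipped line numbers); a bad line never raises."""
    events, skipped = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(number)       # e.g. partial write during a crash
            continue
        if isinstance(event, dict) and "@t" in event:
            events.append(event)
        else:
            skipped.append(number)       # valid JSON, but not a CLEF event
    return events, skipped

def level_rank(event):
    # CLEF treats a missing @l as Information; unknown names rank the same.
    level = event.get("@l", "Information")
    return LEVELS.index(level) if level in LEVELS else LEVELS.index("Information")

def render(event):
    """Fill the holes of @mt from the event's own properties."""
    return HOLE.sub(lambda m: str(event.get(m.group(1), m.group(0))), event.get("@mt", ""))

def errors_with_context(events):
    """Map each RequestId that logged Error/Fatal to all of its rendered lines."""
    by_request = defaultdict(list)
    for event in events:
        by_request[event.get("RequestId")].append(event)
    failing = {e.get("RequestId") for e in events if level_rank(e) >= LEVELS.index("Error")}
    return {rid: [render(e) for e in by_request[rid]] for rid in failing if rid}

# Constructed sample: three events, then a line cut off mid-write.
SAMPLE = [
    '{"@t":"2026-04-07T14:30:00.1234567Z","@mt":"Access grant {GrantId} created for user {UserId} on resource {ResourceId}","@l":"Information","GrantId":"abc123","UserId":"user-456","ResourceId":"res-789","RequestId":"req-001"}',
    '{"@t":"2026-04-07T14:30:01.0000000Z","@mt":"Health check OK","RequestId":"req-002"}',
    '{"@t":"2026-04-07T14:30:02.0000000Z","@mt":"Revocation of grant {GrantId} failed","@l":"Error","@x":"System.TimeoutException: ...","GrantId":"abc123","RequestId":"req-001"}',
    '{"@t":"2026-04-07T14:30:03.00',
]
```

To run it against a real file, pass an open file handle to read_clef and report the skipped line numbers alongside the results.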


Collecting Logs for Support

When opening a support ticket, include logs from the relevant time period. Here is how to collect them for each platform.

Windows — Using Compress-Archive

# Collect the last 3 days of logs
$cutoff = (Get-Date).AddDays(-3).ToString("yyyyMMdd")
$logDir = "C:\ProgramData\Ravenphyre\RP-PAM\Logs"
$outputZip = "C:\Temp\rppam-logs-$(Get-Date -Format 'yyyyMMdd-HHmmss').zip"

# Make sure the output directory exists
New-Item -ItemType Directory -Force -Path (Split-Path $outputZip) | Out-Null

# Get log files whose date stamp (YYYYMMDD) is on or after the cutoff
$files = Get-ChildItem -Path $logDir -Filter "rppam-*.log" |
    Where-Object { $_.BaseName -match '-(\d{8})' -and $Matches[1] -ge $cutoff }

# Compress
Compress-Archive -Path $files.FullName -DestinationPath $outputZip

Write-Host "Logs collected: $outputZip"
Write-Host "Size: $([math]::Round((Get-Item $outputZip).Length / 1MB, 2)) MB"

Quick one-liner (last 24 hours):

$today = Get-Date -Format "yyyyMMdd"
Compress-Archive -Path "C:\ProgramData\Ravenphyre\RP-PAM\Logs\rppam-$today*.log" `
    -DestinationPath "C:\Temp\rppam-logs.zip"

Linux — Using tar

# Collect the last 3 days of logs
out="/tmp/rppam-logs-$(date +%Y%m%d-%H%M%S).tar.gz"

# Run find itself under sudo so it can read the log directory
sudo find /var/log/rppam -name "rppam-*.log" -mtime -3 \
  -exec tar czf "$out" {} +

echo "Logs collected: $out"
ls -lh "$out"

Quick one-liner (today only):

sudo tar czf /tmp/rppam-logs.tar.gz /var/log/rppam/rppam-$(date +%Y%m%d)*.log

Docker — Using docker logs

# Export container logs to a file
docker logs rppam --since 72h > /tmp/rppam-container-logs.txt 2>&1

# If you also mount a log volume, include those:
docker cp rppam:/var/log/rppam/ /tmp/rppam-logs/
tar czf /tmp/rppam-logs-docker.tar.gz /tmp/rppam-logs/ /tmp/rppam-container-logs.txt

What to Include in Support Tickets

When contacting Ravenphyre support, include:

| Item | How to Obtain |
|---|---|
| Organization name | Your company name and RP-PAM license ID |
| RP-PAM version | curl http://localhost:7101/system/health/ping or check the portal footer |
| Platform | Windows Server version, Linux distro + version, or Docker image tag |
| Database engine | PostgreSQL version or MSSQL version |
| Description | Clear description of the issue, including when it started |
| Steps to reproduce | If applicable, exact steps to trigger the issue |
| Log files | Compressed logs from the time period of the issue (see above) |
| Screenshots | Portal screenshots if the issue is visual |
| Configuration | Relevant sections of rppam.config (redact passwords and keys) |

Important: Before sending configuration files, redact all passwords, connection strings, and encryption keys. Replace sensitive values with [REDACTED].
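
One way to apply this redaction rule before attaching rppam.config, as an added example that is not Ravenphyre's own tooling: mask values by key name and by credential-looking content, then check that no masked value still appears elsewhere in the file. The key-name fragments and the sample config are assumptions; only the logging keys appear in this article.

```python
import json
import re

# Assumed key-name fragments: this page does not list the secret-bearing keys
# of rppam.config, so adjust the tuple to match your own file.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "connectionstring", "key")
# Values that embed a credential even under an innocent key name.
SENSITIVE_VALUE = re.compile(r"(password|pwd)\s*=|://[^/\s:@]+:[^/\s@]+@", re.I)
MASK = "[REDACTED]"

def redact(config):
    """Return (redacted copy, masked paths, masked values still visible)."""
    masked, secrets = [], set()
    def walk(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                name = re.sub(r"[^a-z0-9]", "", key.lower())
                if any(fragment in name for fragment in SENSITIVE_KEYS):
                    masked.append(child)
                    if isinstance(value, str):
                        secrets.add(value)
                    out[key] = MASK
                else:
                    out[key] = walk(value, child)
            return out
        if isinstance(node, list):
            return [walk(item, f"{path}[{i}]") for i, item in enumerate(node)]
        if isinstance(node, str) and SENSITIVE_VALUE.search(node):
            masked.append(path)
            secrets.add(node)
            return MASK
        return node

    clean = walk(config, "")
    text = json.dumps(clean)
    # A masked value that survives elsewhere (a note, a URL) is still a leak.
    leaks = sorted(s for s in secrets - {MASK}
                   if len(s) >= 4 and json.dumps(s)[1:-1] in text)
    return clean, masked, leaks

# Constructed sample; only the "logging" keys come from this article.
SAMPLE = {
    "logging": {"retentionDays": 30, "minimumLevel": "Information"},
    "database": {"connectionString": "Host=db01;Username=rppam;Password=EXAMPLE-pw-1"},
    "ldap": {"bindUser": "svc-rppam", "bindPassword": "EXAMPLE-pw-2"},
    "notes": "temporary admin login is EXAMPLE-pw-2",
}
```

A non-empty third return value means the file is not ready to send: the listed value was masked in one place but is still readable in another.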


Adjusting Log Levels

If support asks you to increase the log level for diagnosis:

Edit rppam.config and change the minimum level:

{
  "logging": {
    "minimumLevel": "Debug"
  }
}

| Level | Use Case |
|---|---|
| Information | Default — normal operations |
| Debug | Detailed diagnostic information |
| Verbose | Maximum detail (generates large log volumes) |

After changing the level, restart the service:

Windows:

Restart-Service -Name "RpPam"

Linux:

sudo systemctl restart rppam

Remember: Set the level back to Information after diagnosis is complete. Debug and Verbose levels generate significantly more data and can impact disk usage.


Troubleshooting

| Problem | Cause | Solution |
|---|---|---|
| No log files created | Service not running or log directory permissions | Verify the service is running; check directory permissions |
| Logs are empty | Minimum level set too high | Set minimumLevel to Information or lower |
| Disk filling up with logs | Retention too long or level too verbose | Reduce retentionDays or set level to Information |
| Cannot parse log JSON | Log file corrupted (partial write during crash) | Skip malformed lines; the last line may be incomplete |


RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.