Application logs

Providers of OpenFin applications can have unique, separate logs for each application. App providers can retrieve these logs for later use. When this feature is enabled, anything that the app writes to the console goes to a separate folder and log file in the OpenFin installation directory. With OpenFin app log management, app providers can encrypt and deliver their logs to a remote location managed by OpenFin. Log owners are able to download and decrypt their logs with a private key via OpenFin’s Log Manager API .

How it works

When an app outputs message to the console, that message is written to a log file in the RVM’s installation directory, in the app’s subfolder.

Examples: console.log,, console.warn, console.error

  • Enable app log management in your app manifest: (JSON)
  "licenseKey": "contract_identifier",
  "startup_app": {
    "enableAppLogging": true,
    "logManagement": {
      "enabled": true, 
  • Console output is queued by the runtime and written periodically to a log file by the RVM.

  • When the application closes, the RVM compresses the most recent app log file and places it in an archive folder in the app’s subfolder under the RVM’s installation directory; it then uploads the compressed file to the log manager server.

  • Alternatively, logs can be sent on demand via the runtime API sendApplicationLog (available in runtime 10+) (RVM 4.6+)

  • (Optional) Logs can be associated with a developer-specified username in order to retrieve app logs by a specific username using the setAppLogUsername runtime API (RVM 4.6+, Runtime If a username is set, logs for the session can be retrieved by username via the Log Management Service.


Log management requires RVM and a valid OpenFin licenseKey.

Sample app manifest to enable log management: (JSON)

  "licenseKey": "valid_license_key",
  "runtime": {
    "version": ""
  "startup_app": {
    "name": "MyApp",
    "uuid": "33aa9062-9eb0-4875-b819-c90f38ef03ea",
    "url": "http://localhost:8000/index.html",
    "autoShow": true,
    "defaultWidth": 500,
    "defaultHeight": 500,
    "enableAppLogging": true,
    "logManagement": {
      "enabled": true,
      "encryptionKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxgwkcjRyJlC8kqcUEFKgX+krQBzi7Vq8wppBmIdGRZw1u89z33PfgzPbls8PoOvR7y5e21RgDMCWQA82iIPl0S0EVuTh2KaAd+t/H5uad/P+7WWKOzPBLXGJ8F3wh+DArblDEwe4E4QTYqBgVK3w7+ImI2T+AwGN900jM73uE2D5qUlGMgbtejEd+QF990hoPGP9wc4Uwx2Unn6354eTZQCJmJFQ5lQRFKGrWvP+k3/2Z7rrYvuuA/0uadqWuiJYVlMDrtcWgEfO7JWIl0zMi8g63OkewnSqV8m2JJxyCN1YVUBHvKkLxBne5nAAxKC/Ud3DlOtLLTm1VevcM4P7YQIDAQAB"


All logs are stored on AWS S3 in the us-east-1 region replicated in multiple zones and us-west-1 for increased availability. Data in S3 is encrypted by Amazon. If encryption is enabled, a private key set by the desktop is required to view the logs in human-readable form. OpenFin never deletes the logs; only the customer deletes logs.

API keys

Please contact [email protected] to get an API key.


To encrypt application logs, the App Provider needs to create a public and private RSA key pair, and supply the public key in the app manifest as the startup_app.logManagement.encryptionKey property, encoded in base64.

The following procedure is followed for encryption of the zipped log file:

  1. An AES-256-CBC key K and initialization vector IV are randomly generated.

  2. K and IV are used to encrypt the file, resulting in the ciphertext C_F.

  3. K and IV are encrypted with the user’s RSA public key using RSAES-OAEP with SHA-1, resulting in the encrypted key C_K, and encrypted initialization vector C_IV.

  4. C_F, C_K, and C_IV are uploaded to the log manager.

The decryption process is as follows:

  1. C_F, C_K, and C_IV are retrieved from the log manager with a GET request.

  2. C_K and C_IV are decrypted with the user’s RSA private key, giving the decrypted K and IV.

  3. K and IV are used to decrypt C_F, giving the decrypted file.

Encryption workflow

Diagram illustrating encryption workflow

Decryption workflow

Diagram illustrating decryption workflow