How to obtain logs
There may be a number of processes involved in PolicyKit. The architecture is explained in more detail in the polkit(8) man page.
Unfortunately, there is no unified logging mechanism implemented in the framework itself. This implies the fact that there is no single config option to turn the logging on and observe the results in a predefined file. Instead, one needs to apply some actions to an individual PolicyKit process - depending on what symptoms or which part of the process needs to be examined.
Some signs of PolicyKit operation may be found in /var/log/auth.log, but if anything beside that is required (and in case of any PolicyKit issue probably will, as auth.log entries are rather brief) some extra actions need to be undertaken.
The PolicyKit implementation makes extensive use of GLib. That is also true for printing debug messages. Since version 2.32 the debug messages are disabled by default, some additional effort is required to enable them. For more details please see the GLib documentation.
In this case:
should enable the binaries to produce more verbose output.
polkitd provides the org.freedesktop.PolicyKit1 D-Bus service on the system message bus. It is started automatically by the D-Bus daemon on first request to the service. This is set up in /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service. To capture polkitd debug output the Exec= section of this file may be modified in the following way:
Exec=/bin/sh -c 'G_MESSAGES_DEBUG=all /usr/lib/policykit-1/polkitd > /tmp/polkitd.log 2>&1'
Killing the polkitd process with sudo killall polkitd or restarting the system should allow to capture all polkitd output in the /tmp/polkitd.log file.
The libpolkit-agent-1 of the framework in Ubuntu is implemented by the polkit-gnome-authentication-agent-1 process. It is autostarted on the desktop thanks to the following file: /etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop This could be modified in a manner similar to /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service, but a session restart would be required to reflect the changes to the file. A better solution may be to run:
killall -q polkit-gnome-authentication-agent-1 ; \ POLKIT_DEBUG=1 G_MESSAGES_DEBUG=all \ /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 2>&1 \ > /tmp/polkit-gnome-authentication-agent-1.log &
This will stop the polkit-gnome-authentication-agent-1 process (if running) and restart it redirecting all output (including the desired debugging information) to /tmp/polkit-gnome-authentication-agent-1.log. Please note that there is another variable set in this case: POLKIT_DEBUG=1. This enables the full debugging output available in this section of the PolicyKit implementation.
Even more detailed output
If the amount of information provided by performing the above action is still insufficient rebuilding the policykit-1 package with the PAH_DEBUG define may prove useful.
The easiest way to make use of it is to uncomment its definition in the <polkit-source-code>/src/polkitagent/polkitagenthelperprivate.h file. This will make the debug logs very verbose and should provide enough information of any step undertaken by the authentication agent.