000030219 - How to turn on debug logging for RSA Identity Governance & Lifecycle AFX connectors in 7.0.1 and higher

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Oct 27, 2019
Version 6

Article Content

Article Number: 000030219
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x
Issue
Debug logging is extremely useful and informative for troubleshooting RSA Identity Governance & Lifecycle AFX connectors. This article describes the steps to enable AFX connector debug logging in RSA Identity Governance & Lifecycle version 7.0.1 and higher.

A large amount of output is written to the following AFX logs, but it generally does not provide the level of detail required to troubleshoot a specific AFX connector:
  • $AFX_HOME/esb/logs/mule_ee.log
  • $AFX_HOME/esb/logs/esb.AFX-MAIN.log
Output for connector-specific issues is written to a connector-specific AFX log file named in the format:
 
$AFX_HOME/esb/logs/esb.AFX-CONN-<connector_name>.log


The information logged to these connector-specific log files can be very useful when troubleshooting specific AFX connector issues. The amount of logging that is written to these connector-specific logs is controlled by two flags: INFO and DEBUG. By default the INFO flag is enabled. To log additional data to a connector-specific log file, the DEBUG flag can be enabled. 

 


NOTE: The connector_name is the name of the connector, which correlates to a name column in an internal database table. This name may or may not be the same as the display name seen in the RSA Identity Governance & Lifecycle user interface under AFX > Connectors.
Resolution
To enable connector-specific debug logging, perform the following steps as the afx user. In this example, the display name of the connector is Active Directory Connector and the name of the connector log file is $AFX_HOME/esb/logs/esb.AFX-CONN-Active_DirectoryConnector.log.


  1. Edit the $AFX_HOME/esb/apps/AFX-CONN-<connector_name>/classes/log4j.xml file to change the log level from INFO to DEBUG. In this example the filename is: $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector/classes/log4j.xml.

     cd $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector/classes
     vi log4j.xml

  2. Edit the .xml using the following syntax:

     <logger name="org.mule.api.processor.LoggerMessageProcessor">
     <!-- <level value="INFO"/> -->
     <level value="DEBUG"/>
     </logger>

  3. For the changes to take effect immediately, touch the $AFX_HOME/esb/apps/AFX-CONN-<connector_name>/mule-config.xml file. In this example the file location is: $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector/mule-config.xml.

     cd $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector
     touch mule-config.xml

WARNING: Do NOT restart the AFX server or edit the AFX connector in the RSA Identity Governance & Lifecycle user interface, as these actions will override the debug settings just made.

  4. The next time you use the connector (or test the connector capabilities), you will see the debug output in the $AFX_HOME/esb/logs/esb.AFX-CONN-<connector_name>.log. For example, $AFX_HOME/esb/logs/esb.AFX-CONN-Active_DirectoryConnector.log.
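
The steps above as a shell helper, added here as an example (not RSA's own code). The function names and the .orig backup file are assumptions, and the helper rewrites the level in place instead of commenting out the INFO line.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; file paths follow the article.
LOGGER='org.mule.api.processor.LoggerMessageProcessor'

# Path of a connector's log4j.xml; $1 = connector_name (e.g. Active_DirectoryConnector)
afx_log4j_path() {
    printf '%s/esb/apps/AFX-CONN-%s/classes/log4j.xml\n' \
        "${AFX_HOME:?AFX_HOME is not set}" "$1"
}

# Print the active (non-commented) level of the connector's message logger.
afx_connector_log_level() {
    sed -n "/<logger name=\"$LOGGER\"/,/<\/logger>/{
        /<!--/!s/.*<level value=\"\([A-Z]*\)\".*/\1/p
    }" "$(afx_log4j_path "$1")"
}

# Steps 1-3: switch only that logger from INFO to DEBUG, then touch mule-config.xml.
afx_enable_connector_debug() {
    cfg=$(afx_log4j_path "$1") || return 1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }
    [ -f "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig"   # one-time backup (assumed name)
    tmp=$(mktemp) || return 1
    sed "/<logger name=\"$LOGGER\"/,/<\/logger>/{
        /<!--/!s/<level value=\"INFO\"/<level value=\"DEBUG\"/
    }" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"        # cat keeps owner and mode
    rm -f "$tmp"
    touch "$AFX_HOME/esb/apps/AFX-CONN-$1/mule-config.xml"
    # Fails if the logger block is missing or its level did not become DEBUG.
    [ "$(afx_connector_log_level "$1")" = DEBUG ]
}

# Put the backed-up configuration back once troubleshooting is finished.
afx_restore_connector_logging() {
    cfg=$(afx_log4j_path "$1") || return 1
    [ -f "$cfg.orig" ] || { echo "no backup for $1" >&2; return 1; }
    cat "$cfg.orig" > "$cfg" && rm -f "$cfg.orig"
    touch "$AFX_HOME/esb/apps/AFX-CONN-$1/mule-config.xml"
}
```

Source the file as the afx user and run, for example, afx_enable_connector_debug Active_DirectoryConnector. Debug output includes the full request payload, as in the sample under Notes, so call afx_restore_connector_logging when troubleshooting is finished.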

To enable debug logging pre-7.0.1, please see RSA Knowledge Base Article 000033429 -- How to turn on debug logging for RSA Identity Governance & Lifecycle AFX connectors in 7.0.0, 6.9.1 and 6.8.1.
Notes
Here is an example of adding an account to an AD group with debug enabled.

2019-10-21 15:13:28.327 [DEBUG] org.mule.api.processor.LoggerMessageProcessor:121 - XML Payload from JMS:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Envelope xmlns="http://aveksa.com/afx/messages/primary">
    <Header>
        <version>1.0</version>
        <appid>ACM</appid>
        <crid>13</crid>
        <type>response</type>
        <callback>NA</callback>
        <afxid>66132122-4890-4fa0-93f7-d9f11b7c1898</afxid>
        <async-callback>false</async-callback>
        <async-callback-url>http://localhost:8089/callback/66132122-4890-4fa0-93f7-d9f11b7c1898</async-callback-url>
        <testmessage>false</testmessage>
    </Header>
    <Body>
        <Request timestamp="2019-10-21T15:13:20.674-04:00" id="1">
            <epid>Active_DirectoryConnector</epid>
            <verb name="AddAccountToGroup">
                <parameters>
                    <parameter name="Account">CN=Book\, Rita,OU=SE,OU=vcloud Users,DC=2k8r2-vcloud,DC=local</parameter>
                    <parameter name="Group">CN=G1,OU=vcloud Users,DC=2k8r2-vcloud,DC=local</parameter>
                </parameters>
            </verb>
            <Response timestamp="2019-10-21T15:13:28.299-04:00">
                <status>
                    <code>0</code>
                    <brief>Success</brief>
                    <detailed></detailed>
                </status>
            </Response>
        </Request>
    </Body>
</Envelope>


 
