This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

How to turn on debug logging to troubleshoot AFX connectors in versions 7.0.1 through 7.5.0 of RSA Identity Governance & Lifecycle

Article Number

000053328

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x, 7.2.x, 7.5.0

Issue

Debug logging is extremely useful and informative for troubleshooting RSA Identity Governance & Lifecycle AFX connectors. This article describes the steps to enable AFX connector debug logging in RSA Identity Governance & Lifecycle version 7.0.1 and higher.

There is quite a bit of logging output into the following AFX logs but it generally does not provide the level of detail required to troubleshoot a specific AFX connector. These logs are:
  • $AFX_HOME/esb/logs/mule_ee.log
  • $AFX_HOME/esb/logs/esb.AFX-MAIN.log
Log output for connector-specific issues is logged to a connector-specific AFX log file of the format:
 
$AFX_HOME/esb/logs/esb.AFX-CONN-<connector_name>.log

The information logged to these connector-specific log files can be very useful when troubleshooting specific AFX connector issues. The amount of logging that is written to these connector-specific logs is controlled by two flags: INFO and DEBUG. By default the INFO flag is enabled. To log additional data to a connector-specific log file, the DEBUG flag can be enabled. 
 
NOTE: The connector_name is the name of the connector which correlates to a name column in an internal database table. This name may or may not be the same as the display name seen in the RSA Identity Governance & Lifecycle user interface under AFX > Connectors

Resolution

To enable connector-specific debug logging, perform the following steps as the afx user.  In this example, the display name of the connector name is Active Directory Connector and the name of the connector log file is $AFX_HOME/esb/logs/esb.AFX-CONN-Active_DirectoryConnector.log.
  1. Edit the $AFX_HOME/esb/apps/AFX-CONN-<connector_name>/classes/log4j.xml file to change the log level from INFO to DEBUG. In this example the filename is: $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector/classes/log4j.xml.

cd $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector/classes
vi log4j.xml
  1. Edit the .xml using the following syntax: 

<logger name="org.mule.api.processor.LoggerMessageProcessor"> 
<!-- <level value="INFO"/> --> 
<level value="DEBUG"/> 
</logger>
  1. For the changes to take effect immediately, touch the file $AFX_HOME/esb/apps/AFX-CONN-<connector_name>/mule-config.xml file. In this example the file location is: $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector/mule-config.xml.

cd $AFX_HOME/esb/apps/AFX-CONN-Active_DirectoryConnector
touch mule-config.xml

WARNING: Do NOT restart the AFX server or edit the AFX connector in the RSA Identity Governance & Lifecycle user interface, as these actions will override the debug settings just made. 

  1. The next time you use the connector (or test the connector capabilities), you will see the debug output in the $AFX_home/esb/logs/esb.AFX-CONN-<connector_name>.log. For example, $AFX_HOME/esb/logs/esb.AFX-CONN-Active_DirectoryConnector.log.

To enable debug logging pre-7.0.1, please see RSA Knowledge Base Article 000033429 -- How to turn on debug logging to troubleshoot AFX connectors in versions 7.0.0, 6.9.1 and 6.8.1 of RSA Identity Governance & Lifecycle.

To enable debug logging in 7.5.2, please see RSA Knowledge Base Article 000068052 - How to turn on debug logging to troubleshoot AFX connectors in version 7.5.2 of RSA Governance & Lifecycle

Notes

Here is an example of adding an account to an AD group with debug enabled. 

019-10-21 15:13:28.327 [DEBUG] org.mule.api.processor.LoggerMessageProcessor:121 - XML Payload from JMS: 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Envelope xmlns="http://aveksa.com/afx/messages/primary">
    <Header>
        <version>1.0</version>
        <appid>ACM</appid>
        <crid>13</crid>
        <type>response</type>
        <callback>NA</callback>
        <afxid>66132122-4890-4fa0-93f7-d9f11b7c1898</afxid>
        <async-callback>false</async-callback>
        <async-callback-url>http://localhost:8089/callback/66132122-4890-4fa0-93f7-d9f11b7c1898</async-callback-url>
        <testmessage>false</testmessage>
    </Header>
    <Body>
        <Request timestamp="2019-10-21T15:13:20.674-04:00" id="1">
            <epid>Active_DirectoryConnector</epid>
            <verb name="AddAccountToGroup">
                <parameters>
                    <parameter name="Account">CN=Book\, Rita,OU=SE,OU=vcloud Users,DC=2k8r2-vcloud,DC=local</parameter>
                    <parameter name="Group">CN=G1,OU=vcloud Users,DC=2k8r2-vcloud,DC=local</parameter>
                </parameters>
            </verb>
            <Response timestamp="2019-10-21T15:13:28.299-04:00">
                <status>
                    <code>0</code>
                    <brief>Success</brief>
                    <detailed></detailed>
                </status>
            </Response>
        </Request>
    </Body>
</Envelope>

 
Tags (71)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2023-01-17 02:41 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.