Working with Log Sinks and Debug Logs
This topic describes the procedures for common scenarios involving log sinks and debug logs for the .
IMPORTANT: Avoid creating too many log sinks, as this affects Gateway performance. CA Technologies recommends no more than three log sinks for best performance. Any detailed filtering should be handled by external systems.
Creating and Using a Custom Log Sink
To create a log sink for all messages from a custom logger:
- Run the Manage Log/Audit Sinks task and create a new log sink.
- Complete the properties for the log sink:
  - In the Base Settings tab, define at least one filter: Filter Type: Category, Filter Details: Select Gateway Log
  - Define another filter: Filter Type: Package, Filter Details: Enter the name of your custom logger: com.l7tech.log.custom.<customLoggerName>. Make note of the <customLoggerName> string.
- Configure an Add Audit Detail Assertion for your custom logger.
  - Set the Category to Log. This directs the log messages to the log system.
  - Select the Custom logger name check box.
  - Enter your <customLoggerName> string in the field following com.l7tech.log.custom.
  - Select an appropriate Level for the logging.
During policy execution, audit details are sent to the log sink for the specified custom logger.
Creating Log Sink for Service(s)
To create a log sink for all messages from a service:
- Use the Manage Log/Audit Sinks task to create a new log sink that filters by one or more services.
During policy execution, only messages related to the selected services are sent to the log sink.
Debugging a Client IP
To create a log sink for all messages from a client IP:
- Use the Manage Log/Audit Sinks task to create a new log sink that filters by a specific client IP address.
- In the Log Sink Properties, set the severity threshold to FINE.
- In the log.levels cluster property, set the severity level for the appropriate package to FINE for the appropriate loggers, for example, "<packageName>.level=FINE". For assistance with package names, contact CA Support.
During policy execution, only messages related to the specified client IP address are sent to the log sink.
To enable SSL/TLS debug for an HTTPS listen port:
- Set the io.debugSsl cluster property to "true" to enable SSL/TLS debugging globally.
  Setting the io.debugSsl cluster-wide property to "true" might not enable SSL/TLS debugging for all the Java security JCE providers. Instead, define the javax.net.debug property with the appropriate level (for example, ssl, all, and so on) in the system.properties file of the Gateway.
  Do not use the level help, as it causes some providers to terminate the JVM.
- Set the log.stdoutLevel cluster property to FINE.
- Update the log.levels cluster property to include the line STDOUT.level=FINE.
- Use the properties:
  - Severity Threshold: FINE
  - Filter Type = Category, Filter Details = Gateway Log
  - Filter Type = Package, Filter Details = STDOUT
- Restart the Gateway.
- Verify debug is working by consuming a service using an HTTPS Listen Port.
During policy execution, the SSL/TLS output related to the consumption is sent only to the configured log sink. (This assumes that no other log sinks are currently configured to allow "FINE" messages.)
If debug trace logging has been enabled for HTTP(S), be aware that this can log passwords, including passwords used to log in to the Policy Manager. Use this capability with caution. For assistance on enabling debug trace logging in HTTP(S), please contact CA Support.
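Because HTTP(S) debug trace output can contain passwords, it helps to redact credential-bearing lines before a trace file is copied off the Gateway host or attached to a support case. The following is an added example, not part of the original documentation or any CA tooling; the log line shapes, the patterns, and the function names are assumptions to adapt to your own trace output.

```python
import re

# Assumed shapes of credential-bearing text in an HTTP(S) debug trace.
# Extend these patterns to match what your own trace output contains.
AUTH_HEADER = re.compile(
    r"(?i)\b((?:proxy-)?authorization:\s*(?:basic|bearer)\s+)([A-Za-z0-9+/=._~-]+)")
PASSWORD_PARAM = re.compile(
    r"(?i)([\w-]*(?:password|passwd|pwd))=([^&\s;\"]+)")


def redact_line(line):
    """Return (redacted_line, findings) for a single log line."""
    findings = []

    def hide_auth(match):
        findings.append("authorization-header")
        return match.group(1) + "[REDACTED]"

    def hide_param(match):
        findings.append("password-parameter")
        return match.group(1) + "=[REDACTED]"

    line = AUTH_HEADER.sub(hide_auth, line)
    line = PASSWORD_PARAM.sub(hide_param, line)
    return line, findings


def redact_log(text):
    """Redact every line; return (clean_text, {line_number: findings})."""
    cleaned, report = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        clean, found = redact_line(line)
        cleaned.append(clean)
        if found:
            report[number] = found
    return "\n".join(cleaned), report


# Constructed sample lines (hypothetical format, not real Gateway output).
SAMPLE = """\
FINE: >> "POST /login HTTP/1.1"
FINE: >> "Authorization: Basic YWRtaW46czNjcjN0"
FINE: >> "username=admin&password=s3cr3t&next=/home"
FINE: << "HTTP/1.1 200 OK"
"""

if __name__ == "__main__":
    clean_text, report = redact_log(SAMPLE)
    print(clean_text)
    print("Redacted lines:", report)
```

The returned report lists which line numbers held credentials, which is also a signal that those passwords were exposed in the log and should be rotated.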