CA API Gateway 9.1

9.4 9.1

Working with Log Sinks and Debug Logs

This topic describes the procedures for common scenarios involving log sinks and debug logs.
gateway83
This topic describes the procedures for common scenarios involving log sinks and debug logs.
2
IMPORTANT:
 Avoid creating too many log sinks, as this affects Gateway performance. CA Technologies recommends no more than three log sinks for best performance. Andy detailed filtering should be handled by external systems.
Creating Log Sink for Custom Logger
To create a log sink for all messages from a custom logger:
  1. Configure an Add Audit Detail Assertion with the
    "<customLoggerName>"
     in the
    Custom logger name
     field.
    • Make note of the
      Category
       (either
      Audit
       or
      Log
      ).
    • Make note of any custom logger name that is defined (for example, "com.l7tech.log.custom.
      <customLoggerName>
      ").
  2. Run the Manage Log/Audit Sinks task and create a new log sink.
  3. Complete the properties for the log sink. Mandatory:
    • In the
      Base Settings
       tab, define at least one filter:
      Filter Type:
      Category
      Filter Details:
       Select the category that matches the
      Category
       from the Add Audit Detail Assertion. Either
      Audits
       or one of the logs (
      Gateway Log
      ,
      Traffic Log
      ).
    • Optionally, define a filter of type
      Package
       for your custom logger
      com.l7tech.log.custom.<customLoggerName>
      .
During policy execution, audit details are sent only to the sink for the specified custom logger.
Creating Log Sink for Service(s)
 To create a log sink for all messages from a service:
During policy execution, only messages related to the selected services are sent to the log sink.
Debugging a Client IP
 To create a log sink for all messages from a client IP:
  1. Use the Manage Log/Audit Sinks task to create a new log sink that filters by a specific client IP address.
  2. In the Log Sink Properties, set the severity threshold to FINE.
  3. Set the severity level for the appropriate package to FINE in the
    log.levels
     cluster property for the appropriate loggers—for example, "<packageName>.level=FINE". Please contact CA Support for assistance with the package names.
During policy execution, only messages related to the specified client IP address are sent to the log sink.
Debugging SSL/TLS
To enable SSL/TLS debug for an HTTPS listen port:
  1. Set the
    io.debugSsl
     cluster property to "true" to enable SSL/TLS debugging globally.
  2. Set the
    log.stdoutLevel
     cluster property to FINE.
  3. Update the
    log.levels
     cluster property to include the line STDOUT.level=FINE.
  4. Use the Manage Log/Audit Sinks task to create a new log sink with these properties:
    • Severity Threshold:
      FINE
    • Filters:
      • Filter Type =
        Category
        , Filter Details =
        Gateway Log
      • Filter Type =
        Package
        , Filter Details =
        STDOUT
  5. Restart the Gateway.
  6. Verify debug is working by consuming a service using an HTTPS Listen Port
During policy execution, the SSL/TLS output related to the consumption is sent only to the configured log sink. (This assumes that no other log sinks are currently configured to allow "FINE" messages.)
If debug trace logging has been enabled for HTTP(S), be aware that this can log passwords, including passwords used to log in to the Policy Manager. Use this capability with caution. For assistance on enabling debug trace logging in HTTP(S), please contact CA Support. 

Content feedback and comments