EEM Policy logging in AAI 24.4.0
Article ID: 432454
Updated On:
Products
Issue/Introduction
When troubleshooting EEM policies in version 24․4․0, you might need to view policy-related logging to see user policies (like ALLOWED/DENIED actions) ․ The com․termalabs․server․eem․EIAMServiceImpl logger is available in the config tool, but it lacks an option to set the logging level to TRACE ․
SYMPTOMS:
-
Inability to select TRACE level for EEM policy logging within the configuration tool
-
DEBUG logging level is overly verbose and lacks specific policy check information
IMPACT: Administrators cannot easily view ALLOWED/DENIED policy actions during troubleshooting without manual file modifications
Environment
AAI 24.4.0
Resolution
PREREQUISITES:
-
Access to the AAI configuration tool
-
Access to modify the log4j2․yml file
STEPS:
1․ INITIALIZE LOGGER IN CONFIG TOOL
Set com․termalabs․server․eem․EIAMServiceImpl to DEBUG (or another available level) in the config tool
EXPECTED: This action writes the logger entry into the log4j2․yml file
2․ MODIFY LOG LEVEL MANUALLY
Path: log4j2․yml
3․ RESTART APPLICATION
Restart the AAI service to apply the changes
EXPECTED: The system will now log TRACE level messages (e․g․, US=<user>: AC=<action>:RC=<resourceClass>: RN=<resourceName>: PO=<policy> ALLOWED/DENIED) NOTE: TRACE logging is very verbose; use only while actively troubleshooting
Note that this logging is very verbose and should only be set to TRACE or DEBUG for a limited time.
Additional Information
Defect DE183688 has been raised to allow you to configure this level of logging through the AAI configuration tool.
Feedback
