Mapping ccg logs to events/account activities

I’ve been trying to troubleshoot some intermittent errors in our environment. I can find the errors in account activity/event logs easily enough in IdentityNow, and I’m then trying to map the end-to-end flow of this activity - i.e., when the request was added to the VA queue, when it was picked up by the VA, what happened on the VA, when the VA responded, etc.

However, what I’m finding is that trying to find the ccg log entries for a particular event or account activity is really not easy, especially when the VA is processing multiple requests simultaneously. So far the best approach I’ve found is:

  • find something unique about that particular event (an error message, the account id, or something) to try to find a single log entry for that event
  • find the thread that it is running on
  • filter the ccg log to only show that thread
  • view those logs

It’s still a bit of a pain though and not really reliable as I have quite a few times ended up following the wrong log thread.
I’m wondering though, from the developer community, if anyone else has any better approach to mapping ccg logs to events for troubleshooting purposes? How does the SailPoint support team do it? (I’ve also noticed them in some support tickets in the past looking at the wrong log entries so I don’t believe they have a foolproof solution for it). Is there a simple approach I’m just missing? Or is it actually as painful for everyone else as it is for me?

I’ve also created this idea to add the account activity/event id in the logs:
https://ideas.sailpoint.com/ideas/GOV-I-2689
If nobody comes up with a simple solution, please vote for it.
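The thread-following steps listed above, as an added example that is not part of the original post. It assumes ccg.log holds one JSON object per line with `@timestamp`, `thread_name` and `message` fields; that format, the sample lines and the function names are assumptions. Matches are limited to a time window around the hit because pool threads get reused for later requests.

```python
import json
from datetime import datetime, timedelta

# Assumed timestamp layout of the "@timestamp" field (UTC, millisecond precision).
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample lines, not real ccg.log output.
SAMPLE_LOG = """\
{"@timestamp":"2023-05-01T10:00:01.000Z","thread_name":"pool-5-thread-3","message":"Provisioning request received for account jdoe"}
{"@timestamp":"2023-05-01T10:00:01.200Z","thread_name":"pool-5-thread-4","message":"Provisioning request received for account asmith"}
{"@timestamp":"2023-05-01T10:00:02.500Z","thread_name":"pool-5-thread-3","message":"Connector call failed: timeout for account jdoe"}
{"@timestamp":"2023-05-01T10:00:02.900Z","thread_name":"pool-5-thread-4","message":"Provisioning completed"}
{"@timestamp":"2023-05-01T10:00:03.100Z","thread_name":"pool-5-thread-3","message":"Sending response to queue"}
{"@timestamp":"2023-05-01T10:05:00.000Z","thread_name":"pool-5-thread-3","message":"Provisioning request received for account bwayne"}
this line is not JSON
"""

def parse(lines):
    """Yield (timestamp, thread, record) for each well-formed JSON line."""
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["@timestamp"], TS_FORMAT)
            yield ts, rec["thread_name"], rec
        except (ValueError, KeyError, TypeError):
            continue  # skip non-JSON lines and records missing the assumed fields

def trace_event(lines, marker, window_seconds=30):
    """Return entries from the thread(s) that logged `marker`, restricted to
    +/- window_seconds around each hit so a reused pool thread is not followed."""
    entries = list(parse(lines))
    hits = [(ts, th) for ts, th, rec in entries if marker in str(rec.get("message", ""))]
    window = timedelta(seconds=window_seconds)
    selected = [
        (ts, th, rec) for ts, th, rec in entries
        if any(th == hit_th and abs(ts - hit_ts) <= window for hit_ts, hit_th in hits)
    ]
    return sorted(selected, key=lambda e: e[0])

if __name__ == "__main__":
    for ts, thread, rec in trace_event(SAMPLE_LOG.splitlines(), "timeout for account jdoe"):
        print(ts.isoformat(), thread, rec["message"])
```

Widening `window_seconds` pulls in the later, unrelated request on the same thread, which is the "wrong log thread" problem described in the post.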

No response = there’s no reasonable way to troubleshoot provisioning activities with the ccg logs?

So I guess no answer means it’s actually not possible.

We sunk quite a bit of time trying to figure out how to pipe CCG logs into Splunk so we could analyze the data better and could not get it to work. What we have most recently done to troubleshoot is set up a debug VA that only has one source mapped to it, so when we need to troubleshoot logs at least all the logs are isolated to that source. Not foolproof, but it helps.

Regarding Splunk, I did investigate this in the past. Log4j natively supports syslog so you should be able to configure log4j.properties to point it to a Splunk syslog server. The only issue is that SailPoint will overwrite the log4j.properties automatically.

I had raised a case with SailPoint in the past to see if there was any possibility of preventing this but didn’t get the outcome I was hoping for so I didn’t progress it much further.

Anyway it sounds like everyone has the same issue as me - so I guess I’ll give up on this one and just push the idea I’ve raised.

In my opinion, make a post on the ideas portal… I think you would have at least 3 votes.

I already did:
https://ideas.sailpoint.com/ideas/GOV-I-2689
