What is the correct way of debugging connector rules


We are trying to write a before rule for web service connector. where we have written initial code and code does not through any error but it does not solve the purpose of writing rule as well.
So in order to proceed further, We need to check the logs. Can someone help where does the logs from rules gets printed and do we need sailpoint support for checking these logs?

The logs for connector rules should be in ccg.log, which you can find on your VA at /home/sailpoint/log.

We have enabled debugging in VA cluster and also printing logs using log.debug
but we are not able to see any logs getting printed in ccg.log files. We have 2 VAs in lower environment and we have checked on both the VAs

We have even tried log.error but we do not see any logs getting printed from our rule

Hi @pkgupta1 ,

The first thing you need to ensure is to patch the rule to the HTTP operation that you wrote it for. (Ex : Aggregation, Create Account). You can do the patch using the below API call.

PATCH - {{api-url}}/beta/sources/{external-id of the source}



    "op": "replace",

    "path": "/connectorAttributes/connectionParameters/{operation_index_value}/beforeRule",

    "value": "{rule_name}"



To print logs from your rule, you must enable the connector based logging by modifying the “/home/log/log4j2.properties” file in your VA and append the connector based logging statements.
You can find the statements in the document below :

For whichever source you’re rule is patched to, append that connector’s logging statements from the document to the log4j2.properties file. The steps are as below:

  • Stop ccg service in your VA

  • Append the connector logging statements in your log4j2.properties file and save it

  • start the VA again (Note : Do not restart your VA since the latest modifications to log4j will be lost)

I think this should help your requirement. Let me know if this helps.


Hi @Arshad ,

Thanks for your response. We have already patched the rule to add entitlement operation with the connector. and we can see it is being called as well, we initally had the errors in code and in request center we could see the rule errors shown over there. now rule does not have any errors but logic might be wrong so due to that there is no error coming in the request.
We are using the default log object that is available for the all rules in ldentityNow. Do we still need to do this activity or enabling the logs for connector and then specifying our own custom loggers.
Also if we enable debugging on the VA cluster should not it supposed to print the default logger statements as well?

Ideally printing the default logging statements & “Enable debugging” should work, but for some reason I too faced the same issue of logs not being generated. It’s better if you use connector based logging statements in your “/home/log/log4j2.properties”.

For me, adding connector based logging statements worked and I could print and see all my logs in the ccg.log file. Try and let me know if it helps?


Hi @Arshad

Do you know if we can add this via the apis directly or the files needs to be modified. Trying to avoid the server restart since it would required the approval for me.

@pkgupta1 ,

I usually do it directly from the VA. I found it the easiest. However, you can do it using REST APIs and the information is present in the document above with heading
“Update Logging Config”


I believe only logs messages with Info level or higher are captured in the ccg.log file by default. As suggested above, changing the log level is probably the best approach.

You’re right @david_cline.
Also, I usually change the log level to error in “log4j2.properties” for the source and printed all the my log statements as error messages.

Hi @david_cline and @Arshad ,
We are already using log.error the highest logger level after Fatal.
So that should get printed right?
but the thing is even after enabling the debugging on VA cluster it is not getting printed.

Hi @pkgupta1 ,

Try removing the default web service connector logging statements that you’ve updated earlier and please try using the below in your log4j2.properties :


use log.error(“your message”) in your rule to print the logs.

Ensure that you’re stopping your CCG before editing the log4j2.properties file. Once pasting the above 4 lines, save it and start your CCG. (Do not restart the CCG, only start it because the changes made earlier will be lost upon restart).

Let me know if this helps and prints out your log statements? Also, ensure that your web services operation is being triggered for the logs to be printed.

1 Like

Hi @pkgupta1,

I’m not sure whether this is still an issue for you, but I’ve done some testing of adding and modifying connector logging on the Virtual Appliances by modifying the /home/log/log4j2.properties file as recommended on the https://community.sailpoint.com/t5/IdentityNow-Articles/Enabling-Connector-Logging-in-IdentityNow/ta-p/188107 page and I’ve found that when you modify this file as suggested and then turn on debugging via the IdentityNow GUI, the properties file is deleted and replaced with a new one, clearing any changes you have made. It is turning the debugging on or off that performs this action. If you enable debugging first, then stop the service, modify the file and start the service again, your changes will stay in place until you disable debugging again.

I haven’t yet tested whether modifying the logging properties via the API results in the same behaviour.

Hope that helps.

1 Like

Hi All,

Were you able to print the custom logs, can someone please share the sample code to print the logs.


@nitin_m_jain ,

In your connector code, make sure to import the logger libraries. Also, as mentioned previously, log level info and higher is printed by default. If you want lower log levels, like debug and trace to show in your ccg.log file, you will need to modify your log4j2.properties file as mentioned previously. Please see below for sample connector code with logging statements.

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.config.Configurator;

import connector.common.Util;

log.info("Entering GuruBeforeOperationRule");

log.info("Listing Variables passed to Beanshell namespace:");

// BeanShell has a "this.variables" array that we can access.
for (int i = 0 ; i < this.variables.length ; i++) {
   String varName = this.variables[i];
   Object varValue = null;
   try {
      if ("transient".equals(varName))
         varValue = "[reserved word]";
         varValue = eval(varName);
   } catch (Exception ex) {
      varValue = "[eval exception]";

   String varClass = "void";
   if ((void != varValue) && (null != varValue))
      varClass = varValue.getClass().getSimpleName();

   if (void == varValue)
       log.info(varName + " = void");
   else if (null == varValue)
       log.info(varName + " = null");
       log.info(varName + ": " + varClass + " = " + varValue);

Map tMap = (Map) application.getAttributeValue("transientValues");
if(null != tMap) {
  String nextLink = tMap.get("nextLink");
  log.info("nextLink : " + nextLink);
  if(!Util.isEmpty(nextLink)) {
    log.info("Full url is now: " + requestEndPoint.getFullUrl());
log.info("Leaving GuruBeforeOperationRule: " + requestEndPoint);
return requestEndPoint;

Hi Colin,

Thanks for the reply, I added log.info in my code but still logs are not printing in the ccg log file. I have not made any changes in log4j2.properties file.
Please let me know if I am missing something.


From my experience, log.error comes without doing anything.

Also code snipper shared by Collin has some imports around loggers which are not required at all. log object is available by default and it would be available without defining or importing any package.