Technical Tip: NACDebug logger types

ebilcari · ‎05-11-2023

Description

This article describes how to use nacdebug logger types. Debug logger commands are used for listing loggers and setting their log levels.

Scope

FortiNAC v9.x.

Solution

Any specific logger can be enabled in the desired level with the following command:

nacdebug -logger org.apache.sshd -level xxxx

Valid log levels include:

SEVERE.
WARNING.
INFO.
CONFIG.
FINE.
FINER.
FINEST

To check all the available loggers and their status:

nacdebug -loggers

To disable the logger:

nacdebug -logger org.apache.sshd

For example:

nacdebug -logger org.apache.sshd -level FINEST

output.master logs example:

org.apache.sshd.client.SshClient FINEST :: 2023-05-07 17:10:30:729 :: #884 :: addSessionListener(SshClient[64a7e2be])[org.apache.sshd.common.session.helpers.SessionTimeoutListener@1136e0eb] registered
org.apache.sshd.common.util.threads.SshdThreadFactory FINEST :: 2023-05-07 17:10:30:729 :: #884 :: newThread(java.lang.ThreadGroup[name=ORB ThreadGroup 0,maxpri=10])[sshd-SshClient[64a7e2be]-timer-thread-1] runnable=java.util.concurrent.ThreadPoolExecutor$Worker@25254f50[State = -1, empty queue]
org.apache.sshd.common.io.nio2.Nio2Connector FINEST :: 2023-05-07 17:10:30:729 :: #884 :: Creating Nio2Connector
org.apache.sshd.client.config.hosts.DefaultConfigFileHostEntryResolver FINE :: 2023-05-07 17:10:30:730 :: #884 :: resolveEffectiveHost(fortinac@10.0.0.1:22) => null
org.apache.sshd.client.SshClient FINE :: 2023-05-07 17:10:30:730 :: #884 :: connect(fortinac@10.0.0.1:22) no overrides
org.apache.sshd.common.io.nio2.Nio2Connector FINE :: 2023-05-07 17:10:30:730 :: #884 :: Connecting to /10.0.0.1:22
org.apache.sshd.common.io.nio2.Nio2Connector FINE :: 2023-05-07 17:10:30:730 :: #884 :: setOption(SO_REUSEADDR)[true] from property=socket-reuseaddr

There are loggers for master and nessus, meaning the appropriate log file should be checked.

Restarting the VM will restore these values to default:

nacdebug -loggers | grep -v INHERITED
loaderName loggerName loggerLevel
____________ ____________________________ ___________
MasterLoader '' INFO
MasterLoader net.sf.ehcache SEVERE
MasterLoader org.hibernate SEVERE
MasterLoader org.snmp4j WARNING
Nessus '' INFO
Nessus org.hibernate SEVERE

To enabling debug logging in a plugin, specify it by name as follows:

nacdebug -name DirectoryAuthentication true
Setting DirectoryAuthentication debug to true

The following command will also enable one or more loggers:

nacdebug -loggers | grep -v INHERITED
loaderName loggerName loggerLevel
____________ ____________________________ ___________
MasterLoader yams.DirectoryAuthentication FINER

Other examples of loggers:

Information for licensing (entitlementstool):

nacdebug -logger yams.FCPClient -level FINEST

tf output.master
yams.FCPClient FINE :: 2023-07-24 09:51:13:560 :: #847 :: HTTP/1.1 200 OK
yams.FCPClient FINE :: 2023-07-24 09:51:13:560 :: #847 :: FCPPackage [objects=[FCPObject [encryptedData=[80, ...

Radius log detailed for a specific MAC address:

nacdebug -logger 'yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine' -level FINE

tf output.master
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:814 :: #484 :: [Post-Auth] Process Started (16 attrs): nasIPAddr=10.0.0.1, srcIPAddr=192.168.1.102
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:815 :: #484 :: Device found for NAS-IP-Address [10.0.0.1]: ManagedElem: gw.eb.eu (10.0.0.1) [ID=32]

...
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINER :: 2023-11-06 12:00:37:821 :: #484 :: RadiusServer.getWiredPort: (gw.eb.eu/10.0.0.1) S108Exxxx:port4

...

yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINEST :: 2023-11-06 12:00:37:843 :: #484 :: Response attrs = {Tunnel-Type=[VLAN] (RadAttr), Tunnel-Private-Group-Id=[532] (RadAttr), Tunnel-Medium-Type=[IEEE-802] (RadAttr)}
...
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:843 :: #484 :: Parse RFC5176 Attrs: attrList = 1,31
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:843 :: #484 :: Parse RFC5176 Attrs: client = 00:0A:CD:38:B5:CD
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:845 :: #484 :: Parse RFC5176 Attrs: saving attr [1] (User-Name) = gimi
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:847 :: #484 :: Parse RFC5176 Attrs: saving attr [31] (Calling-Station-Id) = 00-0A-CD-38-B5-CD (building CoA attributes)
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:847 :: #484 :: Adding client update to queue for client 00:0A:CD:38:B5:CD
yams.RadiusAccess.00:0A:CD:38:B5:CD.RadiusAccessEngine FINE :: 2023-11-06 12:00:37:847 :: #484 :: [Post-Auth] Returns: [Access-Accept]

The following is an example of integration with a Security Fabric (Connection) and the CFS process (Cooperative Security Fabric), which can be used to troubleshoot FortiNAC tags and dynamic addresses:

nacdebug -logger yams.fortinet.csf -level FINEST

yams.fortinet.csf FINEST :: 2023-08-21 15:41:18:031 :: #1395 :: ##send_hello()
yams.fortinet.csf FINEST :: 2023-08-21 15:41:18:031 :: #1395 :: >>> (/10.0.0.1:8013) decoded = CSFPacket [type=MSG_HELLO, stat=QUERY_SUCCESS, ttl=1, qid=22334477, data len = 58]
yams.fortinet.csf FINEST :: 2023-08-21 15:41:18:031 :: #1395 :: <<< (/10.0.0.1:8013) encoded = 010001223344770000003a00000049464e564d4341544d32333030313638350000000000666e6163000000000000000000000000000000000000000000000000000000000000000000
yams.fortinet.csf FINEST :: 2023-08-21 15:41:18:032 :: #1395 :: <<< (/10.0.0.1:8013) encoded = 010001223344770000003a000000494647564d3031544d3233303032383237000000000047570000000000000000000000000000000000000000000000000000000000000000000000
yams.fortinet.csf FINEST :: 2023-08-21 15:41:18:032 :: #1395 :: process_packet() from = /10.0.0.1:8013 type = MSG_HELLO, stat = QUERY_SUCCESS, path_len = 58
yams.fortinet.csf FINEST :: 2023-08-21 15:41:18:032 :: #1395 :: ##process_hello() /10.0.0.1:8013