-
Title
How to Enable and Collect vastool Debug Logs in Safeguard Authentication Services (SAS) 7.0 -
Description
Safeguard Authentication Services (SAS) 7.0 introduces a new
vastool debugcapability that allows administrators to easily enable and disable enhanced debug logging for troubleshooting. This feature automatically configures system logging to capture vasd and related system debug output into a single log file, simplifying data collection for Support. -
Cause
Applies to
- Safeguard Authentication Services for Unix/Linux
- Version: SAS 7.0 and later
Purpose
Use this procedure when troubleshooting authentication, authorization, or vasd-related issues and One Identity Support has requested debug logs.
-
Resolution
Procedure
1. Enable Debug Logging
Run the following command as root:
vastool debug enableThis command performs the following actions automatically:
- Detects the active logging service (for example,
rsyslog) - Backs up existing logging configuration files
- Temporarily disables journald rate limiting (if applicable)
- Configures system logging to capture SAS debug output to:
/var/log/sas_debug.log
- Restarts the required logging services
Debug logging typically becomes active within 30 seconds.
Note:vasdis not restarted automatically.2. Reproduce the Issue
After enabling debug logging, reproduce the problem you are experiencing (for example, failed authentication, command execution, or domain communication issues).
3. Disable Debug Logging
Once the issue has been reproduced, disable debug logging:
vastool debug disableThis command:
- Restores the original logging configuration files from backup
- Restarts the affected logging services
- Compresses the collected debug output
The final debug file is saved as:/var/log/sas_debug.log.gz4. Collect Logs for Support
Upload the following file to your active One Identity Support case:
/var/log/sas_debug.log.gzSample Command OutputEnabling Debug[root@cs-redhat1 /]# vastool debug enable Detected <rsyslog> Backing up file </etc/systemd/journald.conf> to </etc/systemd/journald.conf.backup> Modifying </etc/systemd/journald.conf> to disable rate limiting Restarting journald Backing up file </etc/rsyslog.conf> to </etc/rsyslog.conf.backup> Modifying </etc/rsyslog.conf> for debug capture to </var/log/sas_debug.log> Restarting rsyslog vasd / system debug logging enabled to </var/log/sas_debug.log> vasd has NOT been restarted, debug should start within 30 secondsDisabling Debug[root@cs-redhat1 /]# vastool debug disable Detected <rsyslog> Restoring file </etc/systemd/journald.conf> from </etc/systemd/journald.conf.backup> Restarting journald Restoring file </etc/rsyslog.conf> from </etc/rsyslog.conf.backup> Restarting rsyslog vasd / system debug has been disabled and output compressed to </var/log/sas_debug.log.gz>Notes and Best Practices
- Run debug logging only for the duration needed to reproduce the issue.
- Avoid leaving debug enabled for extended periods, as log volume may increase.
- Do not modify or extract files from
sas_debug.log.gzbefore uploading unless instructed by Support.
Additional Information
If the issue persists after providing the debug logs, One Identity Support may request additional system information or configuration files as part of the investigation such as /var/log/secure and /var/log/messages.
For enabling vasd debug in earlier versions, please visit KB4263684 - Detects the active logging service (for example,