Extended L7 Debug
This document relates to additional logging capabilities that enable debug and client trace logging at a per-Virtual Service (VS) level. Currently, for this feature, only configuring using the Web User Interface (WUI) is supported, no Application Program Interface (API) functionality has been implemented.
There is a global debug option called Enable L7 Debug Traces that enables debugging on all Layer 7 (L7) connections. This global setting has precedence over the new Extended L7 debug feature capabilities outlined below.
This new feature allows additional logging capabilities that enables debug logging on a per-VS level and a further option to limit the logging by specifying the client IP address. All logs associated with this feature are recorded in the system messages file messages.txt.
You can enable this feature using the Enable Extended L7 Debug setting in the System Configuration > Logging Options > System Log Files > Debug Options page.
Enabling Enable Extended L7 Debug option may be needed when performing extensive testing.
Once the Enable Extended L7 Debug option is enabled, a Process debug button will appear. Clicking the Process debug button will display the list of processes with the debug level to be selected.
By default, the generated logs cannot be exported from the device. The user has to sanitize the logs before providing them externally. Logs should only be enabled for debug purposes and disabled immediately afterwards. the logs should be removed from the LoadMaster as soon as possible when debugging is completed.
Enabling Extended L7 Debug option can consume more resources and it is possible that some authorization parameters may be exposed. Only enable this option if recommended by Kemp Support.
When extended debugging is enabled, an additional Extended Debug configuration item becomes available in the Virtual Service modify screen (Virtual Services > View/Modify Services > Modify) for all VSs. When using Sub-Virtual Services (SubVSs), the Extended Debug settings are also inherited by the SubVS, so that a single call can be logged in its entirety. It is also possible to enable debug on a single SubVS if required.
When Enable Extended L7 Debug is set, the Extended Debug options are available when configuring or modifying a VS. The options available are:
- L7 Debug Level: There are currently four levels available; No Debug, Call Tracing, Full Debug, and Full Debug + HTTP Headers. Call Tracing is a basic level log that displays most relevant operations, while Full Debug displays all available debug logs, which is the same as the global setting of Enable L7 Debug Traces but on a per-VS level.
By default, the L7 Debug Level is set to No Debug for all Virtual Services and SubVSs. To enable logging for a particular Virtual Service or SubVS, you must set the L7 Debug Level to Call Tracing or Full Debug in the Extended Debug section of the Virtual Service or SubVS modify screen.
Setting the L7 Debug Level to Full Debug + HTTP Headers may expose sensitive information.
- Client To Trace: It is also possible to limit the debug information even further by specifying a client IP address (you can specify an IPv4 or IPv6 address). If an address is specified, only connections coming from that specific client IP are logged/traced. This allows debugging capability from a single address.
This document was last updated on 01 February 2022.