SecurID® Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.
Article Number
000033694
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.1[40] or later, though 7.2 and 7.1 should also work
Platform: Windows
O/S Version: Microsoft Windows Server 2012 R2, Windows Server 2008 R2, Windows 7, Windows 8, all supported versions of Windows
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.1[40] or later, though 7.2 and 7.1 should also work
Platform: Windows
O/S Version: Microsoft Windows Server 2012 R2, Windows Server 2008 R2, Windows 7, Windows 8, all supported versions of Windows
Issue
While a GPO template is not currently available to enable Windows Local Agent (LAC) for verbose or trace logging, you can enable verbose logging for an RSA Authentication Agent 7.x for Windows through the registry, which then might be done remotely or to groups of agents.
Task
Use regedit to modify the value of HKEY_LOCAL_MACHINE\SOFTWARE\RSA\RSA Desktop Common\Logging\Components and set the various log files to a DWORD value of 1.
Resolution
HKEY_LOCAL_MACHINE\SOFTWARE\RSA\RSA Desktop Common\Logging\Components is the registry hive used by the RSA Authentication Agent for Windows to set logging values. As shown here, all of the equivalent REG_DWORD values for the agent's trace files seen through the agent interface are listed.
Image description
As shown in the agent interface:
Image description
In the registry, set the DWORD value to 1 to turn on logging to that specific file. You may want to enable logging for all, but typically Customer Support looks at the SIDAuthenticator log file for logon and challenge information, and the DAService log for offline authentication requests and downloads.
The registry setting for HKEY_LOCAL_MACHINE\SOFTWARE\RSA\SDTI\ACECLIENT is a remnant from the older agents, which only logged to a single file called trace.log in Agent version 7.0, and was originally called ACECLIENT.log in older versions of the agent. It is not necessary to enable logging for the trace.log file because with newer agents, there is not much useful or unique information in it. If the root cause of the issue is not identified after enabling verbose logging for the suggested values, run a test with the DWORD value set to 1.
Image descriptionAs shown in the agent interface:
Image descriptionIn the registry, set the DWORD value to 1 to turn on logging to that specific file. You may want to enable logging for all, but typically Customer Support looks at the SIDAuthenticator log file for logon and challenge information, and the DAService log for offline authentication requests and downloads.
The registry setting for HKEY_LOCAL_MACHINE\SOFTWARE\RSA\SDTI\ACECLIENT is a remnant from the older agents, which only logged to a single file called trace.log in Agent version 7.0, and was originally called ACECLIENT.log in older versions of the agent. It is not necessary to enable logging for the trace.log file because with newer agents, there is not much useful or unique information in it. If the root cause of the issue is not identified after enabling verbose logging for the suggested values, run a test with the DWORD value set to 1.
Notes
Thanks to Customer Support Engineer Ed Davis for helping to figure this out.
In this article
