Debug Log Reporting
Debug logs for the Akeyless PAM integration are written by the Tenable Nessus scanner during the scan. Log output is controlled by the debug logging settings in Tenable Nessus.
Log file names
The integration writes to log files named after the credential plugin that invoked it:
-
SSH scans: ssh_settings.nasl~Akeyless
-
Windows scans: logins.nasl~Akeyless
-
Database scans: database_settings.nasl~Akeyless
Log files are attached to the Debugging Log Report (84239) plugin output.
What the logs contain
The debug logs record the full integration lifecycle for each scan, including:
-
Configuration settings the integration loads from the scan policy (with sensitive values masked).
-
The authentication method used and whether authentication succeeded.
-
The Akeyless API endpoint called and the HTTP response status.
-
Whether the secret was found and whether its value was parsed successfully.
-
Cache hit/miss information for repeated credential retrievals.
-
Any errors returned by the Akeyless API, including authentication failures and secret-not-found responses.
Common reasons for credentialed checks showing "no" status
-
The Akeyless authentication method does not have an Access Role that grants read access to the configured Credential ID path.
-
The Access Key, UID token, or client certificate provided is invalid or expired.
-
The Akeyless host is unreachable from the scanner (firewall, incorrect hostname, or port).
-
The Credential ID path does not exist in Akeyless or is misspelled.
-
The secret value is not valid JSON or does not contain a password or ssh_key field.
-
For rotated secrets, the Secret Type is set to static (or vice versa), causing the wrong API endpoint to be called.
-
SSL certificate verification fails because the Akeyless gateway uses a self-signed certificate and Verify SSL Certificate is enabled.