File(s): conf/logback.xml
Format: Logback
Overview
All logging is done through an abstract API called SLF4J that allows for a choice of logging implementation at runtime. The software ships and installs with a logging implementation called Logback. We do not at present have any examples of replacing this implementation.
...
The following properties are declared for you:
Variable | Default | Function |
---|---|---|
idp.logfiles | ${idp.home}/logs | Location of log files |
idp.loghistory | 180 | Number of days of logs to keep |
idp.process.appender | IDP_PROCESS | Appender to use for diagnostic log (set to ASYNC_PROCESS for high volume DEBUG logging) |
idp.loglevel.idp | INFO | Log level for the IdP proper |
idp.loglevel.ldap | WARN | Log level for LDAP events |
idp.loglevel.messages | INFO | Set to DEBUG for protocol message tracing |
idp.loglevel.encryption | INFO | Set to DEBUG to log cleartext versions of encrypted content |
idp.loglevel.opensaml | INFO | Log level for OpenSAML library classes |
idp.loglevel.props | INFO | Set to DEBUG to log runtime properties during startup |
idp.loglevel.spring | ERROR | Log level for Spring Framework (very chatty) |
idp.loglevel.container | ERROR | Log level for Tomcat/Jetty (very chatty) |
idp.loglevel.xmlsec | INFO | Set to DEBUG for low-level XML Signing/Encryption logging |
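Several of these properties trade confidentiality for diagnostics: at DEBUG, idp.loglevel.encryption writes the cleartext of encrypted SAML content into idp-process.log, idp.loglevel.messages writes complete protocol messages, and idp.loglevel.props dumps the runtime properties. They are meant to be raised for a troubleshooting session and put back, and a deployment that ships with them at DEBUG has quietly turned its diagnostic log into a copy of its assertions. The following Python script is an added example, not code from this page or from the IdP distribution: it reads an idp.properties-style file (the properties above are normally overridden there; that, the minimal .properties parser, and the `audit` policy are this example's assumptions), merges it onto the defaults from the table, expands `${...}` references, and reports settings a reviewer would want to see. The sample properties file is constructed for the example.

```python
import re

# Defaults copied from the property table above; the audit treats anything a
# deployer sets in idp.properties as an override of these.
DEFAULTS = {
    "idp.logfiles": "${idp.home}/logs",
    "idp.loghistory": "180",
    "idp.process.appender": "IDP_PROCESS",
    "idp.loglevel.idp": "INFO",
    "idp.loglevel.ldap": "WARN",
    "idp.loglevel.messages": "INFO",
    "idp.loglevel.encryption": "INFO",
    "idp.loglevel.opensaml": "INFO",
    "idp.loglevel.props": "INFO",
    "idp.loglevel.spring": "ERROR",
    "idp.loglevel.container": "ERROR",
    "idp.loglevel.xmlsec": "INFO",
}

# At DEBUG these put material into idp-process.log that is not there otherwise.
SENSITIVE_AT_DEBUG = {
    "idp.loglevel.encryption": "cleartext of encrypted SAML content",
    "idp.loglevel.messages": "complete incoming and outgoing protocol messages",
    "idp.loglevel.xmlsec": "low-level XML signing and encryption detail",
    "idp.loglevel.props": "the runtime properties at startup",
}
VERBOSE = ("DEBUG", "TRACE", "ALL")
LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR", "ALL", "OFF")

# Constructed idp.properties excerpt (example data, not from any deployment).
SAMPLE_PROPERTIES = """\
# logging overrides
idp.home = /opt/shibboleth-idp
idp.logfiles = ${idp.home}/logs
idp.loghistory = 30
idp.loglevel.idp = DEBUG
idp.loglevel.encryption = DEBUG
idp.loglevel.messages: DEBUG
idp.loglevel.ldap = \\
    WARN
idp.loglevel.spring = VERBOSE
"""

_KV_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")
_REF_RE = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation. Unicode escapes are not handled (assumption)."""
    props, pending = {}, None

    def store(line):
        m = _KV_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()

    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:          # continuation of the previous line
            line, pending = pending + line, None
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        store(line)
    if pending is not None:
        store(pending)
    return props


def expand(value, props, depth=0):
    """Resolve ${name} references against props; unknown names stay literal."""
    if depth > 10:  # guard against self-referential values
        return value
    return _REF_RE.sub(
        lambda m: expand(props[m.group(1)], props, depth + 1)
        if m.group(1) in props else m.group(0),
        value,
    )


def audit(properties_text):
    """Merge overrides onto DEFAULTS; return the effective logging settings and
    a list of findings, each {'severity', 'key', 'message'}."""
    merged = {**DEFAULTS, **parse_properties(properties_text)}
    effective = {k: expand(v, merged) for k, v in merged.items()}
    findings = []
    add = lambda sev, key, msg: findings.append({"severity": sev, "key": key, "message": msg})

    for key, value in effective.items():
        if key.startswith("idp.loglevel.") and value not in LEVELS:
            add("error", key, f"'{value}' is not a Logback level")
    for key, what in SENSITIVE_AT_DEBUG.items():
        if effective[key] in VERBOSE:
            add("high", key, f"writes {what} into the diagnostic log; reset to INFO once done")
    if not effective["idp.loghistory"].isdigit():
        add("error", "idp.loghistory", "must be a whole number of days")
    if effective["idp.loglevel.idp"] in VERBOSE and effective["idp.process.appender"] != "ASYNC_PROCESS":
        add("info", "idp.process.appender",
            "IdP at DEBUG is high volume; ASYNC_PROCESS is the documented appender for that")
    return {"effective": effective, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_PROPERTIES)
    print("log directory:", report["effective"]["idp.logfiles"])
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['key']}: {f['message']}")
```

Run against the sample it reports the two DEBUG levels that expose protocol and cleartext content, the invalid level name, and the IDP_PROCESS/DEBUG combination; run against an empty file it reports nothing, since the defaults are clean.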
Log Files
By default there are three classes of log file produced:
diagnostic logs (idp-process.log, idp-warn.log)
general audit log (idp-audit.log)
consent audit log (idp-consent-audit.log)
The latter two are discussed in the AuditLoggingConfiguration subtopic.
...
Some examples of useful categories follow:
Category | Description |
---|---|
Shibboleth-Audit, Shibboleth-Consent-Audit | Categories to which audit messages are written, allowing them to be captured by additional logging destinations |
Shibboleth-FTICKS | Category for F-TICKS logging messages. |
PROTOCOL_MESSAGE | A logger for incoming and outgoing XML protocol messages, not active by default |
org.opensaml.saml | Messages related only to receiving, parsing, evaluating security of, producing, and encoding SAML messages (this produces a lot of log messages, especially at IdP startup) |
org.opensaml.saml.saml2.encryption.Encrypter | Logs unencrypted SAML content at DEBUG level, not active by default |
org.opensaml.saml.metadata.resolver | Information regarding metadata loading, refresh, and querying |
net.shibboleth.idp | Messages related to all the IdP's functions, profile handling, authentication, attribute resolution and filtering |
net.shibboleth.idp.authn | Messages related only to authentication |
net.shibboleth.idp.attribute | Messages related to attribute resolution and filtering |
org.ldaptive | Messages related to LDAP library processing (applies to both authentication or attribute lookup) |
The default configuration includes additional loggers that are either commented out or are hardwired to particular levels. Adjusting these categories may result in a lot of additional noise, but also may be useful to diagnose very low-level problems (or you might be asked to in order to help diagnose a problem).
...
Logback supports a feature known as the Mapped Diagnostic Context (MDC). Information stored in the MDC is attached to every logging message emitted after the point at which it is stored, and can be included in an appender's pattern with the conversion word %mdc{KEY} (which renders as an empty string when the key is not set). Currently the IdP makes the following information available via the MDC:
MDC KEY | Description |
---|---|
idp.jsessionid | The servlet container's JSESSIONID attribute |
idp.remote_addr | The IP address of the remote user-agent. This is the user's browser for front-channel requests and the SP for back-channel requests. |
idp.server_hostname | The host name of the server to which the current request was sent |
idp.server_port | The port number to which the current request was sent |
...
...
Example Logging Pattern using the Container Session ID
```xml
<Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - [%mdc{idp.jsessionid}] - %msg%n</Pattern>
```
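Once the session id is in every line, the diagnostic log can be read per session rather than per line, which is what an incident responder actually wants from it. The Python below is an added example, not part of this page or the IdP: it parses lines written with the pattern above extended by one more MDC field, %mdc{idp.remote_addr} (that extended pattern, the regex built from it, and the multi-address check are assumptions of the example; adjust LINE_RE to whatever pattern the appender really uses), groups events by idp.jsessionid, and lists sessions whose events arrived from more than one client address. The log lines are constructed for the example. Keep in mind that idp.jsessionid is the value of the container's session cookie, so a log that records it must be protected at least as carefully as the cookie itself for as long as the sessions can still be live.

```python
import re
from collections import defaultdict

# Assumed appender pattern (the page's example plus one extra MDC key; a real
# logback.xml may differ, so adjust LINE_RE to match it):
#   %date{HH:mm:ss.SSS} - %level [%logger:%line] - [%mdc{idp.jsessionid}] [%mdc{idp.remote_addr}] - %msg%n
# %mdc{KEY} renders as an empty string when the key is not set, so both
# bracketed fields may be empty (e.g. for work done outside any request).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]:]+):(?P<line>\d+|\?)\] - "
    r"\[(?P<session>[^\]]*)\] \[(?P<addr>[^\]]*)\] - (?P<msg>.*)$"
)

# Constructed sample of idp-process.log output (not captured from a real IdP).
SAMPLE_LOG = """\
10:15:01.123 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:312] - [A1B2C3] [192.0.2.10] - Login by 'jdoe' succeeded
10:15:01.456 - INFO [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:200] - [A1B2C3] [192.0.2.10] - Resolved 5 attributes
10:15:02.001 - WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:330] - [D4E5F6] [198.51.100.7] - Login by 'jdoe' failed
10:15:02.500 - INFO [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:90] - [A1B2C3] [203.0.113.9] - Completed SAML 2 SSO profile
10:15:03.000 - INFO [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver:?] - [] [] - Metadata refresh complete
this line is not in the expected format
"""


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every non-blank line; returns (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def group_by_session(events):
    """Map idp.jsessionid -> events in log order ('' collects request-less events)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["session"]].append(ev)
    return dict(groups)


def sessions_with_multiple_addrs(events):
    """Sessions whose events carry more than one distinct idp.remote_addr.
    A session id hopping between client addresses deserves a look: a shared or
    stolen session cookie, or a client behind rotating proxies."""
    addrs = defaultdict(set)
    for ev in events:
        if ev["session"] and ev["addr"]:
            addrs[ev["session"]].add(ev["addr"])
    return {sid: a for sid, a in addrs.items() if len(a) > 1}


def session_timeline(events, session):
    """Compact one-line-per-event view of a single session."""
    return [
        f"{ev['time']} {ev['level']} {ev['addr'] or '-'} {ev['msg']}"
        for ev in events if ev["session"] == session
    ]


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped} unparsable line(s)")
    for sid, addrs in sessions_with_multiple_addrs(evs).items():
        print(f"session {sid} seen from {sorted(addrs)}:")
        for row in session_timeline(evs, sid):
            print("  " + row)
```

The metadata-refresh line shows why the regex allows empty MDC fields: background work runs outside any servlet request, so neither key is set and both brackets are empty. Note that idp.remote_addr is the SP rather than a browser for back-channel requests, so an address change within a session is only suspicious for front-channel traffic.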
...
Logback loggers are additive by default: an event written to one of these named loggers is also passed up to the root logger's appenders (the diagnostic log), so every audit entry would appear a second time there. To prevent that duplication, add the attribute additivity="false" to those loggers:

```xml
<logger name="Shibboleth-Audit" level="ALL" additivity="false">
    <appender-ref ref="IDP_AUDIT" />
</logger>
<logger name="Shibboleth-Consent-Audit" level="ALL" additivity="false">
    <appender-ref ref="IDP_CONSENT_AUDIT"/>
</logger>
<logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
    <appender-ref ref="IDP_FTICKS_SYSLOG"/>
</logger>
```
...