File(s): conf/audit.xml, conf/errors.xml, conf/logback.xml, conf/authn/authn.properties (V4.3+)
Format: Native Spring, Logback
...
The audit logging feature provides a detailed record of every transaction handled by the IdP to allow tracing of user activity, statistical analysis of usage, legal record keeping, etc. It is highly extensible, allowing the format to be customized, selection of fields to log on a per-profile basis, and the addition of custom audit fields using additional Java code or scriptlets without modifying core code in most cases. Unlike the diagnostic logs, the audit log is meant to be machine-readable.
Note that the audit log does not log individual authentication success/failure information because that can happen repeatedly in the course of a single “transaction” from the IdP’s perspective. There are diagnostic log messages produced for those events, but not audit events. It is presumed that the true “audit” log of an authentication service is produced by that service itself, while the IdP’s log would only be used in the rare case that something needs to be correlated to a client address or similar information.
There are initially two audit logs provided, and there might be more added later if other use cases emerge. The core audit log is used for general request/response auditing, and is routed by default through a logger named "Shibboleth-The primary audit stream deals with the request/response profile handling of the IdP itself (this also includes logging the requests and responses associated with the SAML proxying support). This is routed by default through a logger named "Shibboleth-Audit" to a file called idp-audit.log.
Another audit record stream exists for logging decisions made by users regarding attribute release and terms of use acceptance and is routed by default through a logger named "Shibboleth-Consent-Audit" to a file called idp-consent-audit.log. A second log is used for logging decisions made by users regarding attribute release and terms of use acceptance, and is routed by default through a logger named "Shibboleth-Consent-Audit" to a file called idp-consent-audit.log.It's possible through additional configuration to send audit records configured in multiple formats to different logging categories; for example you might have custom tools that want particular formats and the IdP can produce those formats for you in real time while still generating other formats at the same time.
Prior to V4.3, the audit log does not include records of individual authentication success or failure results; only the diagnostic (“process”) log includes (unstructured) records of those events. V4.3 introduces a separate stream of authentication audit events for each supported login flow. By default this feature is not enabled, but if done, these records appear in the same audit stream as the primary auditing. It is straightforward (and usually advisable) to route these records by category to a separate file or destination since the record format is not the same as the primary records.
Finally, the primary audit log supports the ability to create multiple log records in different formats or with different fields at the same time for the same events (and optionally route them to different categories for output to different destinations). The authentication auditing does not support this feature for simplicity (and because of the relative paucity of fields).
General Configuration
As with the diagnostic logs, the actual logging is handled by the Logback implementation and so the portion of configuration that deals with how the logs are written and managed is in the conf/logback.xml file through the manipulation of the two <logger>
elements and related content for the "Shibboleth-Audit" and "Shibboleth-Consent-Audit" categories.
...
There are really two halves to the auditing system: field extraction and log output. While suitable defaults are provided, both halves can be changed using conf/audit.xml (or conf/intercept/consent-intercept-config.xml for the Shibboleth“Shibboleth-Consent-Audit Audit” category). Extending field extraction typically requires additional Java code or scripts to pull new data out of the request state and make it available to the log output stage, but there are a lot of built-in fields.
Expand | ||
---|---|---|
| ||
Field extraction is the process of populating a labeled field in an AuditContext object that is built up over the life of a transaction. The context is just a map of field names to collections of values and the field names are just conventions built-in to the software to provide a standard set of useful fields to audit. Fields are extracted at various points through the life of a transaction so that adequate detail can be exposed about the request, the processing of the request, and the response. These extraction points are associated with collections of field extraction beans that do the actual work to pull data out of the state of the transaction and store it for output. The built-in extraction points and beans are as follows (empty beans are not provided to reduce clutter, but you can add them, per the example below):
Each entry in these maps is a key containing the string label to associate (the name of the field), and a value containing a Function<ProfileRequestContext,Object> instance. Functions can return either single objects that get converted to a string for logging, or a Collection of objects that are converted to strings and separated by commas within the logged field. In this manner, you can add your own fields by implementing a function (or writing a script) to return any data you can find in the context tree and associating it with a custom field label by adding it to one of the maps named above. In V4.3+, a similar extractor exists for each login flow in the IdP, allowing different auditing behavior per-flow. All these beans have names based on the underlying login flow (e.g. shibboleth.authn.Password.AuditExtractors, etc.) |
Expand | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||
A skeletal example follows to demonstrate how to create a map to contain a custom field extraction rule: Adding custom fields to the audit log via audit.xml
A real world example: if you're logging fields containing a URL, you may need to escape characters in a URL because of the delimiter you choose to use in the log format. You can do this using a script: Encoding 'pipe' character appearing in CAS service URLs
A rather more convoluted example is to dump the values or arbitrary attributes into the log. To do this we define an abstract bean to emit the attribute values (in an arbitrary format) for any attribute (most of this is really error and null handling): Output Attribute Values
Then a bean to emit a specific attribute can be easily created:
|
...