Parseable audit logs for SP

Description

It would be nice if we had an audit log similar to the audit log from the IdP.
The transaction log already provides some useful information, but is not easily parseable and does not contain a useful identifier of the user (e.g. the REMOTE_USER variable).

idp-audit.log format: auditEventTime|requestBinding|requestId|relyingPartyId|messageProfileId|assertingPartyId|responseBinding|responseId|principalName|authNMethod|releasedAttributeId1,releasedAttributeId2,|nameIdentifier|assertion1ID,assertion2ID,|

I think the SP audit log should contain at least the following fields, delimited by a '|':

  • Authentication Time

  • SessionId

  • REMOTE_USER if any

  • Client IP address

  • Authentication Context Class

  • User-agent

  • Application id

  • entityID of SP

  • entityID of IdP

  • Protocol

  • Binding

  • filtered attribute IDs

Could you take this into consideration?

Regards,

Philip

Environment

None

Activity

Scott Cantor February 12, 2012 at 10:51 PM

Closing with documentation written.

Scott Cantor October 30, 2011 at 9:43 PM

http://svn.shibboleth.net/view/cpp-sp?rev=3534&view=rev

Logging supported for AuthnRequest, login, and logout operations using a single template string in OutOfProcess/@tranLogFormat

Tokens supported:

m_handlers["e"] = _ExceptionMessage;
m_handlers["E"] = _ExceptionType;
m_handlers["S"] = _StatusCode;
m_handlers["SS"] = _SubStatusCode;
m_handlers["SM"] = _StatusMessage;
m_handlers["URL"] = _URL;
m_handlers["URI"] = _URI;
m_handlers["s"] = _SessionID;
m_handlers["a"] = _REMOTE_ADDR;
m_handlers["UA"] = _UserAgent;
m_handlers["app"] = _ApplicationID;
m_handlers["SP"] = _SP;
m_handlers["IDP"] = _IDP;
m_handlers["p"] = _Protocol;
m_handlers["b"] = _Binding;
m_handlers["n"] = _NameID;

m_handlers["u"] = _REMOTE_USER;
m_handlers["i"] = _AssertionID;
m_handlers["I"] = _ProtocolID;
m_handlers["II"] = _InResponseTo;
m_handlers["d"] = _AssertionIssueInstant;
m_handlers["D"] = _ProtocolIssueInstant;
m_handlers["t"] = _AuthnInstant;
m_handlers["x"] = _SessionIndex;
m_handlers["ac"] = _AuthnContext;
m_handlers["attr"] = _Attributes;

m_handlers["L"] = _Logout;
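As an added example (not Shibboleth SP project code, and not posted by the reporter or the commenter), the following Python script parses the pipe-delimited records that the field list in the description and the token table above would produce, and runs one simple check over them. It assumes a hypothetical tranLogFormat built only from tokens named above (the field order is an assumption made for the example), that %attr is emitted as a comma-separated list of attribute IDs in the style of the IdP's releasedAttributeId field, and that no field value contains the '|' delimiter. The sample log lines are constructed for the example, not captured from a real deployment.

```python
"""Parse and check pipe-delimited Shibboleth SP transaction-log records.

Added example, not Shibboleth SP project code.  Assumptions (not from the
issue): the hypothetical tranLogFormat below, %attr as a comma-separated
list, and no field containing the '|' delimiter.  The log lines are
constructed for the example.
"""
import re
from collections import defaultdict

# Hypothetical tranLogFormat using only tokens named in the issue; the
# field order is an assumption made for this example.
FORMAT = "%t|%s|%u|%a|%ac|%UA|%app|%SP|%IDP|%p|%b|%attr"

# Token names from the r3534 handler table, longest first so that %attr and
# %ac are not misread as %a followed by literal text.
TOKEN_NAMES = sorted(
    ["e", "E", "S", "SS", "SM", "URL", "URI", "s", "a", "UA", "app", "SP",
     "IDP", "p", "b", "n", "u", "i", "I", "II", "d", "D", "t", "x", "ac",
     "attr", "L"],
    key=len, reverse=True)
TOKEN_RE = re.compile("%(" + "|".join(TOKEN_NAMES) + ")")


def compile_format(fmt, delim="|"):
    """Return the ordered token names of a format string.

    Rejects formats that are not plain token/delimiter alternations, since
    literal text would be indistinguishable from field content.
    """
    names = TOKEN_RE.findall(fmt)
    if not names or TOKEN_RE.sub("", fmt) != delim * (len(names) - 1):
        raise ValueError("format must be tokens separated by single delimiters")
    return names


def parse_line(line, names, delim="|"):
    """Split one record into a dict keyed by token name.

    A wrong field count is an error: a '|' inside a free-text field such as
    the User-Agent would otherwise shift every later column silently.
    """
    fields = line.rstrip("\r\n").split(delim)
    if len(fields) != len(names):
        raise ValueError("expected %d fields, got %d" % (len(names), len(fields)))
    rec = dict(zip(names, fields))
    if "attr" in rec:
        # Assumed comma-separated like the IdP's releasedAttributeId list.
        rec["attr"] = [a for a in rec["attr"].split(",") if a]
    return rec


def parse_log(text, fmt=FORMAT):
    """Parse every non-empty line of a log fragment with the given format."""
    names = compile_format(fmt)
    return [parse_line(l, names) for l in text.splitlines() if l.strip()]


def addresses_per_user(records):
    """Map REMOTE_USER to the set of client addresses it logged in from.
    Records with an empty %u (no REMOTE_USER) are skipped."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("u"):
            seen[rec["u"]].add(rec["a"])
    return seen


def users_from_many_addresses(records, threshold=2):
    """Users whose sessions came from at least `threshold` distinct addresses."""
    return sorted(u for u, addrs in addresses_per_user(records).items()
                  if len(addrs) >= threshold)


# Constructed sample records (three logins, the last with no REMOTE_USER
# and no released attributes), not captured from a real SP.
SAMPLE_LOG = """\
2011-10-30T21:43:00Z|_a1b2c3|jdoe|192.0.2.10|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|Mozilla/5.0|default|https://sp.example.org/shibboleth|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:protocol|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|eppn,affiliation
2011-10-30T21:45:12Z|_d4e5f6|jdoe|198.51.100.7|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|curl/7.21|default|https://sp.example.org/shibboleth|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:protocol|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|eppn
2011-10-30T21:50:00Z|_778899||203.0.113.5|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|Mozilla/5.0|default|https://sp.example.org/shibboleth|https://idp.example.org/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:protocol|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(rec["t"], rec["u"] or "-", rec["a"], rec["IDP"], ",".join(rec["attr"]))
    print("users seen from several addresses:", users_from_many_addresses(records))
```

Nothing in the issue says whether field values are escaped, so the parser treats a wrong field count as an error instead of silently shifting columns; if a free-text field such as the User-Agent can ever contain the delimiter, that check is what keeps the remaining columns honest. An empty %u is kept as an empty string rather than dropped, so the "REMOTE_USER if any" case stays visible in the parsed records.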

Scott Cantor October 3, 2011 at 12:55 PM

Initial proposal for formatting codes:

%t - Authentication Time
%s - SessionId
%u - REMOTE_USER if any
%a - Client IP address
%c - Authentication Context Class
%UA - User-agent
%app - Application id
%SP - entityID of SP
%IDP - entityID of IdP
%p - Protocol
%b - Binding
%attr - filtered attribute IDs

Considering whether to open up access to arbitrary request headers, if it's feasible.

Scott Cantor September 9, 2011 at 2:34 AM

Plan is to develop a new logging API for audit events and include support for configurable formatting similar to Apache. Actual log output will remain channeled through log4shib in the supplied implementation, but could be replaced.

Eventually this might become something more generalized for use with the trace logging, but that's a 3.0 thing.

The best option is probably to wrap as much internal SP state as possible so it can be exposed to the logging plugin.

Scott Cantor February 8, 2011 at 11:25 AM

That is in the expected work plan for 2.5 (or whatever v.Next is), I just haven't added those items to Jira yet, so you did it for me.

It also helps greatly to have a concrete suggestion. I might suggest you take this to the dev list and ask for input on what people think should be logged.

Fixed

Details

Created February 8, 2011 at 5:54 AM
Updated June 22, 2021 at 9:00 PM
Resolved October 30, 2011 at 9:43 PM