How do I cut some of the information that is logged with SERVICE_ACCESS_ENFORCEMENT_TRIGGERED log entries to our cas_audit log to reduce log verbosity?


crdaudt

Jan 27, 2020, 5:22:48 PM
to CAS Community
In updating from CAS 5.x to CAS 6.1.x, I see that additional logging information has been added to the cas_audit log, specifically, log entries that include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED".  We would either like to reduce the amount of information in these entries, or possibly even omit these entries altogether.  The reason is that the security groups listing for many of our users results in rather large log entries.  For example, my own entry for "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an entry that is over 3,000 characters long.

Perhaps some of my ideas below are not very good ideas, and I am open to perspective.


Idea 1:  Is it possible to replace the logged results of the "memberOf" field with ellipses, and if so, how?

-->I.e., change:
2020-01-27 15:56:06,835 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe, attributes={displayName=[Doe, John], mail=[john...@myuniversity.edu], memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup3,OU=Faculty Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu], sAMAccountName=[john_doe], UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56

-->Into something like this:
2020-01-27 15:56:06,835 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe, attributes={displayName=[Doe, John], mail=[john...@myuniversity.edu], memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56


Idea 2:  Is it possible to omit the log entries for "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?


Idea 3:  Is it possible to create two separate audit log files, one without the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this cas_audit.log) and one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" (call this cas_audit_log.verbose)?  If so, how?  In this case, I would likely gzip the verbose logs relatively frequently.


I am open to other ideas as well.

Carl

Ray Bon

Jan 28, 2020, 3:03:07 PM
to cas-...@apereo.org
Carl,

To change output of audit logging, you could override it with a custom implementation, https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#overlay-customization. This describes modifying text but the process can be used to modify java classes as well. But see, https://apereo.github.io/2017/09/10/stop-writing-code/. The java blog entry, https://apereo.github.io/2018/04/01/cas-overlays-supercharged/.

To hide log entries, you can use filters. For example:

        <!-- DEBUG TGT and ST
                   on logout ST and service -->
        <AsyncLogger name="org.apereo.cas.AbstractCentralAuthenticationService" level="error" includeLocation="true">
            <RegexFilter regex="Publishing.*ticketGrantingTicket=.*serviceTicket=.*" onMismatch="DENY" />
        </AsyncLogger>


Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

crdaudt

Jan 29, 2020, 3:54:50 PM
to CAS Community
Thanks Ray.  The following log4j2.xml RegexFilter configuration worked for me to eliminate all log entries with the specified string:
---BEGIN---
    <Loggers>
...
        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" additivity="false">
            <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*" onMatch="DENY" onMismatch="ACCEPT"/>
            <AppenderRef ref="casAudit"/>
        </AsyncLogger>
...
    </Loggers>
---END---

Oddly enough, I could not get the same RegexFilter to work with my Appender (as you had suggested).  The following RegexFilter string appears to be ignored:
---BEGIN---
    <Appenders>
...
        <RollingFile name="auditlogfile" fileName="${baseDir}/cas_audit.log" append="true"
                     filePattern="${baseDir}/cas_audit-%d{yyyy-MM-dd}-%i.log">
            <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*" onMatch="DENY" onMismatch="ACCEPT"/>
            <PatternLayout pattern="%d %p [%c] - %m%n"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="300 MB"/>
                <TimeBasedTriggeringPolicy />
            </Policies>
        </RollingFile>
        <CasAppender name="casAudit">
            <AppenderRef ref="auditlogfile" />
        </CasAppender>
...
    </Appenders>
---END---

If I can figure out how to apply the filter to the Appender rather than the Logger, I could write to two separate CAS audit log appenders, one that is filtered ("casAudit") and one that is unfiltered ("casAuditVerbose").
In retrospect, I think we will be fine with simply having a single CAS audit log, removing all "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries from it.  But I am mystified why the RegexFilter fails to perform any action when configured with the Appender.

Carl
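As an added example (not posted in this thread), a log4j2.xml that combines Carl's Idea 1 and Idea 3: one compact audit file with the SERVICE_ACCESS_ENFORCEMENT_TRIGGERED entries filtered out, and a gzipped verbose file that keeps them but collapses the memberOf list to "memberOf=[...]" via log4j2's %replace pattern converter. The RegexFilter is placed on the logger's AppenderRef rather than inside the RollingFile, since log4j2 evaluates AppenderRef filters before the event reaches the CasAppender wrapper; `${baseDir}`, the CasAppender element and the "auditlogfile"/"casAudit" names are taken from Carl's posted config, while the verbose appender names are assumed.

```xml
<Configuration>
  <Appenders>
    <!-- Compact audit log: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED entries are dropped by the
         filter on the logger's AppenderRef below, so no filter is needed on the file itself. -->
    <RollingFile name="auditlogfile" fileName="${baseDir}/cas_audit.log" append="true"
                 filePattern="${baseDir}/cas_audit-%d{yyyy-MM-dd}-%i.log">
      <PatternLayout pattern="%d %p [%c] - %m%n"/>
      <Policies>
        <OnStartupTriggeringPolicy/>
        <SizeBasedTriggeringPolicy size="300 MB"/>
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>
    <!-- Verbose audit log (assumed name): keeps every entry, but %replace rewrites the
         memberOf value list to "memberOf=[...]" (Idea 1); the .gz suffix in filePattern
         makes log4j2 compress each rolled file. -->
    <RollingFile name="auditverbosefile" fileName="${baseDir}/cas_audit_verbose.log" append="true"
                 filePattern="${baseDir}/cas_audit_verbose-%d{yyyy-MM-dd}-%i.log.gz">
      <PatternLayout pattern="%d %p [%c] - %replace{%m}{memberOf=\[[^\]]*\]}{memberOf=[...]}%n"/>
      <Policies>
        <OnStartupTriggeringPolicy/>
        <SizeBasedTriggeringPolicy size="300 MB"/>
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>
    <CasAppender name="casAudit">
      <AppenderRef ref="auditlogfile"/>
    </CasAppender>
    <CasAppender name="casAuditVerbose">
      <AppenderRef ref="auditverbosefile"/>
    </CasAppender>
  </Appenders>
  <Loggers>
    <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" additivity="false">
      <!-- The filter sits on the AppenderRef, so it is applied on the logger side before
           the event is handed to CasAppender, not inside the RollingFile it delegates to. -->
      <AppenderRef ref="casAudit">
        <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*" onMatch="DENY" onMismatch="ACCEPT"/>
      </AppenderRef>
      <AppenderRef ref="casAuditVerbose"/>
    </AsyncLogger>
  </Loggers>
</Configuration>
```

The %replace regex relies on the memberOf list containing no "]" character, which holds for the DN-style group names shown in the thread.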

Ray Bon

Jan 29, 2020, 7:12:52 PM
to cas-...@apereo.org
I hear you on 'filters in appenders'. All of mine are commented out because they did not work.

Ray