Format of Logs Routed to SysLog


Matthew Uribe

Feb 14, 2019, 10:40:01 AM
to CAS Community
Hi all,

We've just recently added the appender and logger to log4j2.xml referred to in the documentation to route logs to SysLog (CAS 5.2.x). However, each individual line is being sent as a separate log entry. Is there a way to keep all the relevant lines for an entry together?

For example, each of the following lines is sent separately:

=============================================================
WHO: user
WHAT: ST...
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Feb 13 00:00:12 MST 2019
CLIENT IP ADDRESS: 1.2.3.4
SERVER IP ADDRESS: 4.3.2.1
=============================================================

Only, they're not sent over in this exact order. Instead, they are all jumbled with unrelated entries overlapping each other. I'm using the configuration from the "Routing Logs to SysLog" section of this page: https://apereo.github.io/cas/5.2.x/installation/Logging.html
The only thing I've really changed so far is the newLine - I set it to false thinking it might change this line by line behavior, but it did not. My next thought is to change the format, or experiment with other layouts, but rather than guess and check, I thought I'd first reach out to the community. Any insights would truly be appreciated.


...
<Appenders>
    <Syslog name="SYSLOG" format="RFC5424" host="log.server.example" port="514"
            protocol="TCP" appName="MyApp" includeMDC="true" mdcId="mdc"
            facility="LOCAL0" enterpriseNumber="18060" newLine="false"
            messageId="Audit" id="App"/>
</Appenders>
...
<AsyncLogger name="org.apereo" additivity="true" level="debug">
    <appender-ref ref="SYSLOG" />
</AsyncLogger>



Thanks!
Matt

David Curry

Feb 14, 2019, 10:58:59 AM
to cas-...@apereo.org
Not a direct answer to your question, but if you have a Graylog server available, the GELF format for CAS logs is pretty excellent. For example, I've included a SERVICE_TICKET_CREATED example below, since that's the example you gave.


(Note: The instructions use Graylog inputs, which is what we did originally. When we rebuilt our "bigger faster better" Graylog environment, we switched to using streams, one each for the dev, test, and prod CAS environments. Either way works.)

--Dave

Received by: GELF UDP JSON format log messages on 6bf1a9d3 / graylog-web03-lip.newschool.edu
Stored in index: graylog_11
Routed into streams:

_eventId: [submit]
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
characterEncodingFilter_FILTERED: true
connection: keep-alive
content-length: 4467
content-type: application/x-www-form-urlencoded
contentType: application/x-www-form-urlencoded
contextPath: /cas
cookie: BIGipServercasdev_pool=2372870037.64288.0000
errorPageFilter_FILTERED: true
execution: [5d87d18b-6de4-433e-9253-d35a3738e80c_...]
geolocation: []
javax_servlet_request_cipher_suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
javax_servlet_request_key_size: 128
javax_servlet_request_ssl_session_id: 74b6fcbe193a81c8dd9b37044de5f376f0e46a5d13f630b82a6a51cb03866d2d
javax_servlet_request_ssl_session_mgr: org.apache.tomcat.util.net.jsse.JSSESupport@1fdc30ae
level: 6
localAddress: 149.31.111.141
localPort: 8443
locale: English (United States)
logger: org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager
message: Audit trail record BEGIN ============================================================= WHO: curryd WHAT: ST-1--vjc6pF-JTXRREREbxxE7sn87RI-casdev-srv01-lid for https://casdev-casapp.newschool.edu/secured-by-cas/index.php ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Thu Feb 14 10:45:58 EST 2019 CLIENT IP ADDRESS: 149.31.50.13 SERVER IP ADDRESS: 149.31.111.141 =============================================================
method: POST
metricsFilter_FILTERED: true
org_apache_catalina_AccessLog_Protocol: HTTP/1.1
org_apache_catalina_AccessLog_RemoteAddr: 149.31.50.13
org_apache_catalina_AccessLog_RemoteHost: 149.31.50.13
org_apache_catalina_AccessLog_ServerPort: 443
org_apache_logging_log4j_web_Log4jServletFilter_FILTERED: true
org_apache_tomcat_remoteAddr: 149.31.50.13
org_apache_tomcat_util_net_secure_protocol_version: TLSv1.2:TLS
org_springframework_boot_actuate_autoconfigure_MetricsFilter_StopWatch: StopWatch '': running time (millis) = 0
org_springframework_web_context_request_async_WebAsyncManager_WEB_ASYNC_MANAGER: org.springframework.web.context.request.async.WebAsyncManager@cc9a36b
origin:
password: [xxxxxxxx]
protocol: HTTP/1.1
queryString: service=https%3a%2f%2fcasdev-casapp.newschool.edu%2fsecured-by-cas%2findex.php
referer:
remoteAddress: 149.31.50.13
remotePort: 17996
requestUri: /cas/login
scheme: https
serverName:
serverPort: 443
service:
source:
submit: [Continue]
thread: https-openssl-nio-8443-exec-24
timestamp: 2019-02-14T15:45:58.248Z
timezone: Eastern Standard Time
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
username: [curryd]
webappName: cas
x-forwarded-for: 149.31.55.205





--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu




Ray Bon

Feb 14, 2019, 11:18:28 AM
to cas-...@apereo.org
Matthew,

Add this to cas.properties (you will get used to the format after a while):

cas.audit.useSingleLine=true

Or you can use 'replace' in your logger which has the added benefit of handling java stack traces:

        <Socket name="syslogAppender" host="localhost" port="1514" protocol="TCP">
            <PatternLayout>
                <pattern>&lt;%level{WARN=28, DEBUG=31, ERROR=27, TRACE=31, INFO=30, FATAL=25}&gt;%d{MMM dd HH:mm:ss} ${hostName} CAS: %c %replace{%m}{\n+}{&lt;31&gt;CAS: TRACE: }%n</pattern>
            </PatternLayout>
        </Socket>

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
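
Added example (not part of the thread and not CAS or Log4j code): a Python sketch of why the multi-line audit record arrives as separate entries at a receiver that treats each LF as the end of a message, and how a substitution like the %replace pattern in the reply above keeps it as one parseable entry. The syslog prefix, the host name cas-host and the LF-delimited receiver are assumptions; the record text is constructed from the samples in this thread.

```python
import re

# Constructed sample: the multi-line audit record quoted in the question.
AUDIT_RECORD = "\n".join([
    "Audit trail record BEGIN",
    "=" * 61,
    "WHO: user",
    "WHAT: ST...",
    "ACTION: SERVICE_TICKET_CREATED",
    "APPLICATION: CAS",
    "WHEN: Wed Feb 13 00:00:12 MST 2019",
    "CLIENT IP ADDRESS: 1.2.3.4",
    "SERVER IP ADDRESS: 4.3.2.1",
    "=" * 61,
])

PRI_HEADER = "<30>Feb 13 00:00:12 cas-host CAS: "  # constructed prefix (INFO)
CONTINUATION = "<31>CAS: TRACE: "  # replacement text used in the pattern above


def frame_raw(message):
    """Header + untouched message + LF terminator, as one TCP write."""
    return (PRI_HEADER + message + "\n").encode()


def frame_replaced(message):
    """Same, but every run of newlines in the message becomes the marker."""
    return (PRI_HEADER + re.sub(r"\n+", CONTINUATION, message) + "\n").encode()


def receive(stream):
    """Assumed receiver behaviour: each LF ends one log entry."""
    return [line.decode() for line in stream.split(b"\n") if line]


def parse_audit(entry):
    """Recover the audit fields from a single-line entry on the SIEM side."""
    fields = {}
    for part in entry.split(CONTINUATION):
        key, sep, value = part.partition(": ")
        if sep and key.isupper():  # keeps WHO, WHAT, ...; skips header and rulers
            fields[key] = value
    return fields


if __name__ == "__main__":
    print(len(receive(frame_raw(AUDIT_RECORD))), "entries without replacement")
    single = receive(frame_replaced(AUDIT_RECORD))
    print(len(single), "entry with replacement:", parse_audit(single[0]))
```

Without the substitution only the first received entry carries the syslog header, so the remaining lines cannot be tied back to their record once other threads' output is mixed in.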

Matthew Uribe

Feb 14, 2019, 2:51:03 PM
to CAS Community
Thanks David,

We're not using Graylog, but your note about using UDP rather than TCP is advice I think I'll take! 

Thanks for keeping up with your documentation. It's a great resource.

Matt

Matthew Uribe

Feb 14, 2019, 2:54:15 PM
to CAS Community
Hi Ray,

Thanks for these options. I'm experimenting a little with both. I like the simplicity of the first option. Since you pointed it out, I did find it in the CAS documentation, but I don't think I would have noticed that without your having mentioned it. I also like the second option since it doesn't necessarily affect my text logs on the server. Both options are very appreciated.

Thanks,
Matt