Here's probably the best place to start.
https://spaces.internet2.edu/display/SHIB2/Contributions
Items to look at on that page are shlook which will give some nice RRD
graphs etc.
The IdP Audit Log Analysis Tool can do quite a lot for a little simple
app.
Also take a look at Jim Fox's stuff at UW
http://staff.washington.edu/fox/stats_idp/
I have yet to get Jim's stuff running here but it's on my list. The IdP
Audit Log tool is working nicely to send mail to the boss though :)
Also. If you're using TC to cluster I think there was some noise on the
list not too long ago about getting the # active sessions with JMX and
plotting that.
------
thanks
kevin.foote
Use your web logs, or count transactions from the SP tran log, I suppose.
> Checking
> /var/log/httpd/access log I see a bunch of lines like the below:
If you need some kind of tutorial on web logging, I'm not sure what to tell
you but I'm sure there's plenty out there, probably millions of links on
NCSA-style log parsing. There's nothing special about the SP being involved.
Am I not understanding you?
-- Scott
The question was not about IdP stats but SP usage, so the webserver
hosting the SP has all the required information.
While one could write a parser for shibd or transaction logs, there
has never been a case where I would have needed the info those provide.
> The IdP Audit Log Analysis Tool can do quite a lot for a little
> simple app.
[...]
> The IdP Audit Log tool is working nicely to send mail to the boss
> though :)
Glad you like it.
cheers,
-peter
Complete round trip to a protected spot looks as follows using the defaults for Apache
logging. Looks like 3 entries to me.
ME requesting the resource
IP.63 - - [29/Oct/2010:08:10:35 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 302 490
SHIBD saying let me get authz first from the IdP
IP.63 - - [29/Oct/2010:08:10:43 -0400] "POST /Shibboleth.sso/SAML/POST HTTP/1.1" 302 307
ME arriving at the resource
IP.63 - kpfoote [29/Oct/2010:08:10:44 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 200 5033
I think that's about all you can get out of the Apache side..
------
thanks
kevin.foote
On Fri, 29 Oct 2010, sofia cardita wrote:
-> Hi Scott,
->
-> I was told that this information would be available in the Shibboleth logs
-> so I didn't check Apache's logs. One question though, does Apache log the
-> 1st request to the authenticated area when the user is not authenticated, or
-> only the 2nd request when the user has been to the IdP and redirected back?
->
-> Thanks
->
-> Sofia
->
-> On Fri, Oct 29, 2010 at 5:19 AM, Scott Cantor <cant...@osu.edu> wrote:
->
-> > > How would I go about knowing how many users successfully accessed my
-> > > shibboleth authenticated area, ie. use the service i'm providing?
-> >
-> > Use your web logs, or count transactions from the SP tran log, I suppose.
-> >
-> > > Checking
-> > > /var/log/httpd/access log I see a bunch of lines like the below:
-> >
-> > If you need some kind of tutorial on web logging, I'm not sure what to tell
-> > you but I'm sure there's plenty out there, probably millions of links on
-> > NCSA-style log parsing. There's nothing special about the SP being
-> > involved.
-> >
-> > Am I not understanding you?
-> >
-> > -- Scott
-> >
-> >
-> >
->
There is a request from the HTTP user agent, it will be serviced by
httpd (with a HTTP 30x status code, in case a session is required but
not available) and this will also be logged.
Your logs should also tell you this.
-peter
-> ME requesting the resource
-> IP.63 - - [29/Oct/2010:08:10:35 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 302 490
->
-> SHIBD saying let me get authz first from the IdP
-> IP.63 - - [29/Oct/2010:08:10:43 -0400] "POST /Shibboleth.sso/SAML/POST HTTP/1.1" 302 307
Actually between the two Apache entries above there is most likely tons
more going on (shibd) .. but for simplification that's kinda what's happening :-)
That second one is actually the Assertion coming back in from IdP I
believe.
------
thanks
kevin.foote
Best regards
Nuno
I think if you follow that thread again..
The consensus was that you'll have to rip through / parse your log
files at the SP and generate these custom stats for your location.
This coincidentally is what the IdP tools do as well.
On the SP your transaction.log would give you unique IdP representation
I believe.
On the SP your apache access logs (if apache) should give you the count of "login"
attempts when user is sent and returns from IdP.
------
thanks
kevin.foote
On Wed, 12 Jan 2011, Nuno Gonçalves wrote:
-> Hi All,
-> Are you using any analysis tool for service providers like the one available
-> for idp statistics ?
-> How do you get number of accesses per idp in a service provider ?
-> I was wondering if anyone is using something like the tool made by Peter
-> but on the service provider side.
->
-> Best regards
-> Nuno
->
-> -----Original Message-----
-> From: shibboleth-u...@internet2.edu
-> [mailto:shibboleth-u...@internet2.edu] On Behalf Of Peter Schober
-> Sent: sexta-feira, 29 de Outubro de 2010 13:25
-> To: shibbole...@internet2.edu
-> Subject: Re: [Shib-Users] Statistics for Service Usage - Shoboleth SP
->
-> * Kevin P. Foote <kpf...@iup.edu> [2010-10-29 05:46]:
-> > Here's probably the best place to start.
-> >
-> > https://spaces.internet2.edu/display/SHIB2/Contributions
->
-> The question was not about IdP stats but SP usage, so the webserver hosting
-> the SP has all the required information.
-> While one could write a parser for shibd or transaction logs, there has
-> never been a case where I would have needed the info those provide.
->
-> > The IdP Audit Log Analysis Tool can do quite a lot for a little simple
-> > app.
-> [...]
-> > The IdP Audit Log tool is working nicely to send mail to the boss
-> > though :)
->
-> Glad you like it.
->
-> cheers,
-> -peter
->
->
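Added example, not part of any poster's message or of the Shibboleth project: a small parser for the NCSA-style access log lines quoted earlier in the thread, counting the redirects to the IdP, the assertions posted back, and the authenticated hits per user, as described in the message above. The sample addresses, the second user and the `protected_prefix` parameter are constructed for illustration, and it assumes the SP populates the logged remote-user field as in the quoted `kpfoote` entry.

```python
import re
from collections import Counter

# NCSA common log format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?:\d+|-)'
)
ACS_PATH = "/Shibboleth.sso/SAML/POST"  # endpoint shown in the thread's log lines

# Constructed sample modelled on the round trip quoted in the thread.
SAMPLE = """\
192.0.2.63 - - [29/Oct/2010:08:10:35 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 302 490
192.0.2.63 - - [29/Oct/2010:08:10:43 -0400] "POST /Shibboleth.sso/SAML/POST HTTP/1.1" 302 307
192.0.2.63 - kpfoote [29/Oct/2010:08:10:44 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 200 5033
192.0.2.63 - kpfoote [29/Oct/2010:08:11:02 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 200 5033
198.51.100.7 - - [29/Oct/2010:08:12:00 -0400] "GET /cgi-bin/shibenv.pl HTTP/1.1" 302 490
198.51.100.7 - asmith [29/Oct/2010:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 120
garbage line that is not CLF
"""

def sp_usage(lines, protected_prefix="/cgi-bin/"):
    """Return (stats, per-user hit counts) for one SP-protected path prefix."""
    stats, users = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if m is None:
            stats["unparsed"] += 1          # count bad lines, do not drop them silently
            continue
        path = m["path"].split("?", 1)[0]   # ignore any query string
        user, status = m["user"], int(m["status"])
        if m["method"] == "POST" and path == ACS_PATH:
            stats["assertions"] += 1        # response coming back from the IdP
        elif path.startswith(protected_prefix):
            if user == "-" and 300 <= status < 400:
                stats["redirected"] += 1    # no session yet, sent off to log in
            elif user != "-" and 200 <= status < 300:
                stats["hits"] += 1          # authenticated access to the resource
                users[user] += 1
    return dict(stats), users

if __name__ == "__main__":
    stats, users = sp_usage(SAMPLE.splitlines())
    print(stats)
    print("unique users:", len(users), dict(users))
```

A gap between `redirected` and `assertions` (here the second address never comes back from the IdP) shows logins that were started but not completed.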
I would imagine the transaction log would as well.
Now that the configuration is in relatively better shape, a major remaining task is to align the audit logging to the IdP so that it's easier to parse.
-- Scott
Sounds like a good fit for splunk:
http://www.splunk.com/
It can eat any type of log from any source. It's easy to generate
reports and queries rather than trying to parse this yourself.