shibboleth-dev - RE: [Shib-Dev] Parseable audit logs for SP
Subject: Shibboleth Developers
List archive
- From: "Cantor, Scott E." <>
- To: "" <>
- Subject: RE: [Shib-Dev] Parseable audit logs for SP
- Date: Wed, 9 Feb 2011 15:11:55 +0000
- Accept-language: en-US
> The NameID would be very important to include, as this is often different
> from REMOTE_USER, although the qualifyers should be probably omitted.
It's in the transaction log now, I would include at least what's in there
already.
> OTOH I can not thinkof any good use of User-Agent and Protocol (should that
> mean http/https?) fields, IMO these would only generate noise. SP entityID
> seems to be redundant with the application id, if that's true, I'd keep the
> application id.
Agree with the latter, but Protocol presumably means SSO protocol, which I
believe I track now, and I think is useful for troubleshooting. User-Agent
I'm not sure about, but I think that in many cases people don't log it in
their web server, so I think it might be useful.
> I suppose that a timestamp should also be logged if it's not done implicitly
> by the library. For audit logs, I prefer to use unix timestamps, but as long
> as it is machine parseable, any solution would do.
I would be using the existing logging library, and it already lets you
manipulate the timestamp of the entries however you want them.
> The IdP contains many specifics of the SAML exchange (request id, assertion
> ids, etc), but I think, for an SP audit log, these are of little use.
They may be useful for correlation to those same logs, so I don't think
they're useless.
> To sum up, I'd propose the following record format:
> timestamp|sessionId|REMOTE_USER|NameID|client_IP|appId|IDP_entityi
> d|binding|
> authnTime|authncontext|filtered_attribute_ids
I think I would probably end up creating something that was pattern-based and
allowed people to specify how they wanted the fields ordered, or omitted, and
then created log output through the existing library.
I would guess this will also be a new plugin interface in the SP, so that
unlike the trace logging, the entire implementation could be swapped out
without changing the core SP code. That's too much work for general logging,
but this kind of log only gets written to in particular spots in the code.
-- Scott
- [Shib-Dev] Parseable audit logs for SP, Philip Brusten, 02/08/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Cantor, Scott E., 02/08/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Chad La Joie, 02/08/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Cantor, Scott E., 02/08/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Kristof Bajnok, 02/09/2011
- RE: [Shib-Dev] Parseable audit logs for SP, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Peter Schober, 02/09/2011
- RE: [Shib-Dev] Parseable audit logs for SP, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Chad La Joie, 02/09/2011
- RE: [Shib-Dev] Parseable audit logs for SP, Cantor, Scott E., 02/09/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Philip Brusten, 02/14/2011
- Re: [Shib-Dev] Parseable audit logs for SP, Peter Schober, 02/09/2011
- RE: [Shib-Dev] Parseable audit logs for SP, Cantor, Scott E., 02/09/2011
Archive powered by MHonArc 2.6.16.