Audit Logging - remote IP address - IdP v3.4

Lipscomb, Gary glipscomb at csu.edu.au
Tue May 28 01:29:20 EDT 2019


Hi,

Think I've found the issue

Item [1] below - cut and paste error

Should be

    <!-- Audit log. -->
    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <File>${idp.logfiles}/idp-audit.log</File>

        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
            <maxHistory>${idp.loghistory}</maxHistory>
        </rollingPolicy>

        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
            <charset>UTF-8</charset>
            <Pattern>%msg%mdc{idp.remote_addr}|%n</Pattern>
        </encoder>
    </appender>

A new field was added in audit.xml - the %X for Encrypted Assertions introduced in v3.4

    <util:map id="shibboleth.AuditFormattingMap">
        <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X" />
    </util:map>

We needed to add a "|" in the pattern for Audit log to split the fields

            <Pattern>%msg|%mdc{idp.remote_addr}|%n</Pattern>

In v3.3.3 of audit.xml the field delimiter "|" is included after the last field but not in v3.4.4

      <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />


Arising from this, should %a "Client address" be included by default in audit.xml?

Regards

Gary




-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Lipscomb, Gary
Sent: Tuesday, 28 May 2019 11:45
To: Shib Users <users at shibboleth.net>
Subject: Audit Logging - remote IP address - IdP v3.4

Hi list,

We have noticed a change in the format of the Remote IP address we capture in the idp-audit.log which we import into Splunk for analysis. The word "true" is appended to the remote IP address.
Is this an expected change from the MDC [5] or should I be looking elsewhere?

RHEL 7.6 Maipo
IdP v3.4.4
Tomcat 7

[1] logback.xml
        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
            <charset>UTF-8</charset>
            <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
        </encoder>

[2] 2018 idp-audit.log IdP v3.3.3 and IdP v3.4.0
  |1xx.xxx.19.33|

[3] 2019 idp-audit.log IdP v3.4.4
  |true1xx.xxx.19.33|

[4] remote IP address in header obtained using tcpdump
2720:   X-Forward: 1xx.xxx.19.33
2721:   X-Forwarded-Proto: https

[5] https://wiki.shibboleth.net/confluence/display/IDP30/LoggingConfiguration#LoggingConfiguration-MappedDiagnosticContext

Gary Lipscomb
Technical Officer (Infrastructure), Systems | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
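
An added example (not part of the original messages and not Shibboleth project code): a Python parser for the three idp-audit.log layouts discussed in this thread. It shows that the missing "|" leaves the field count unchanged, so a log importer only catches the fused value by validating the address field. The sample lines, the address 192.0.2.33 and the "false" rendering of %X are constructed assumptions.

```python
import ipaddress

# Field tokens copied from the audit.xml format strings quoted in the thread.
V33_FIELDS = "T b I SP P IDP bb III u ac attr n i".split()  # v3.3.3 (value ends in "|")
V34_FIELDS = V33_FIELDS + ["X"]                             # v3.4.4 (no trailing "|")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_audit_line(line):
    """Split one idp-audit.log line and recover the remote address."""
    parts = line.rstrip("\n").split("|")
    if parts[-1] == "":
        parts.pop()  # trailing "|" written by the logback pattern
    n = len(V33_FIELDS)
    if len(parts) == n + 2:    # ...|%i|%X|addr|  pattern with the added "|"
        rec = dict(zip(V34_FIELDS, parts))
        rec.update(remote_addr=parts[-1], fused=False)
    elif len(parts) == n + 1:  # ...|%i|addr|  or  ...|%i|%Xaddr|  (same count)
        rec = dict(zip(V33_FIELDS, parts))
        rec.update(X=None, remote_addr=parts[-1], fused=False)
        for flag in ("true", "false"):  # "false" is an assumed rendering of %X
            rest = parts[-1][len(flag):]
            if parts[-1].startswith(flag) and is_ip(rest):
                rec.update(X=flag, remote_addr=rest, fused=True)
    else:
        raise ValueError("unexpected field count: %d" % len(parts))
    if not is_ip(rec["remote_addr"]):
        raise ValueError("remote address field is not an IP: %r" % rec["remote_addr"])
    return rec

# Constructed sample values (placeholders, not real log data); 192.0.2.33 is a
# documentation address standing in for the masked one in the thread.
SAMPLE = ["20190528T012920Z", "bind-in", "_in1", "https://sp.example.org", "profile",
          "https://idp.example.org", "bind-out", "_out1", "jdoe", "authn-ctx",
          "uid,mail", "", "_assert1"]
OLD_LINE = "|".join(SAMPLE) + "|192.0.2.33|\n"               # v3.3.3 layout
FUSED_LINE = "|".join(SAMPLE + ["true"]) + "192.0.2.33|\n"   # v3.4.4, no "|" after %msg
FIXED_LINE = "|".join(SAMPLE + ["true"]) + "|192.0.2.33|\n"  # v3.4.4, corrected pattern

if __name__ == "__main__":
    for name, line in (("old", OLD_LINE), ("fused", FUSED_LINE), ("fixed", FIXED_LINE)):
        r = parse_audit_line(line)
        print(name, r["X"], r["remote_addr"], "FUSED" if r["fused"] else "ok")
```

Because no IP address can begin with the letters of "true" or "false", the prefix check cannot misread a valid IPv4 or IPv6 value.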



