Audit Logging - remote IP address - IdP v3.4

Lipscomb, Gary glipscomb at
Tue May 28 01:29:20 EDT 2019


Think I've found the issue

Item [1] below - cut and paste error

Should be

    <!-- Audit log. -->
    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">

        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">

        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">

A new field was added in audit.xml - the %X for Encrypted Assertions introduced in v3.4

    <util:map id="shibboleth.AuditFormattingMap">
        <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|%X" />

We needed to add a "|" in the pattern for Audit log to split the fields


In v3.3.3 of audit.xml the field deleimiter "|" is included after the last field but not in v3.4.4

      <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />

Arising from this should %a "Client address" be included by default in audit.xml



-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Lipscomb, Gary
Sent: Tuesday, 28 May 2019 11:45
To: Shib Users <users at>
Subject: Audit Logging - remote IP address - IdP v3.4

Hi list,

We have noticed a change in the format of the  Remote IP address we capture in the idp-audit.log which we import into Splunk for analysis. The word "true" is appended to the remote IP address.
Is this an expected change from the MDC [5] or should I be looking elsewhere?

RHEL 7.6 Maipo
IdP v3.4.4
Tomcat 7

[1] logback.xml
        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
            <Pattern>%date{ISO8601} - %mdc{idp.remote_addr} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>

[2] 2018 idp-audit.log IdP v3.3.3 and IdP v 3.4.0

[3] 2019 idp-audit.log    IdPv3.4.4

[4] remote IP address in header obtained using tcpdump
2720:   X-Forward:
2721:   X-Forwarded-Proto: https


Gary Lipscomb
Technical Officer (Infrastructure), Systems | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University


This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with Charles Sturt University may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at Charles Sturt University. The views expressed in this email are not necessarily those of Charles Sturt University.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV12018
Consider the environment before printing this email.
For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list