Log failed authentications

Michael A Grady mgrady at unicon.net
Wed May 13 14:23:53 UTC 2020

> On May 13, 2020, at 8:55 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 5/13/20, 9:49 AM, "users on behalf of Ignacio Amoeiro Bosch" <users-bounces at shibboleth.net on behalf of ignacio.amoeiro at extern.ibsalut.es> wrote:
>> Is possible to audit failed login authentications in audit-event logger?
> No. That's impossible in general because most of them end up back on the login page waiting for another attempt. Auditing is at the request/response level of the overall profile attempt. Failed logins are a diagnostic logging use case. Failed authentication overall in the cases that a flow actually terminates in some way are audited with various event signals and/or SAML status results.
> Failed logins are also tracked numerically with metrics via counters.
> -- Scott

Where we had a need to just send the process log "login succeeded/failed" messages to a syslog appender, we added the following to pull those messages (obviously dependent on the content of tha message, not sure if it changes in 4.x) from the process log. Of course, if you a flog file aggregation service, you can just have any such filtering logic there. 

        <!-- Only send authentication messages for password and Duo -->
        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
                    <regex>Login by</regex>
                    <regex>Duo authentication</regex>
                <expression>Login.matches(formattedMessage) || Duo.matches(formattedMessage)</expression>

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200513/e33ce7bd/attachment.htm>

More information about the users mailing list