In updating from CAS 5.x to CAS 6.1.x, I see that additional logging information has been added to the cas_audit log, specifically, log entries that include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED". We would either like to reduce the amount of information in these entries, or possibly even omit these entries altogether. The reason is that the security groups listing for many of our users results in rather large log entries. For example, my own entry for "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an entry that is over 3,000 characters long.
Perhaps some of my ideas below are not very good ideas, and I am open to perspective.

Idea 1: Is it possible to replace the logged results of the "memberOf" field with ellipses, and if so, how?

-->I.e., change:

2020-01-27 15:56:06,835 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe, attributes={displayName=[Doe, John], mail=[[email protected]], memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup3,OU=Faculty Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu], sAMAccountName=[john_doe], UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56

-->Into something like this:

2020-01-27 15:56:06,835 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe, attributes={displayName=[Doe, John], mail=[[email protected]], memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56

Idea 2: Is it possible to omit the log entries for "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?

Idea 3: Is it possible to create two separate audit log files, one without the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this cas_audit.log) and one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" (call this cas_audit_log.verbose)? If so, how? In this case, I would likely gzip the verbose logs relatively frequently.

I am open to other ideas as well.
Carl
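A post-processing filter for Idea 1 and Idea 3, added here as an example; it is not part of the original message and is not CAS or Inspektr code. It works on lines already written in the single-line format quoted in the post and leaves CAS's own logging untouched; the function names are hypothetical, the sample lines are constructed, and `EXAMPLE_OTHER_ACTION` is a placeholder rather than a real CAS action name.

```python
import re
import sys

ACTION = "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED"
# memberOf values are DNs with no nested brackets, so match up to the first "]".
MEMBER_OF = re.compile(r"memberOf=\[[^\]]*\]")

# Constructed sample lines, shortened from the entry quoted in the post.
SAMPLE = [
    "2020-01-27 15:56:06,835 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - "
    "Mon Jan 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,"
    "principal=SimplePrincipal(id=john_doe, attributes={displayName=[Doe, John], "
    "memberOf=[CN=securityGroup1,OU=Faculty Groups,DC=edu, CN=securityGroup2,OU=Faculty Groups,DC=edu], "
    "sAMAccountName=[john_doe]}),requiredAttributes={}]"
    "|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56",
    "2020-01-27 15:56:07,001 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - "
    "Mon Jan 27 15:56:07 EST 2020|CAS|[constructed placeholder]|EXAMPLE_OTHER_ACTION|audit:unknown|10.2.100.56",
]


def action_of(line):
    """Return the action: third "|"-separated field from the end in the quoted format."""
    parts = line.rstrip("\n").rsplit("|", 3)
    return parts[1] if len(parts) == 4 else None


def redact_member_of(line):
    """Idea 1: collapse the memberOf value list to an ellipsis, keep everything else."""
    return MEMBER_OF.sub("memberOf=[...]", line)


def split_audit(lines):
    """Idea 3: return (compact, verbose); verbose holds the enforcement entries unmodified."""
    compact, verbose = [], []
    for line in lines:
        (verbose if action_of(line) == ACTION else compact).append(line)
    return compact, verbose


if __name__ == "__main__":
    # Filter mode: audit lines on stdin, memberOf-redacted lines on stdout.
    for raw in sys.stdin:
        sys.stdout.write(redact_member_of(raw))
```

Splitting from the right with `rsplit` keeps the action lookup correct even if the bracketed detail field itself contains a `|`.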
