I hear you on 'filters in appenders'. All of mine are commented out because
they did not work.
Ray
On Wed, 2020-01-29 at 12:54 -0800, crdaudt wrote:
Thanks Ray. The following log4j2.xml RegexFilter configuration worked for me
to eliminate all log entries with the specified string:
---BEGIN---
<Loggers>
    ...
    <AsyncLogger name="org.apereo.inspektr.audit.support" level="info"
                 includeLocation="true" additivity="false">
        <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*"
                     onMatch="DENY" onMismatch="ACCEPT"/>
        <AppenderRef ref="casAudit"/>
    </AsyncLogger>
    ...
</Loggers>
---END---
Oddly enough, I could not get the same RegexFilter to work with my Appender (as
you had suggested). The following RegexFilter string appears to be ignored:
---BEGIN---
<Appenders>
    ...
    <RollingFile name="auditlogfile" fileName="${baseDir}/cas_audit.log"
                 append="true"
                 filePattern="${baseDir}/cas_audit-%d{yyyy-MM-dd}-%i.log">
        <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*"
                     onMatch="DENY" onMismatch="ACCEPT"/>
        <PatternLayout pattern="%d %p [%c] - %m%n"/>
        <Policies>
            <OnStartupTriggeringPolicy />
            <SizeBasedTriggeringPolicy size="300 MB"/>
            <TimeBasedTriggeringPolicy />
        </Policies>
    </RollingFile>
    <CasAppender name="casAudit">
        <AppenderRef ref="auditlogfile" />
    </CasAppender>
    ...
</Appenders>
---END---
If I can figure out how to apply the filter to the Appender rather than the
Logger, I could write to two separate CAS audit log appenders, one that is
filtered ("casAudit") and one that is unfiltered ("casAuditVerbose").
In retrospect, I think we will be fine with simply having a single CAS audit
log, removing all "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries from it. But
I am mystified why the RegexFilter fails to perform any action when configured
with the Appender.
Carl
On Tuesday, January 28, 2020 at 3:03:07 PM UTC-5, rbon wrote:
Carl,
To change output of audit logging, you could override it with a custom
implementation,
https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#overlay-customization.
This describes modifying text but the process can be used to modify java
classes as well. But see,
https://apereo.github.io/2017/09/10/stop-writing-code/. The java blog entry,
https://apereo.github.io/2018/04/01/cas-overlays-supercharged/.
To hide log entries, you can use filters. For example:
<!-- DEBUG TGT and ST on logout ST and service -->
<AsyncLogger name="org.apereo.cas.AbstractCentralAuthenticationService"
             level="error" includeLocation="true">
    <RegexFilter regex="Publishing.*ticketGrantingTicket=.*serviceTicket=.*"
                 onMismatch="DENY" />
</AsyncLogger>
See here for filter possibilities,
https://logging.apache.org/log4j/2.x/manual/filters.html
Ray
On Mon, 2020-01-27 at 14:22 -0800, crdaudt wrote:
In updating from CAS 5.x to CAS 6.1.x, I see that additional logging
information has been added to the cas_audit log, specifically, log entries that
include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED". We would either like to
reduce the amount of information in these entries, or possibly even omit these
entries altogether. The reason is that the security groups listing for many of
our users results in rather large log entries. For example, my own entry for
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an entry that is over 3,000
characters long.
Perhaps some of my ideas below are not very good ideas, and I am open to
perspective.
Idea 1: Is it possible to replace the logged results of the "memberOf" field
with ellipses, and if so, how?
-->I.e., change:
2020-01-27 15:56:06,835 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27
15:56:06 EST 2020|CAS|[result=Service Access
Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
attributes={displayName=[Doe, John],
mail=[[email protected]],
memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security
Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty
Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu,
CN=securityGroup3,OU=Faculty Groups,OU=Security
Groups,DC=myADdomain,DC=myuniversity,DC=edu], sAMAccountName=[john_doe],
UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56
-->Into something like this:
2020-01-27 15:56:06,835 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan 27
15:56:06 EST 2020|CAS|[result=Service Access
Granted,service=https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
attributes={displayName=[Doe, John],
mail=[[email protected]],
memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56
Idea 2: Is it possible to omit the log entries for
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?
Idea 3: Is it possible to create two separate audit log files, one without the
"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this cas_audit.log) and
one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" (call this
cas_audit_log.verbose)? If so, how? In this case, I would likely gzip the
verbose logs relatively frequently.
I am open to other ideas as well.
Carl
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.