Table of Contents
...
General log entry format:
| Timestamp | IP-address | Type | ... |
Where fields are:
| Field Name | Description |
|---|---|
| Timestamp | Time when event occurred. ISO8601-formatted timestamp. |
| IP-address | IP Address of user client / IP Address of user client, proxy IPs |
| Type | Type of event |
Entry types
There are currently ten possible log entry types: authentication method list, authentication method selected, login, invalid login, ticket granted, assertion received, access denied, logout, consent confirmed and consent rejected. Each of these will be detailed with example content for each field in the listing below.
...
"Authentication method list" - entry format:
| Field Name | Timestamp | IP-address | "authentication method list" | Session ID | Authentication Request O rigin | User Agent |
|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "authentication method list" | "dfff2af759817ce44c3d31654e1b573" | "cn=service,ou=example,dc=example " | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| User Agent | Identification of the Web client used for authentication from the "User-Agent" HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2003-08-25 12:57:02,622", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example ", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
...
"Authentication method selected" - entry format:
| Field Name | Timestamp | IP-address | "authentication method selected" | Session ID | Authentication Method | Authentication Request Origin | User Agent |
|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:57:44,449" | "192.168.0.66" | "authentication method selected" | "dfff2af759817ce44c3d31654e1b573" | "tupas.1" | "cn=service,ou=example,dc=example" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 " |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | The name of the selected authentication method. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| User Agent | Identification of the Web client used for authentication from the "User-Agent" HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 " |
...
A login entry is generated when a user has authenticated successfully. In SSO, this may occur several times during the same session.
"Login" - entry format:
| Field Name | Timestamp | IP-address | "login" | Session ID | Authentication ID | Authentication Method | Ubisecure User ID | Authentication Method User ID | Authentication Request Origin | 3rd Party Authentication ID | User Agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:58:07,250" | "192.168.0.66" | "login" | "dfff2af759817ce44c3d31654e1b573" | "1dc4a5c9c4228be" | "tupas.1" | "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example" | "010101+2221" | "cn=service,ou=example,dc=example" | "805485067" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Method | Name of the used authentication method. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Authentication Method User ID | Authentication Method User ID value is dependant on used authentication method:
|
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| 3rd Party Authentication ID | Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider doesn't specify an identifier, then SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID:
|
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2003-08-25 12:58:07,250" ,"192.168.0.66" ,"login", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "tupas.1", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "010101+2221","cn=service,ou=example,dc=example","805485067", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
...
"invalid login" - entry format:
| Field Name | Timestamp | IP-address | "invalid login" | Session ID | Authentication Method | Authentication Method User ID | Authentication Request Origin | Reason For Failure | User Agent |
|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2020-05-29 08:50:01,090" | "172.27.0.1" | "invalid login" | "_e89ac671b7b5ec6a2fce69664f9eaca390a916a4" | "password.1" | "exampeUser" | "cn=Ubilogin,ou=System,cn=Ubilogin,dc=test" | "The user was not found" | "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | Name of the used authentication method. |
| Authentication Method User ID | Authentication Method User ID value is dependant on used authentication method:
|
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Reason for Failure | Reason for login failure. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2020-05-29 08:50:01,090","172.27.0.1","invalid login","_e89ac671b7b5ec6a2fce69664f9eaca390a916a4","password.1","exampeUser","cn=Ubilogin,ou=System,cn=Ubilogin,dc=test","The user was not found","Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" |
...
"Ticket granted"-entry format:
| Field Name | Timestamp | IP-Address | "ticket granted" | Session ID | Authentication ID | Authentication Request Origin | Redirect URL | Ubisecure User ID | Web Application User ID | User Agent |
|---|---|---|---|---|---|---|---|---|---|---|
| Example Values | "2020-05-27 13:30:02,547" | "192.168.0.66" | "ticket granted" | "_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c" | "4955a04e12589570" | "cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test" | "https://www.example.com/" | "CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test" | "stephen.butterworth@example.org" | "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Redirect URL | The URL to forward the user to after the authentication flow has been completed. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2020-05-27 13:30:02,547","192.168.0.66","ticket granted","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","https://www.example.com/","CN=Stephen Butterworth,OU=Example,CN=Ubilogin,DC=test","stephen.butterworth@example.org","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" |
...
"Access denied" - entry format:
| Field Name | Timestamp | IP-Address | "access denied" | Session ID | Authentication Request Origin | Reason of Denial | User Agent |
|---|---|---|---|---|---|---|---|
| Example Values | "2003-08-26 13:50:39,244" | "192.168.0.66" | "access denied" | "bb4d4463c8e45564e41cb62d734eee1b" | "cn=Ubilogin,ou=System,dc=example" | "No permission" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Reason of Denial | Reason for access denial. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2003-08-26 13:50:39,244", "192.168.0.66", "access denied", "bb4d4463c8e45564e41cb62d734eee1b", "cn=Ubilogin,ou=System,dc=example", "No permission", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
...
"Assertion received"-entry format:
| Field Name | Timestamp | IP-Address | "assertion received" | Session ID | Authentication Method | Authenticator ID | Attributes | User Agent |
|---|---|---|---|---|---|---|---|---|
| Example Values | "2011-10-12 09:06:38,294" | "195.197.205.34" | "assertionreceived" | "cabe0d9d07d42172a8e7af5de2425dca1c9154dc" | "saml.vetuma.1" | "MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b" | "urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011" | "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication Method | Name of the used authentication method. |
| 3rd Party Authentication ID | Identifier of the authentication event, which can be specified by the 3rd party identity provider. If the 3rd party identity provider doesn't specify an identifier, then SSO generates a random string and uses it as the value instead. Some authentication methods which set the Authenticator ID:
|
| Attributes | Attributes configured to be shown in Audit Log. See more at: Logging attributes to audit log |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2011-10-12 09:06:38,294","195.197.205.34","assertionreceived", _"cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" |
...
A logout entry is generated when a user logs out from Ubisecure SSO.
"Logout" - entry format:
| Field Name | Timestamp | IP-Address | "logout" | Session ID | User Agent |
|---|---|---|---|---|---|
| Example Values | "2003-08-25 12:58:08,993" | "192.168.0.66" | "logout" | "dfff2af759817ce44c3d31654e1b573" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2003-08-25 12:58:08,993", "192.168.0.66", "logout", "dfff2af759817ce44c3d31654e1b573", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
...
"Consent confirmed"-entry format
| Field name | Timestamp | IP-Address | Entry type | Session ID | Authentication ID | Authentication Request Origin | Scopes | Audiences | Ubisecure User ID | Web Application User ID | User agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "consent confirmed" | "dfff2af759817ce44c3d31654e1b573" | "73b678dd2c736959" | "cn=service,ou=example,dc=example" | "scope1 scope2" | "client.id.1 client.id.2" | "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example" | "mappedUsername" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Scopes | Scopes are relevant only for OAuth2 applications including OpenID Connect. Each scope defines a set of user attributes in the user's account. An application can request one or more scopes from which SSO derives the valid scopes that can be granted. The name of the requested scopes are then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. In the audit log only the scopes mapped with the authorization policy to user attributes are listed in this column using a space as the delimiter between each scope. |
| Audiences | Audiences are relevant only for OAuth2 applications including OpenID Connect. If a scope an application is requesting refers to another application with that applications client ID in SSO, the IDs of those applications are listed in this column. This entry uses a space as the delimiter between of the application client IDs. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2020-05-27 13:30:02,439","0:0:0:0:0:0:0:1","consent confirmed","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","4955a04e12589570","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" |
...
"Consent rejected"-entry format
| Field name | Timestamp | IP-Address | Entry type | Session ID | Authentication ID | Authentication Request Origin | Scopes | Audiences | Ubisecure User ID | Web Application User ID | User agent |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Example values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "consent rejected" | "dfff2af759817ce44c3d31654e1b573" | "73b678dd2c736959" | "cn=service,ou=example,dc=example" | "scope1 scope2" | "client.id.1 client.id.2" | "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example" | "mappedUsername" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
| Field Name | Description |
|---|---|
| Session ID | Unique identifier generated for the single sign-on session when it is created. |
| Authentication ID | Identifier generated by SSO for an authentication within the single sign-on session. |
| Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
| Scopes | Scopes are relevant only for OAuth2 applications including OpenID Connect. Each scope defines a set of user attributes in the user's account, An application can request one or more scopes from which SSO derives the valid scopes that can be granted. The name of those scopes are then presented to the user in the consent screen, which in this case the user rejects. In the audit log only the scopes mapped with the authorization policy to user attributes are listed in this column with space as the delimiter. |
| Audiences | Audiences are relevant only for OAuth2 applications including OpenID Connect. If a scope an application is requesting refers to another application with its client ID in SSO the IDs of those applications are listed in this column with space as the delimiter. |
| Ubisecure User ID | Unique identifier for the user For users that are registered in an LDAP directory, this is their LDAP name. For users that are registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method. For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method. |
| Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with attribute name 'username' which allows customizing the logged value. |
| User Agent | Value of User-Agent HTTP request header. |
Example:
| Code Block | ||
|---|---|---|
| ||
"2020-05-27 13:29:46,547","0:0:0:0:0:0:0:1","consent rejected","_11a098a6b573f8eb8e57a0bdd04ac784a9337b4c","73b678dd2c736959","cn=client1,ou=OIDC-testing,ou=System,cn=Ubilogin,dc=test","name","","cn=Administrator,ou=System,cn=Ubilogin,dc=test","","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" |
Configuring via logback.xml file (SSO >= 9.
...
1)
The logback.xml file is located in ubilogin customization directory (ubilogin-sso/ubilogin/custom/logging/logback.xml) and contains the configuration of all SSO logging. Learn about Logback configuration file syntax.
Audit log is enabled by default in the turboFilter <DefaultLevels> configuration as its level is set to INFO:
| Code Block |
|---|
<configuration>
<turboFilter class="com.ubisecure.common.logging.MarkerBasedLogFilter">
<DefaultLevels>audit=info;tech=info;diag.*=info</DefaultLevels>
</turboFilter>
...
</configuration> |
The pattern and appender configuration for this logger is configured by default to:
| Code Block |
|---|
<configuration>
...
<property name="AUDIT_FILE_LOG_PATTERN"
value=""%d{'yyyy-MM-dd HH:mm:ss,SSS'}",%msg%n" />
...
<appender name="AUDIT_FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
...
</filter>
<encoder>
<pattern>${AUDIT_FILE_LOG_PATTERN}</pattern>
</encoder>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${UAS_LOG_FILE}_audit.%d{yyyy-MM-dd}.log</fileNamePattern>
...
</rollingPolicy>
</appender>
...
</configuration> |
More examples of Logback configuration can be found in Diag log description section.