Versions Compared

Old Version 18

changes.mady.by.user John Jellema

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

    • Logback system works in such away that the arrival of the first event after midnight will trigger a rollover, and if maxHistory has been specified the old files are deleted at that time

    • If no events are written to a particular log file rollover happens in restart when the appender is being started. In this case the old files are not deleted if you don’t add this definition to your logback configuration: <cleanHistoryOnStart>true</cleanHistoryOnStart>
      Example when password applications are not in use:

Expand
titleThe contents of the include-logback.xml file with explanations

Linux installation: /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/logging/include-logback.xml

Windows installation: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\logging\include-logback.xml

Each section of this file is explained below.

Code Block
  <!-- (1) Default levels for Diagnostic logs entry types -->
  <turboFilter class="com.ubisecure.common.logging.MarkerBasedLogFilter">
    <DefaultLevels>audit=info;tech=info;diag.*=info</DefaultLevels>
  </turboFilter>

  • SSO diagnostic log levels especially for the uas application can be set by entry types, see Diag log description

  • DefaultLevels element specifies the default levels for each entry type

  • Without this definition the default level is off

  • Default level can be overridden here or the level in use can be set via the management UI

  • Audit log is enabled by default

  • In order to enable Statistics log, DefaultLevels element values need to be modified

Code Block
  <!-- (2) Limit the amount of rotated files to be preserved. 
       Uncomment property and set the appropriate value if you desire this feature -->
  <!-- <property name="LOG_FILE_MAX_HISTORY" value="10" />  -->
  <!-- <property name="AUDIT_LOG_FILE_MAX_HISTORY" value="400" /> -->
  <!-- <property name="PASSWORD_AUDIT_LOG_FILE_MAX_HISTORY" value="400" /> -->

  • By default, log files are rotated on a daily basis and the old files are never deleted

  • By removing comment signs from these properties and specifying the amount of days you need to preserve, you can make logback to deleted delete the old files automatically

  • Property LOG_FILE_MAX_HISTORY applies to SSO diagnostics log (sso_diag.<YYYY-MM-DD>.log)

  • Property AUDIT_LOG_FILE_MAX_HISTORY applies to uas and SSO management (ubilogin) audit logs and statistics log (uas3_audit.<YYYY-MM-DD>.log, uas3_statistics.<YYYY-MM-DD>.log, management_audit.<YYYY-MM-DD>.log)

  • Property PASSWORD_AUDIT_LOG_FILE_MAX_HISTORY applies to password and password-reset audit log (password_audit.<YYYY-MM-DD>.log)

Code Block
  <!-- (3) SSO log format settings START -->
 

  <conversionRule conversionWord="diagex" converterClass="com.ubisecure.common.logging.LogExceptionConverter" />
  <conversionRule conversionWord="diagmarker" converterClass="com.ubisecure.common.logging.MarkerConverter" />



<conversionRule conversionWord="diagex" converterClass="com.ubisecure.common.logging.LogExceptionConverter" />
  <conversionRule conversionWord="diagmarker" converterClass="com.ubisecure.common.logging.MarkerConverter" />

  <if condition='property("LOG_CONTEXT").equalsIgnoreCase("sso-api")'>
    <then>
      <property name="DIAG_LOG_PATTERN" value="%d{'yyyy-MM-dd HH:mm:ss,SSS'} %property{LOG_CONTEXT} %diagmarker %level %X{remote-addr} %X{sub} %msg %diagex%nopex%n" />
    </then>
    <else>
      <property name="DIAG_LOG_PATTERN" value="%d{'yyyy-MM-dd HH:mm:ss,SSS'} %property{LOG_CONTEXT} %diagmarker %level %msg %diagex%nopex%n" />
    </else>
  </if>
  <property name="CONSOLE_LOG_PATTERN" value="${DIAG_LOG_PATTERN}" />
  <property name="FILE_LOG_PATTERN" value="${DIAG_LOG_PATTERN}" />
  <property name="AUDIT_FILE_LOG_PATTERN" value="&#34;%d{'yyyy-MM-dd HH:mm:ss,SSS'}&#34;,%msg%n" />
  <property name="MANAGEMENT_AUDIT_LOG_PATTERN" value="%d{'yyyy-MM-dd HH:mm:ss,SSS'} %msg %diagex%nopex%n" />
  <property name="PASSWORD_AUDIT_LOG_PATTERN" value="%msg %diagex%nopex%n" />
  
  <!-- (3) SSO log format settings END -->

  • Log format is specified for each logback appender with pattern properties

  • The format for file appenders are compatible with e.g. Logviewer

  • Diagnostic log pattern is the same for all web applications except sso-api has even more fields in it, the fields are:

    • date-timestamp

    • web application name e.g. uas, ubilogin, sso-api etc.

    • either the entry type (init, tech, method etc.) or fully qualified class name (e.g. com.ubisecure.saml2.metadata.URLMetadataLocator)

    • log level

    • sso-api only: remote IP address of the caller

    • sso-api only: authenticated user calling the API

    • log message

    • exception message

      • the full stack trace is printed only in case of debug level set to the entry type or fully qualified class name of this log event

      • full stack trace is printed always in case of a third party library logging an exception

  • Audit log patterns are compatible with previous releases

  • We don’t recommend you to modify these settings except CONSOLE_LOG_PATTERN can be altered if desired

Code Block
  <!-- (4) SSO log folder and base file name -->
  <property name="LOG_FOLDER" value="/usr/local/ubisecure/ubilogin-sso/ubilogin/logs" />
  <property name="SSO_LOG_FILE_PREFIX" value="${LOG_FOLDER}/sso" />
  <property name="UAS_LOG_FILE_PREFIX" value="${LOG_FOLDER}/uas3" />

  • Windows installation: <property name="LOG_FOLDER" value="C\:\\Program Files\\Ubisecure\\ubilogin-sso\\ubilogin/logs" />

  • These settings define the log folder which is set during the installation process (platform specific) and the log file base names

Code Block
  <!-- (5) SSO installation log appenders START -->
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
...
  </appender>

  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
...
    <!-- <file>${SSO_LOG_FILE_PREFIX}_diag.log</file> -->
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>${SSO_LOG_FILE_PREFIX}_diag.%d{yyyy-MM-dd}.log</fileNamePattern>
      <if condition='isDefined("LOG_FILE_MAX_HISTORY")'>
        <then>
          <maxHistory>${LOG_FILE_MAX_HISTORY}</maxHistory>
        </then>
      </if>
    </rollingPolicy>
  </appender>
...
  
  <!-- (5) SSO installation log appenders END -->

<!-- (6) SSO

  • The noteworthy thing with file appenders is that a time based rolling policy on daily basis has been defined like in the previous releases

  • Because the file element on top of the rollingPolicy element is commented out, also the current day's file has the date in its name (e.g. sso_diag.2022-11-25.log)

    • In linux systems it is possible to remove the comment signs from the file element and have the current day’s file without date in its name (e.g. sso_diag.log)

    • Only the files with the date in their names are visible in the Logviewer application

  • The maxHistory element is defined only if the respective property is set in the beginning of this configuration file

Code Block
Code Block
  <property name="PASSWORD_AUDIT_LOG_FILE_MAX_HISTORY" value="1" />
...  
  <appender name="PASSWORD_AUDIT_FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
...
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>${LOG_FOLDER}/password_audit.%d{yyyy-MM-dd}.log</fileNamePattern>
      <cleanHistoryOnStart>true</cleanHistoryOnStart>
      <if condition='isDefined("PASSWORD_AUDIT_LOG_FILE_MAX_HISTORY")'>
        <then>
          <maxHistory>${PASSWORD_AUDIT_LOG_FILE_MAX_HISTORY}</maxHistory>
        </then>
      </if>
    </rollingPolicy>
  </appender>

Code Block
  <!-- (6) SSO management audit log. -->
  <!-- Set the level to INFO if you desire to have SSO Management audit file log -->
  <logger name="com.ubisecure.ubilogin.management" level="OFF">
    <appender-ref ref="MANAGEMENT_AUDIT_FILE" />
  </logger>

  • In order to activate Management audit log, the level attribute here must be set to INFO

  • If you are not interested in this feature, you may delete the whole section, as even if you have no events for them, these definitions will create empty files for each day when the system is restarted

Code Block
  <!-- (7) SSO SatuHetu log appender if needed START -->
  ...
  <!-- (7) SSO SatuHetu log appender if needed END -->

  • This section in relevant only if you utilise the SatuHetu utility.

Code Block
  <!-- (8) Syslog appenders if needed START -->
...
  <!-- (8) Syslog appenders if needed END -->

  • This section is used by Ubisecure’s Identity Cloud service and is not relevant for customer installations.

Code Block
  <!-- (9) Configure appenders for logging with default INFO level -->
  <root level="INFO">
    <appender-ref ref="CONSOLE" />
    <appender-ref ref="FILE" />
    <appender-ref ref="AUDIT_FILE" />
    <appender-ref ref="STATISTICS_FILE" />
    <appender-ref ref="PASSWORD_AUDIT_FILE" />
  </root>
...

  • In this section the default level INFO is specified for each appender

  • This means that the default logging level for all Java classes, implemented by Ubisecure or third parties, is INFO

  • If you don’t utilise console logging, you may remove CONSOLE appender from this list

  • If you don’t utilise file appenders, you may remove them from this list. Note: if you have no events for the file appenders they will still create empty files for each day when the system is restarted

  • You should keep at least FILE and AUDIT_FILE appenders here

Code Block
  <!-- (10) Customise log levels -->
  <!-- Some examples  -->
  <logger name="com.ubisecure.saml2.metadata.URLMetadataLocator" level="INFO" />

  • In this section you can override the default level INFO for any Java package or class

  • You can set a higher level in order to reduce logging

  • You can set a lower level when troubleshooting

...