Audit log description - SSO
Introduction
Ubisecure SSO writes several distinct logs. This page describes the audit log. The audit log is written to files named according to the convention uas_audit.[date].log, where [date] is the current date formatted as YYYY-MM-DD.
General format
The log is written in comma-separated values (CSV) format. Each row represents one log entry. The values of an entry are enclosed in quotation marks and separated by commas. The first value of each row is an ISO 8601-formatted timestamp, the second is the client's IP address, and the third is the type of the log entry. The remaining values are type-dependent.
Timestamp | IP-address | Type | … | … |
General log entry format
Entry types
Possible log entry types are as follows: authentication method list, authentication method selected, login, invalid login, ticket granted, assertion received, access denied and logout.
Authentication method list
An authentication method list entry is logged when a user is shown the authentication method list.
Timestamp | IP-Address | "authentication method list" | Session identifier | Authentication request origin | User agent |
"Authentication method list"-entry format
Example:
"2003-08-25 12:57:02,622", "192.168.0.66", "authentication method list", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example ", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Authentication method selection
An authentication method selection entry is logged when a user selects an authentication method.
Timestamp | IP-Address | "authentication method selected" | Session identifier | Authentication method name | Authentication request origin | User agent |
"Authentication method selected"-entry format
Example:
"2003-08-25 12:57:44,449", "192.168.0.66", "authentication method selected", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "cn=service,ou=example,dc=example", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1 "
Login
A login entry is logged when a user is authenticated successfully.
Timestamp | IP-Address | "login" | Session identifier | Authentication identifier | Authentication method name | Ubisecure user identifier | Authentication method user identifier | Authentication request origin | 3rd party authentication identifier | User agent |
"Login"-entry format
Example:
"2003-08-25 12:58:07,250" ,"192.168.0.66" ,"login", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "tupas.1", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "010101+2221","cn=service,ou=example,dc=example","805485067", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Invalid login
An invalid login entry is logged when a user authentication fails.
Timestamp | IP-Address | "invalid login" | Session identifier | Authentication method name | Authentication method user identifier | Authentication request origin | Reason for failure | User agent |
"Invalid login"-entry format
Example:
"2003-08-25 12:57:55,144", "192.168.0.66", "invalid login", "dfff2af759817ce44c3d31654e1b573", "tupas.1", "Login cancelled", "cn=service,ou=example,dc=example", "tupas2_cancelled", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Ticket granted
A ticket granted entry is logged when a user is granted a ticket to a web application.
Timestamp | IP-Address | "ticket granted" | Session identifier | Authentication identifier | Authentication request origin | Redirect URL | Ubisecure user identifier | Web application user identifier | User agent |
"Ticket granted"-entry format
Example:
"2003-08-25 12:58:07,330", "192.168.0.66", "ticket granted", "dfff2af759817ce44c3d31654e1b573", "1dc4a5c9c4228be", "cn=service,ou=example,dc=example", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "uid=010101+2221,cn=tupas.1,cn=Server,ou=System,dc=example", "https://www.example.com", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Access denied
An access denied entry is logged when an authenticated user is denied access to a web application.
Timestamp | IP-Address | "access denied" | Session identifier | Authentication request origin | Reason of denial | User agent |
"Access denied"-entry format
Example:
"2003-08-26 13:50:39,244", "192.168.0.66", "access denied", "bb4d4463c8e45564e41cb62d734eee1b", "cn=Ubilogin,ou=System,dc=example", "No permission", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Assertion received
An assertion received entry is logged when an authentication assertion is received. (Exact attributes vary depending on the authentication method.)
Timestamp | IP-Address | "assertion received" | Session identifier | Authentication method | Authenticator identifier | Attributes | User agent |
"Assertion received"-entry format
Example:
"2011-10-12 09:06:38,294","195.197.205.34","assertionreceived", "cabe0d9d07d42172a8e7af5de2425dca1c9154dc","saml.vetuma.1","MPL_fcfe337dd7b3-89fb9311-09f6-4876-9592-0c58a7e6e353-bccf3cb3304b","urn%3Aoid%3A2.5.4.3=NORDEA+%2F+DEMO&urn%3Aoid%3A1.2.246.21=210281-9988&urn%3Aoid%3A1.3.6.1.4.1.31350.1.11=https%3A%2F%2Fsolo3.nordea.fi%2Fcgi-bin%2FSOLO3011","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
Logout
A logout entry is logged when a user logs out from Ubisecure SSO.
Timestamp | IP-Address | "logout" | Session identifier | User agent |
"Logout"-entry format
Example:
"2003-08-25 12:58:08,993", "192.168.0.66", "logout", "dfff2af759817ce44c3d31654e1b573", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
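Parsing example
The following is an added example, not code from Ubisecure: a parser that maps each row to the type-dependent columns listed in the entry format rows above and counts "invalid login" entries per client IP address. The short key names, the method name "password.1" and the sample rows are constructed for illustration; rows whose type or column count does not match a documented layout are kept unparsed under "raw" rather than mislabelled.

```python
import csv
from collections import Counter
from datetime import datetime

# Type-dependent columns after timestamp, IP and type, per the format rows above.
# The short key names are this example's own, not Ubisecure's.
FIELDS = {
    "authentication method list": ["session", "origin", "user_agent"],
    "authentication method selected": ["session", "method", "origin", "user_agent"],
    "login": ["session", "auth_id", "method", "user", "method_user",
              "origin", "third_party_id", "user_agent"],
    "invalid login": ["session", "method", "method_user", "origin",
                      "reason", "user_agent"],
    "ticket granted": ["session", "auth_id", "origin", "redirect_url",
                       "user", "app_user", "user_agent"],
    "access denied": ["session", "origin", "reason", "user_agent"],
    "assertion received": ["session", "method", "authenticator_id",
                           "attributes", "user_agent"],
    "logout": ["session", "user_agent"],
}

def parse_audit(lines):
    """Yield one dict per row; rows that fit no known layout keep 'raw'."""
    # skipinitialspace tolerates the '", "' separators seen in the examples;
    # strip() removes a space left between a closing quote and the comma.
    for row in csv.reader(lines, skipinitialspace=True):
        row = [value.strip() for value in row]
        if len(row) < 3:
            continue  # blank or truncated line
        entry = {"time": datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S,%f"),
                 "ip": row[1], "type": row[2]}
        names = FIELDS.get(row[2])
        if names and len(names) == len(row) - 3:
            entry.update(zip(names, row[3:]))
        else:
            entry["raw"] = row[3:]
        yield entry

def failed_logins_by_ip(entries):
    """Count "invalid login" entries per client IP address."""
    return Counter(e["ip"] for e in entries if e["type"] == "invalid login")

SAMPLE = [  # constructed rows, not taken from a real log
    '"2024-01-15 10:00:01,120", "192.0.2.10", "invalid login", "sess-a", "password.1", "alice", "cn=service,ou=example,dc=example", "bad password", "ExampleAgent/1.0"',
    '"2024-01-15 10:00:04,870", "192.0.2.10", "invalid login", "sess-a", "password.1", "alice", "cn=service,ou=example,dc=example", "bad password", "ExampleAgent/1.0"',
    '"2024-01-15 10:00:09,005" ,"192.0.2.10" ,"login", "sess-a", "auth-1", "password.1", "uid=alice,dc=example", "alice", "cn=service,ou=example,dc=example", "", "ExampleAgent/1.0"',
    '"2024-01-15 10:01:00,000", "198.51.100.7", "assertionreceived", "sess-b", "x"',
]
ENTRIES = list(parse_audit(SAMPLE))
```

Feed parse_audit an open uas_audit.[date].log file object in place of SAMPLE to process a real log.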