Accounting Service logging - SSO

Accounting Service writes application log and audit log events.

NOTE: The basic logging configuration, with a couple of settings exposed, presumably satisfies your needs.

More advanced logging changes can be configured with Spring Boot Logging capabilities. In the default configuration Accounting Service utilises Logback (https://logback.qos.ch) with an embedded logback-spring.xml configuration file.

Application log

The application log is configured to be written to the console and to the file system. By default the application log file is written to the accounting/logs directory with the file name ids-accounting.log. The application log is rotated on a daily basis or if the file size grows to 100 MB. Old log files are automatically compressed. The maximum history to preserve is configured to 10 days, but you can change it with the logging.logback.rollingpolicy.max-history setting in the Accounting Service configuration.

The default logging level for the application log is INFO, but you can change it in the configuration before startup, or even while the system is running, with the Accounting Service management actuator/loggers endpoint.

Audit log

The audit log file is written by default to the accounting/logs directory with the file name ids-accounting_audit.log. The audit log is rotated on a daily basis or if the file size grows to 100 MB. Old log files are automatically compressed. The maximum history to preserve is configured to 366 days, but you can change it with the ubisecure.ids.accounting.audit-log-max-history setting in the Accounting Service configuration.

The audit log pattern is defined to be in the CSV format and contains the following columns:

  • timestamp for the log event
  • log message: "Auth event" or "Resource access"
  • audit.username: authenticated user name or ANONYMOUS
  • audit.resource: the path that has been accessed, can be empty
  • audit.status: success or failure
  • audit.exception: exception in case of failure

Sample audit log excerpt

The events annotated with a number e.g. (1) in the following sample are explained in the sections below it.

 (1) "2019-02-28 13:07:48.857" "Auth event" "ANONYMOUS" "/actuator" "AUTHORIZATION_FAILURE" "AccessDeniedException: Access is denied" 
 (2) "2019-02-28 13:08:10.308" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" "" 
 (3) "2019-02-28 13:10:06.135" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" ""
 (4) "2019-02-28 13:12:00.085" "Auth event" "another" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials" 
 (5) "2019-02-28 13:12:19.563" "Auth event" "user" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials" 
 (6) "2019-02-28 13:12:39.638" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" "" 
 (7) "2019-02-28 13:14:38.066" "Auth event" "ANONYMOUS" "/accounting/report" "AUTHORIZATION_FAILURE" "AccessDeniedException: Access is denied" 
 (8) "2019-02-28 13:15:36.946" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "" "AUTHENTICATION_SUCCESS" "" 
 (9) "2019-02-28 13:15:37.440" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /accounting/report" "SUCCESS" "" 
(10) "2019-02-28 13:15:38.517" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/report" "AUTHORIZATION_SUCCESS" "" 
(11) "2019-02-28 13:15:38.543" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/report" "SUCCESS" "" 
(12) "2019-02-28 13:17:19.517" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /accounting/verify/events/2019-01-02" "SUCCESS" "" 
(13) "2019-02-28 13:17:30.461" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_SUCCESS" "" 
(14) "2019-02-28 13:17:30.534" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "SUCCESS" "" 
(15) "2019-02-28 13:35:41.058" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_SUCCESS" "" 
(16) "2019-02-28 13:35:41.068" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "SUCCESS" "" 
(17) "2019-02-28 14:36:29.062" "Auth event" "" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_FAILURE" "OAuth2AuthenticationException: Access Token is not active." 

Basic authentication events

(1) Challenge for HTTP Basic authentication protected endpoint /actuator

(2) Successful basic authentication for the /actuator endpoint

(3) Another access for /actuator endpoint - by design the browser sends the basic authentication data without requesting it from the end-user

(4) Access /actuator endpoint with wrong user name

(5) Access /actuator endpoint with wrong password

(6) Access /actuator endpoint again with correct credentials

It is by design that we don't record resource access for these Spring framework provided management endpoints.

OAuth2 authentication events when user accesses client endpoint in the browser

(7) Challenge for OAuth2 client protected endpoint /accounting/report

(8) Successful OAuth2 client authentication (with SSO OAuth2 authorization code grant)

(9) Successful resource access with authenticated user of endpoint /accounting/report

(10) Successful authorisation for the OAuth2 resource server protected endpoint /api/v1/accounting/report (with SSO OAuth2 token introspection)

(11) Successful resource access with authorised user in the token of endpoint /api/v1/accounting/report

(12) - (14) Another successful resource access for another OAuth2 client protected endpoint /accounting/verify/events/2019-01-02 when there is a valid session cookie in the browser; this results in successful authorisation for endpoint /api/v1/accounting/verify/events/2019-01-02 and successful resource access of this endpoint

OAuth2 authentication events when REST API endpoints are accessed

(15) Successful authorisation for the OAuth2 resource server protected endpoint /api/v1/accounting/verify/events/2019-01-02 (with SSO OAuth2 token introspection)

(16) Successful resource access with authorised user in the token of endpoint /api/v1/accounting/verify/events/2019-01-02

(17) Failed authorisation for the OAuth2 resource server protected endpoint /api/v1/accounting/verify/events/2019-01-02 (with SSO OAuth2 token introspection)
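
The following is an added example, not part of the Accounting Service or its documentation: a Python sketch that parses audit log lines in the layout of the sample excerpt (double-quoted fields separated by spaces) and pulls out the events an operator typically reviews. The function names, the constructed sample lines and the 5-minute window are assumptions made for the illustration.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

FIELDS = ("timestamp", "message", "username", "resource", "status", "exception")
# Constructed sample modelled on the excerpt above, without the (n) annotations.
SAMPLE = '''\
"2019-02-28 13:07:48.857" "Auth event" "ANONYMOUS" "/actuator" "AUTHORIZATION_FAILURE" "AccessDeniedException: Access is denied"
"2019-02-28 13:12:00.085" "Auth event" "another" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials"
"2019-02-28 13:12:19.563" "Auth event" "user" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials"
"2019-02-28 13:12:39.638" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" ""
"2019-02-28 14:36:29.062" "Auth event" "" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_FAILURE" "OAuth2AuthenticationException: Access Token is not active."
'''

def parse_audit(text):
    """Parse space-separated, double-quoted audit lines into dicts."""
    events = []
    # Strip each line first: a trailing space would otherwise add an empty column.
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        row = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(row) != len(FIELDS):
            raise ValueError(f"unexpected column count: {line!r}")
        event = dict(zip(FIELDS, row))
        event["timestamp"] = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S.%f")
        events.append(event)
    return events

def auth_failures_by_user(events):
    """Count AUTHENTICATION_FAILURE events per user name."""
    return Counter(e["username"] for e in events
                   if e["status"] == "AUTHENTICATION_FAILURE")

def failure_then_success(events, window=timedelta(minutes=5)):
    """Users whose failed login is followed by a success within `window`."""
    last_failure, hits = {}, []
    for e in events:
        user = e["username"]
        if e["status"] == "AUTHENTICATION_FAILURE":
            last_failure[user] = e["timestamp"]
        elif e["status"] == "AUTHENTICATION_SUCCESS" and user in last_failure:
            failed_at = last_failure.pop(user)
            if e["timestamp"] - failed_at <= window:
                hits.append((user, failed_at, e["timestamp"]))
    return hits

def rejected_tokens(events):
    """AUTHORIZATION_FAILURE events raised as OAuth2AuthenticationException."""
    return [e for e in events if e["status"] == "AUTHORIZATION_FAILURE"
            and e["exception"].startswith("OAuth2AuthenticationException")]
```

AUTHORIZATION_FAILURE events for ANONYMOUS, such as (1) and (7), are the normal authentication challenge and are deliberately not reported by these functions.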