Accounting Service logging - SSO
Accounting Service writes application log and audit log events.
NOTE: The basic logging configuration, with a couple of settings exposed, is expected to satisfy your needs.
More advanced logging changes can be configured with Spring Boot Logging capabilities. In the default configuration Accounting Service uses Logback (https://logback.qos.ch) with an embedded logback-spring.xml configuration file.
Application log
The application log is written to the console and to the file system. By default the application log file is written to the accounting/logs directory with the file name ids-accounting.log. The application log is rotated on a daily basis or if the file size grows to 100 MB. Old log files are automatically compressed. The maximum history to preserve is set to 10 days, but you can change it with the logging.logback.rollingpolicy.max-history setting in the Accounting Service configuration.
The default logging level for the application log is INFO, but you can change it in the configuration before startup, or while the system is running, with the Accounting Service management actuator/loggers endpoint.
Audit log
By default the audit log file is written to the accounting/logs directory with the file name ids-accounting_audit.log. The audit log is rotated on a daily basis or if the file size grows to 100 MB. Old log files are automatically compressed. The maximum history to preserve is set to 366 days, but you can change it with the ubisecure.ids.accounting.audit-log-max-history setting in the Accounting Service configuration.
The audit log pattern is defined to be in the CSV format and contains the following columns:
- timestamp for the log event
- log message: "Auth event" or "Resource access"
- audit.username: authenticated user name or ANONYMOUS
- audit.resource: the path that has been accessed, can be empty
- audit.status: success or failure
- audit.exception: exception in case of failure
Sample audit log excerpt
The events annotated with a number, e.g. (1), in the following sample are explained in the sections below it.
(1) "2019-02-28 13:07:48.857" "Auth event" "ANONYMOUS" "/actuator" "AUTHORIZATION_FAILURE" "AccessDeniedException: Access is denied"
(2) "2019-02-28 13:08:10.308" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" ""
(3) "2019-02-28 13:10:06.135" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" ""
(4) "2019-02-28 13:12:00.085" "Auth event" "another" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials"
(5) "2019-02-28 13:12:19.563" "Auth event" "user" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials"
(6) "2019-02-28 13:12:39.638" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" ""
(7) "2019-02-28 13:14:38.066" "Auth event" "ANONYMOUS" "/accounting/report" "AUTHORIZATION_FAILURE" "AccessDeniedException: Access is denied"
(8) "2019-02-28 13:15:36.946" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "" "AUTHENTICATION_SUCCESS" ""
(9) "2019-02-28 13:15:37.440" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /accounting/report" "SUCCESS" ""
(10) "2019-02-28 13:15:38.517" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/report" "AUTHORIZATION_SUCCESS" ""
(11) "2019-02-28 13:15:38.543" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/report" "SUCCESS" ""
(12) "2019-02-28 13:17:19.517" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /accounting/verify/events/2019-01-02" "SUCCESS" ""
(13) "2019-02-28 13:17:30.461" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_SUCCESS" ""
(14) "2019-02-28 13:17:30.534" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "SUCCESS" ""
(15) "2019-02-28 13:35:41.058" "Auth event" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_SUCCESS" ""
(16) "2019-02-28 13:35:41.068" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /api/v1/accounting/verify/events/2019-01-02" "SUCCESS" ""
(17) "2019-02-28 14:36:29.062" "Auth event" "" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_FAILURE" "OAuth2AuthenticationException: Access Token is not active."
Basic authentication events
(1) Challenge for the HTTP Basic authentication protected endpoint /actuator
(2) Successful basic authentication for the /actuator endpoint
(3) Another access to the /actuator endpoint - by design the browser sends the basic authentication data without requesting it from the end-user
(4) Access to the /actuator endpoint with wrong user name
(5) Access to the /actuator endpoint with wrong password
(6) Access to the /actuator endpoint again with correct credentials
It is by design that we don't record resource access for these Spring framework provided management endpoints.
OAuth2 authentication events when user accesses client endpoint in the browser
(7) Challenge for OAuth2 client protected endpoint /accounting/report
(8) Successful OAuth2 client authentication (with SSO OAuth2 authorization code grant)
(9) Successful resource access with authenticated user of endpoint /accounting/report
(10) Successful authorisation for the OAuth2 resource server protected endpoint /api/v1/accounting/report (with SSO OAuth2 token introspection)
(11) Successful resource access with authorised user in the token of endpoint /api/v1/accounting/report
(12) - (14) Another successful resource access for another OAuth2 client protected endpoint /accounting/verify/events/2019-01-02 when there is a valid session cookie in the browser, results in successful authorisation for endpoint /api/v1/accounting/verify/events/2019-01-02 and successful resource access of this endpoint
OAuth2 authentication events when REST API endpoints are accessed
(15) Successful authorisation for the OAuth2 resource server protected endpoint /api/v1/accounting/verify/events/2019-01-02 (with SSO OAuth2 token introspection)
(16) Successful resource access with authorised user in the token of endpoint /api/v1/accounting/verify/events/2019-01-02
(17) Failed authorisation for the OAuth2 resource server protected endpoint /api/v1/accounting/verify/events/2019-01-02 (with SSO OAuth2 token introspection)
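Added example (not part of the Accounting Service or its documentation): a Python parser for the six-column audit log format described above, with two checks a log reviewer might run, namely failure counts per user name and an authentication success that follows a failure for the same user, as in events (5) and (6). It assumes every column is double-quoted with no embedded quotes; the function names and the five-minute window are assumptions, and the sample lines are taken from the excerpt on this page.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Documented column order. Assumption: each column is double-quoted, no embedded quotes.
AuditEvent = namedtuple("AuditEvent", "ts message username resource status exception")
FIELD = re.compile(r'"([^"]*)"')

# Lines taken from the sample excerpt on this page, annotation numbers removed
SAMPLE = '''\
"2019-02-28 13:07:48.857" "Auth event" "ANONYMOUS" "/actuator" "AUTHORIZATION_FAILURE" "AccessDeniedException: Access is denied"
"2019-02-28 13:12:00.085" "Auth event" "another" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials"
"2019-02-28 13:12:19.563" "Auth event" "user" "" "AUTHENTICATION_FAILURE" "BadCredentialsException: Bad credentials"
"2019-02-28 13:12:39.638" "Auth event" "user" "" "AUTHENTICATION_SUCCESS" ""
"2019-02-28 13:15:37.440" "Resource access" "CN=Administrator,OU=System,CN=Ubilogin,DC=test" "GET /accounting/report" "SUCCESS" ""
"2019-02-28 14:36:29.062" "Auth event" "" "GET /api/v1/accounting/verify/events/2019-01-02" "AUTHORIZATION_FAILURE" "OAuth2AuthenticationException: Access Token is not active."
'''

def parse_line(line):
    """Return an AuditEvent, or None when the line lacks six quoted columns or a valid timestamp."""
    fields = FIELD.findall(line)
    if len(fields) != 6:
        return None
    try:
        return AuditEvent(datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S.%f"), *fields[1:])
    except ValueError:
        return None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def failures_by_user(events):
    """Count events whose status contains FAILURE, keyed by user name ('' when none was logged)."""
    return dict(Counter(e.username for e in events if "FAILURE" in e.status))

def success_after_failure(events, window=timedelta(minutes=5)):
    """List (user, failure time, success time) where a success follows a failure within the window."""
    last_fail, hits = {}, []
    for e in events:
        if e.status == "AUTHENTICATION_FAILURE":
            last_fail[e.username] = e.ts
        elif e.status == "AUTHENTICATION_SUCCESS":
            failed = last_fail.pop(e.username, None)
            if failed is not None and e.ts - failed <= window:
                hits.append((e.username, failed, e.ts))
    return hits
```

A failure followed by a success can be a mistyped password, so the pairs are leads for review rather than findings; the ANONYMOUS failures counted here include the normal authentication challenges described for events (1) and (7).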