Logs ==== Presentation ------------ Main settings: - **REMOTE_USER**: session attribute used for logging user access - **REMOTE_CUSTOM**: can be used for logging an another user attribute or a macro (optional) - **Hidden attributes**: session attributes never displayed or sent LemonLDAP::NG provides 5 levels of error and has two kind of logs: - technical logs - user actions logs Each category can be handle by a different logging framework. You can choose between: - **Lemonldap::NG::Common::Logger::Std**: standard output (mapped in web server logs, see below) - **Lemonldap::NG::Common::Logger::Syslog**: syslog logging - **Lemonldap::NG::Common::Logger::Apache2**: use Apache2 logging, levels are stored in Apache2 logs and the log level is defined by ``LogLevel`` Apache parameter - **Lemonldap::NG::Common::Logger::Log4perl**: use ``Log4perl`` framework to log *(inspired by Java Log4J)* - **Lemonldap::NG::Common::Logger::Sentry (experimental)**: use `Sentry `__ to store logs - **Lemonldap::NG::Common::Logger::Dispatch**: dispatch logs in other backends depending on log level .. attention:: Except for Apache2 and Log4Perl, log level is defined by ``logLevel`` parameter set in ``lemonldap-ng.ini`` file. Logger configurations are defined in lemonldap-ng.ini. Example: .. code-block:: ini [all] logger = Lemonldap::NG::Common::Logger::Log4perl userLogger = Lemonldap::NG::Common::Logger::Syslog logLevel = notice You can also modify these values in each lemonldap-ng.ini section to have different values for portal, manager and handlers. Therefore, LLNG provides a username that can be used by webservers in their access log. To configure the user identifier to write into access logs, go into Manager, ``General Parameters`` > ``Logging`` > ``REMOTE_USER``. User log samples ---------------- .. note:: The user name set in user log messages is configured with `whatToTrace` parameter, except for messages corresponding to failed authentification, whe the user name logged is the login used by the user. Authentication: :: [notice] Session granted for dwho by LDAP (81.20.13.21) [notice] User dwho.com successfully authenticated at level 2 [notice] dwho connected Failed authentication: :: [warn] foo.bar was not found in LDAP directory (81.20.13.21) [warn] Bad password for dwho (81.20.13.21) Failed authentication with Combination module: :: [warn] All schemes failed for user dwho (81.20.13.21) Logout: :: [notice] User dwho has been disconnected from LDAP (81.20.13.21) Password change: :: [notice] Password changed for dwho (81.20.13.21) Access to a CAS application non registered in configuration (when CAS server is open): :: [notice] User dwho is redirected to https://cas.service.url Access to a CAS application whose configuration key is ``app-example``: :: [notice] User dwho is authorized to access to app-example Access to an SAML SP whose configuration key is ``sp-example``: :: [notice] User dwho is authorized to access to sp-example Access to an OIDC RP whose configuration key is ``rp-example``: :: [notice] User dwho is authorized to access to rp-example Access to a Get application whose vhost configuration key is ``host.example.com``: :: [notice] User dwho is authorized to access to host.example.com Default loggers --------------- - Apache handlers use by default Apache2 logger. This logger can't be used for other LLNG components - Except when launched by LLNG FastCGI server *(used by Nginx)*, Portal and Manager use Std logger by default - All components launched by LLNG FastCGI server use Syslog by default Log levels ---------- Technical log levels ~~~~~~~~~~~~~~~~~~~~ - **error** is used for problems that must be reported to administrator and needs an action. In this case, some feature may not work - **warn** is used for problems that doesn't block LLNG features but should be solved - **notice** is used for actions that must be kept in logs - **info** display some technical information - **debug** produce a lot a debugging logs Log levels for user actions ~~~~~~~~~~~~~~~~~~~~~~~~~~~ - **error** is used to log bad user actions that looks malicious - **warn** is used to log some errors like "bad password" - **notice** is used for actions that must be kept in logs for accounting (connections, logout) - **info** display some useful information like handler authorizations (at least 1 for each HTTP hit) - **debug** isn't used Logger configuration -------------------- Std logger ~~~~~~~~~~ Nothing to configure except logLevel. Apache2 logger ~~~~~~~~~~~~~~ The log level can be set with Apache ``LogLevel`` parameter. It can be configured globally, or inside a virtual host. See http://httpd.apache.org/docs/current/mod/core.html#loglevel for more information. Syslog ~~~~~~ You can choose facility in lemonldap-ng.ini file. Default values: .. code-block:: ini syslogFacility = daemon userSyslogFacility = auth You can also override options. Default values: .. code-block:: ini syslogOptions = cons,pid,ndelay userSyslogOptions = cons,pid,ndelay .. tip:: You can find more information on Syslog options in `Sys::Syslog `__ Perl module. Log4perl ~~~~~~~~ You can indicate the Log4perl configuration file and the classes to use. Default values: .. code-block:: ini log4perlConfFile = /etc/log4perl.conf log4perlLogger = LLNG log4perlUserLogger = LLNG.user Sentry ~~~~~~ You just have to give your DSN: .. code-block:: ini sentryDsn = https://... .. attention:: This experimental logger requires `Sentry::Raven `__ Perl module. Dispatch ~~~~~~~~ Use it to use more than one logger. Example: .. code-block:: ini logger = Lemonldap::NG::Common::Logger::Dispatch userLogger = Lemonldap::NG::Common::Logger::Dispatch logDispatchError = Lemonldap::NG::Common::Logger::Sentry logDispatchNotice = Lemonldap::NG::Common::Logger::Syslog userLogDispatchError = Lemonldap::NG::Common::Logger::Sentry ; Other parameters syslogFacility = daemon sentryDsn = https://... .. attention:: At least ``logDispatchError`` (or ``userLogDispatchError`` for user logs) must be defined. All sub level will be dispatched on it, until another lever is declared. In the above example, Sentry collects ``error`` and ``warn`` levels and all user actions, while syslog stores technical ``notice``, ``info`` and ``debug`` logs.