Logs

Presentation

Main settings:

  • REMOTE_USER: session attribute used for logging user access

  • REMOTE_CUSTOM: can be used for logging an another user attribute or a macro (optional)

  • Hidden attributes: session attributes never displayed or sent

LemonLDAP::NG provides 5 levels of error and has two kind of logs:

  • technical logs

  • user actions logs

Each category can be handle by a different logging framework. You can choose between:

  • Lemonldap::NG::Common::Logger::Std: standard output (mapped in web server logs, see below)

  • Lemonldap::NG::Common::Logger::Syslog: syslog logging

  • Lemonldap::NG::Common::Logger::Apache2: use Apache2 logging, levels are stored in Apache2 logs and the log level is defined by LogLevel Apache parameter

  • Lemonldap::NG::Common::Logger::Log4perl: use Log4perl framework to log (inspired by Java Log4J)

  • Lemonldap::NG::Common::Logger::Sentry (experimental): use Sentry to store logs

  • Lemonldap::NG::Common::Logger::Dispatch: dispatch logs in other backends depending on log level

Attention

Except for Apache2 and Log4Perl, log level is defined by logLevel parameter set in lemonldap-ng.ini file. Logger configurations are defined in lemonldap-ng.ini. Example:

[all]
logger     = Lemonldap::NG::Common::Logger::Log4perl
userLogger = Lemonldap::NG::Common::Logger::Syslog
logLevel   = notice

You can also modify these values in each lemonldap-ng.ini section to have different values for portal, manager and handlers.

Therefore, LLNG provides a username that can be used by webservers in their access log. To configure the user identifier to write into access logs, go into Manager, General Parameters > Logging > REMOTE_USER.

User log samples

Note

The user name set in user log messages is configured with whatToTrace parameter, except for messages corresponding to failed authentification, whe the user name logged is the login used by the user.

Authentication:

[notice] Session granted for dwho by LDAP (81.20.13.21)
[notice] User dwho.com successfully authenticated at level 2
[notice] dwho connected

Failed authentication:

[warn] foo.bar was not found in LDAP directory (81.20.13.21)
[warn] Bad password for dwho (81.20.13.21)

Failed authentication with Combination module:

[warn] All schemes failed for user dwho (81.20.13.21)

Logout:

[notice] User dwho has been disconnected from LDAP (81.20.13.21)

Password change:

[notice] Password changed for dwho (81.20.13.21)

Access to a CAS application non registered in configuration (when CAS server is open):

[notice] User dwho is redirected to https://cas.service.url

Access to a CAS application whose configuration key is app-example:

[notice] User dwho is authorized to access to app-example

Access to an SAML SP whose configuration key is sp-example:

[notice] User dwho is authorized to access to sp-example

Access to an OIDC RP whose configuration key is rp-example:

[notice] User dwho is authorized to access to rp-example

Access to a Get application whose vhost configuration key is host.example.com:

[notice] User dwho is authorized to access to host.example.com

Default loggers

  • Apache handlers use by default Apache2 logger. This logger can’t be used for other LLNG components

  • Except when launched by LLNG FastCGI server (used by Nginx), Portal and Manager use Std logger by default

  • All components launched by LLNG FastCGI server use Syslog by default

Log levels

Technical log levels

  • error is used for problems that must be reported to administrator and needs an action. In this case, some feature may not work

  • warn is used for problems that doesn’t block LLNG features but should be solved

  • notice is used for actions that must be kept in logs

  • info display some technical information

  • debug produce a lot a debugging logs

Log levels for user actions

  • error is used to log bad user actions that looks malicious

  • warn is used to log some errors like “bad password”

  • notice is used for actions that must be kept in logs for accounting (connections, logout)

  • info display some useful information like handler authorizations (at least 1 for each HTTP hit)

  • debug isn’t used

Logger configuration

Std logger

Nothing to configure except logLevel.

Apache2 logger

The log level can be set with Apache LogLevel parameter. It can be configured globally, or inside a virtual host.

See http://httpd.apache.org/docs/current/mod/core.html#loglevel for more information.

Syslog

You can choose facility in lemonldap-ng.ini file. Default values:

syslogFacility     = daemon
userSyslogFacility = auth

You can also override options. Default values:

syslogOptions      = cons,pid,ndelay
userSyslogOptions  = cons,pid,ndelay

Tip

You can find more information on Syslog options in Sys::Syslog Perl module.

Log4perl

You can indicate the Log4perl configuration file and the classes to use. Default values:

log4perlConfFile   = /etc/log4perl.conf
log4perlLogger     = LLNG
log4perlUserLogger = LLNG.user

Sentry

You just have to give your DSN:

sentryDsn = https://...

Attention

This experimental logger requires Sentry::Raven Perl module.

Dispatch

Use it to use more than one logger. Example:

logger               = Lemonldap::NG::Common::Logger::Dispatch
userLogger           = Lemonldap::NG::Common::Logger::Dispatch
logDispatchError     = Lemonldap::NG::Common::Logger::Sentry
logDispatchNotice    = Lemonldap::NG::Common::Logger::Syslog
userLogDispatchError = Lemonldap::NG::Common::Logger::Sentry
; Other parameters
syslogFacility    = daemon
sentryDsn         = https://...

Attention

At least logDispatchError (or userLogDispatchError for user logs) must be defined. All sub level will be dispatched on it, until another lever is declared. In the above example, Sentry collects error and warn levels and all user actions, while syslog stores technical notice, info and debug logs.