This shows you the differences between two versions of the page.

documentation:latest:logs [2012/04/18 22:15] external edit
documentation:latest:logs [2019/08/21 22:01] (current)
Line 1: Line 1:
 ====== Logs ====== ====== Logs ======
-===== Apache ​logging ​=====+**REMOTE_USER** : session attribute used for logging ​user access.
-By default, ​LemonLDAP::​NG ​uses Apache ​logs to store user actions and other messages+**REMOTE_CUSTOM** : can be used for logging a second user attribute (optionnal) 
-  * Error log: all messages emitted ​by the programdepending on the configured ​log level + 
-  * Access ​log: the issuer of each request ​is identified+**Hidden attributes** : session attributes never displayed or sent 
 +LemonLDAP::​NG ​provides 5 levels of error and has two kind of logs
 +  * technical logs 
 +  * user actions ​logs 
 +Each category can be handle by a different logging framework. You can choose between: 
 +  * **Lemonldap::​NG::​Common::​Logger::​Std**:​ standard output (mapped in web server logs, see below) 
 +  * **Lemonldap::​NG::​Common::​Logger::​Syslog**:​ syslog logging 
 +  * **Lemonldap::​NG::​Common::​Logger::​Apache2**:​ use Apache2 logging, levels are stored in Apache2 logs and the log level is defined by ''​LogLevel''​ Apache parameter 
 +  * **Lemonldap::​NG::​Common::​Logger::​Log4perl**:​ use ''​Log4perl''​ framework to log //(inspired by Java Log4J)// 
 +  * **Lemonldap::​NG::​Common::​Logger::​Sentry //​(experimental)//​**:​ use [[https://​sentry.io|Sentry]] to store logs 
 +  * **Lemonldap::​NG::​Common::​Logger::​Dispatch**:​ dispatch logs in other backends depending on log level 
 +<note important>​ 
 +Except for Apache2 and Log4Perl, log level is defined by ''​logLevel''​ parameter set in ''​lemonldap-ng.ini''​ file. Logger configurations are defined in lemonldap-ng.ini. 
 +<file ini> 
 +logger ​    = Lemonldap::​NG::​Common::​Logger::​Log4perl 
 +userLogger = Lemonldap::​NG::​Common::​Logger::​Syslog 
 +logLevel ​  = notice 
 +You can also modify these values in each lemonldap-ng.ini section to have different values for portal, manager and handlers. 
 +Therefore, LLNG provides a username that can be used by webservers in their access log. To configure ​the user identifier to write into access logsgo into Manager, ''​General Parameters''​ > ''​Logging''​ > ''​REMOTE_USER''​. 
 +===== Default loggers ===== 
 +  * Apache handlers use by default Apache2 logger. This logger can't be used for other LLNG components 
 +  * Except when launched by LLNG FastCGI server //(used by Nginx)//, Portal and Manager use Std logger by default 
 +  * All components launched by LLNG FastCGI server use Syslog by default 
 +===== Log levels ===== 
 +==== Technical ​log levels ==== 
 +  * **error** is used for problems that must be reported to administrator and needs an action. In this case, some feature may not work 
 +  * **warn** is used for problems that doesn'​t block LLNG features but should be solved 
 +  * **notice** is used for actions that must be kept in logs 
 +  * **info** display some technical information 
 +  * **debug** produce a lot a debugging logs 
 +==== Log levels for user actions ==== 
 +  * **error** is used to log bad user actions that looks malicious 
 +  * **warn** ​is used to log some errors like "bad password"​ 
 +  * **notice** is used for actions that must be kept in logs for accounting (connections,​ logout) 
 +  * **info** display some useful information like handler authorizations (at least 1 for each HTTP hit) 
 +  * **debug** isn't used 
 +===== Logger configuration ===== 
 +==== Std logger ==== 
 +Nothing to configure except logLevel. 
 +==== Apache2 logger ====
 The log level can be set with Apache ''​LogLevel''​ parameter. It can be configured globally, or inside a virtual host. The log level can be set with Apache ''​LogLevel''​ parameter. It can be configured globally, or inside a virtual host.
-See [[http://​httpd.apache.org/​docs/​2.2/​mod/​core.html#​loglevel]] for more information.+See [[http://​httpd.apache.org/​docs/​current/​mod/​core.html#​loglevel]] for more information.
-To configure the user identifier in access log, go in Manager, ''​General Parameters''​ > ''​Logging''​ > ''​REMOTE_USER''​.+==== Syslog ====
-===== Syslog =====+You can choose facility in lemonldap-ng.ini file. Default values:
-LemonLDAP::​NG can also use syslog (only for user actions).+<file ini> 
 +syslogFacility ​    = daemon 
 +userSyslogFacility = auth 
-In Manager, set syslog facility in ''​General Parameters''​ > ''​Logging''​ > ''​Syslog facility''​.+==== Log4perl ====
-The messages are stored with the levels ​: +You can indicate ​the Log4perl configuration file and the classes to use. Default values:
-  * **info** for user actions +
-  * **notice** for good authentications or external exchange (SAML, OpenID,​...) +
-  * **warn** for failed authentications+
-===== Override logging functions =====+<file ini> 
 +log4perlConfFile ​  /​etc/​log4perl.conf 
 +log4perlLogger ​    LLNG 
 +log4perlUserLogger ​LLNG.user 
-You can customize logs by redefining userNotice() and userError() methods, directly in ''​lemonldap-ng.ini''​+==== Sentry ====
-Example:+You just have to give your DSN: 
 +<file ini> 
 +sentryDsn = https://​... 
 +<note important>​This experimental logger requires [[https://​metacpan.org/​pod/​Sentry::​Raven|Sentry::​Raven]] Perl module.</​note>​ 
 +==== Dispatch ==== 
 +Use it to use more than one logger. ​Example:
 <file ini> <file ini>
-[portal] +logger ​              = Lemonldap::​NG::​Common::​Logger::​Dispatch 
-userError ​sub { my ($self, $message) ​@_; ... } +userLogger ​          Lemonldap::​NG::​Common::​Logger::​Dispatch 
-userNotice ​sub { my ($self, $message) ​@_; ... }+logDispatchError ​    Lemonldap::​NG::​Common::​Logger::​Sentry 
 +logDispatchNotice ​   ​Lemonldap::​NG::​Common::​Logger::​Syslog 
 +userLogDispatchError ​Lemonldap::​NG::​Common::​Logger::​Sentry 
 +Other parameters 
 +syslogFacility ​   = daemon 
 +sentryDsn ​        = https://...
 </​file>​ </​file>​
 +<note important>​At least ''​logDispatchError''​ //(or ''​userLogDispatchError''​ for user logs)// must be defined. All sub level will be dispatched on it, until another lever is declared. In the above example, Sentry collects ''​error''​ and ''​warn''​ levels and all user actions, while syslog stores technical ''​notice'',​ ''​info''​ and ''​debug''​ logs.</​note>​
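Review bot: In the Dispatch example, the user logger declares only ''userLogDispatchError'', so every user-action level falls through to Sentry, as the closing note itself states ("all user actions"). That includes the ''notice'' accounting records (connections, logout) and the per-hit ''info'' handler authorizations listed under "Log levels for user actions". The same revision marks the Sentry logger as experimental and dependent on an extra Perl module, so the example as written makes it the only destination for the audit trail. Suggest declaring a user-side counterpart of ''logDispatchNotice'' (by the naming pattern shown here, ''userLogDispatchNotice'') pointing at the Syslog logger, so that accounting entries stay in local syslog and only ''error'' and ''warn'' user events go to Sentry, and then updating the closing note to match. The revision also drops the old list of syslog levels for user actions and the "Override logging functions" section without saying what replaces them, so a short migration sentence would help anyone who filters on the old levels or had redefined ''userNotice()'' / ''userError()''. Minor wording in the added lines: "optionnal", "can be handle by", "until another lever is declared".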