worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11340 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: aea7bdebe8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'aea7bdebe8'
${ noResults }
lemonldap-ng/doc/sources/admin/logs.rst

255 lines
6.6 KiB
Raw Blame History

Logs
====
Presentation
------------
Main settings:
- **REMOTE_USER** : session attribute used for logging user access
- **REMOTE_CUSTOM** : can be used for logging an another user attribute or a macro
(optional)
- **Hidden attributes** : session attributes never displayed or sent
LemonLDAP::NG provides 5 levels of error and has two kind of logs:
- technical logs
- user actions logs
Each category can be handle by a different logging framework. You can
choose between:
- **Lemonldap::NG::Common::Logger::Std**: standard output (mapped in
web server logs, see below)
- **Lemonldap::NG::Common::Logger::Syslog**: syslog logging
- **Lemonldap::NG::Common::Logger::Apache2**: use Apache2 logging,
levels are stored in Apache2 logs and the log level is defined by
``LogLevel`` Apache parameter
- **Lemonldap::NG::Common::Logger::Log4perl**: use ``Log4perl``
framework to log *(inspired by Java Log4J)*
- **Lemonldap::NG::Common::Logger::Sentry (experimental)**: use
`Sentry <https://sentry.io>`__ to store logs
- **Lemonldap::NG::Common::Logger::Dispatch**: dispatch logs in other
backends depending on log level
.. attention::
Except for Apache2 and Log4Perl, log level is defined
by ``logLevel`` parameter set in ``lemonldap-ng.ini`` file. Logger
configurations are defined in lemonldap-ng.ini. Example:
.. code-block:: ini
[all]
logger = Lemonldap::NG::Common::Logger::Log4perl
userLogger = Lemonldap::NG::Common::Logger::Syslog
logLevel = notice
You can also modify these values in each lemonldap-ng.ini section to
have different values for portal, manager and handlers.
Therefore, LLNG provides a username that can be used by webservers in
their access log. To configure the user identifier to write into access
logs, go into Manager, ``General Parameters`` > ``Logging`` >
``REMOTE_USER``.
User log samples
----------------
.. note::
The user name set in user log messages is configured with `whatToTrace` parameter, except
for messages corresponding to failed authentification, whe the user name logged is the
login used by the user.
Authentication:
::
[notice] Session granted for dwho by LDAP (81.20.13.21)
[notice] User dwho.com successfully authenticated at level 2
[notice] dwho connected
Failed authentication:
::
[warn] foo.bar was not found in LDAP directory (81.20.13.21)
[warn] Bad password for dwho (81.20.13.21)
Failed authentication with Combination module:
::
[warn] All schemes failed for user dwho (81.20.13.21)
Logout:
::
[notice] User dwho has been disconnected from LDAP (81.20.13.21)
Password change:
::
[notice] Password changed for dwho (81.20.13.21)
Access to a CAS application non registered in configuration (when CAS server is open):
::
[notice] User dwho is redirected to https://cas.service.url
Access to a CAS application whose configuration key is ``app-example``:
::
[notice] User dwho is authorized to access to app-example
Access to an SAML SP whose configuration key is ``sp-example``:
::
[notice] User dwho is authorized to access to sp-example
Access to an OIDC RP whose configuration key is ``rp-example``:
::
[notice] User dwho is authorized to access to rp-example
Access to a Get application whose vhost configuration key is ``host.example.com``:
::
[notice] User dwho is authorized to access to host.example.com
Default loggers
---------------
- Apache handlers use by default Apache2 logger. This logger can't be
used for other LLNG components
- Except when launched by LLNG FastCGI server *(used by Nginx)*, Portal
and Manager use Std logger by default
- All components launched by LLNG FastCGI server use Syslog by default
Log levels
----------
Technical log levels
~~~~~~~~~~~~~~~~~~~~
- **error** is used for problems that must be reported to administrator
and needs an action. In this case, some feature may not work
- **warn** is used for problems that doesn't block LLNG features but
should be solved
- **notice** is used for actions that must be kept in logs
- **info** display some technical information
- **debug** produce a lot a debugging logs
Log levels for user actions
~~~~~~~~~~~~~~~~~~~~~~~~~~~
- **error** is used to log bad user actions that looks malicious
- **warn** is used to log some errors like "bad password"
- **notice** is used for actions that must be kept in logs for
accounting (connections, logout)
- **info** display some useful information like handler authorizations
(at least 1 for each HTTP hit)
- **debug** isn't used
Logger configuration
--------------------
Std logger
~~~~~~~~~~
Nothing to configure except logLevel.
Apache2 logger
~~~~~~~~~~~~~~
The log level can be set with Apache ``LogLevel`` parameter. It can be
configured globally, or inside a virtual host.
See http://httpd.apache.org/docs/current/mod/core.html#loglevel for more
information.
Syslog
~~~~~~
You can choose facility in lemonldap-ng.ini file. Default values:
.. code-block:: ini
syslogFacility = daemon
userSyslogFacility = auth
You can also override options. Default values:
.. code-block:: ini
syslogOptions = cons,pid,ndelay
userSyslogOptions = cons,pid,ndelay
.. tip:: You can find more information on Syslog options in
`Sys::Syslog <https://metacpan.org/pod/Sys::Syslog>`__ Perl
module.
Log4perl
~~~~~~~~
You can indicate the Log4perl configuration file and the classes to use.
Default values:
.. code-block:: ini
log4perlConfFile = /etc/log4perl.conf
log4perlLogger = LLNG
log4perlUserLogger = LLNG.user
Sentry
~~~~~~
You just have to give your DSN:
.. code-block:: ini
sentryDsn = https://...
.. attention::
This experimental logger requires
`Sentry::Raven <https://metacpan.org/pod/Sentry::Raven>`__ Perl
module.
Dispatch
~~~~~~~~
Use it to use more than one logger. Example:
.. code-block:: ini
logger = Lemonldap::NG::Common::Logger::Dispatch
userLogger = Lemonldap::NG::Common::Logger::Dispatch
logDispatchError = Lemonldap::NG::Common::Logger::Sentry
logDispatchNotice = Lemonldap::NG::Common::Logger::Syslog
userLogDispatchError = Lemonldap::NG::Common::Logger::Sentry
; Other parameters
syslogFacility = daemon
sentryDsn = https://...
.. attention::
At least ``logDispatchError`` (or
``userLogDispatchError`` for user logs) must be defined. All sub level
will be dispatched on it, until another lever is declared. In the above
example, Sentry collects ``error`` and ``warn`` levels and all user
actions, while syslog stores technical ``notice``, ``info`` and
``debug`` logs.