[mitreid-connect] Audit logging?

Justin Richer jricher at mit.edu
Mon Feb 2 14:57:27 EST 2015


That's interesting, org.mitre should of course be configured separately 
but it should still be configurable. We have it set out of the box to 
the "INFO" logging level.

It also sounds like what you're after is more of a discrete event log as 
opposed to application processing. That aligns with the feature style 
that we had in mind too, so I think that we can pretty readily come up 
with a solution that fits both our use cases and have it (or at least 
the framework) be a part of 1.2.0.

I'll look into the CAS server you mentioned to see how they do it, but 
any information you can provide regarding what you like about it and 
not, I would appreciate learning from that perspective.

Thanks,
  -- Justin

On 2/2/2015 10:31 AM, Fredrik Jönsson wrote:
> I can get org.springframework output, but org.mitre is pretty much not logging anything at all, at any level.
>
> What I am primarily looking for is auditing from an Internet response team perspective, not application debugging. What we would need to be able to trace are typical authenticated actions (including OAuth clients), which in this case becomes pretty much who made what request with what result to most endpoints in the application.
>
> I don’t have an awful lot of experience on how to achieve it though. It is done reasonably well from our perspective in the Jasig CAS server, I’ll check how it is done and if it’s a pattern one would want to reuse.
>
> /Fredrik
>
>
>> On 2 Feb 2015, at 14:25, Justin Richer <jricher at mit.edu> wrote:
>>
>> We don't have a lot of formal audit logging built in to the system apart from the system logger, which is configurable with the log4j.xml file. We'd tried it with a previous version of the server (0.9 and 1.0) but it was applied inconsistently and not very useful, so we pulled it out for the latest stable release (1.1) so that we could re-think it and reintroduce it to the next version (1.2). Which is to say, it's on our to-do list for this version and we're open to ideas on how to implement a proper structured audit system. I believe it would be beneficial to coordinate our efforts so that the features and functionality you're after get included into the main project and you'll be able to deploy 1.2.0 without modification (beyond configuration) when it's released.
>>
>> -- Justin
>>
>> On 2/2/2015 5:50 AM, Fredrik Jönsson wrote:
>>> Hi,
>>>
>>> We are looking into MitreID Connect and I’ve currently got a 1.2.0-SNAPSHOT server up and running with Active Directory integration for UserInfo and CAS authentication.
>>>
>>> So far so good.
>>>
>>> A question so far, has anyone implemented some reasonable level of audit logging for a production environment, and how? Any suggestions? Would like to modify the code as little as possible of course.
>>>
>>> Best regards,
>>> /Fredrik
>>>
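
An added illustration of the "who made what request with what result" event log discussed in this thread; it is not part of the original messages and is not MITREid Connect code. It assumes Servlet 3.0+, Spring Web, Spring Security and SLF4J, a filter registered after `springSecurityFilterChain` so the security context is still populated, and a hypothetical logger name `AUDIT`:

```java
// Added example, not MITREid Connect code. The class name and the "AUDIT"
// logger name are hypothetical.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class AuditLogFilter extends OncePerRequestFilter {

    // Dedicated logger so audit events can be routed apart from application logs
    private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT");

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        long start = System.currentTimeMillis();
        String outcome = "ok";
        try {
            chain.doFilter(req, res);
        } catch (IOException | ServletException | RuntimeException e) {
            // Record the failure type; the status may not be final yet in this case
            outcome = e.getClass().getSimpleName();
            throw e;
        } finally {
            // Principal is the end user or, on client-authenticated endpoints, the client
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String who = (auth == null) ? "-" : auth.getName();
            // Path only: query strings can carry authorization codes or tokens
            AUDIT.info("who={} ip={} method={} path={} status={} outcome={} ms={}",
                    clean(who), clean(req.getRemoteAddr()), clean(req.getMethod()),
                    clean(req.getRequestURI()), res.getStatus(), outcome,
                    System.currentTimeMillis() - start);
        }
    }

    // Replace control characters so request data cannot forge extra log lines
    private static String clean(String s) {
        return (s == null) ? "-" : s.replaceAll("\\p{Cntrl}", "_");
    }
}
```

Giving the `AUDIT` logger its own appender in log4j.xml keeps these events separate from the `org.mitre` and `org.springframework` application output.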


