How do I enable Access Logging for Crowd?


Scenario

You wish to enable access logging for requests to Crowd. This can be useful when troubleshooting client access problems, or during security audits.

Solution

According to CWD-5216, the %{X-AUSERNAME}o and %{X-AAPPNAME}o tokens are available in the following versions of Crowd:

Crowd 3.7.x - not available

Crowd 4.0.x - available starting from 4.0.3

Crowd 4.1.x - available starting from 4.1.1

To use the %{X-AUSERNAME}o token, run Crowd with the crowd.username.header system property set to true. It is set to false by default. When it is set to true, Crowd adds an X-AUSERNAME header to the HTTP responses for all requests coming from an authenticated user (including REST API requests). The value of this header is the username of the authenticated user making the request. Tomcat's AccessLogValve consumes this header, replacing the token with the actual value.

To use the %{X-AAPPNAME}o token, run Crowd with the crowd.appname.header system property set to true. It is set to false by default. When it is set to true, Crowd adds an X-AAPPNAME header to the HTTP responses for all REST requests coming from an authenticated application. The value of this header is the name of the authenticated application making the request. Tomcat's AccessLogValve consumes this header, replacing the token with the actual value.

Please refer to Configuring System Properties for how to add the values mentioned above.


You will need to enable a Tomcat valve for requests to Crowd.

Add the following to the Engine element of Crowd's server.xml file. By default, this is located at <crowd-install>/apache-tomcat/conf/server.xml

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".log" pattern="%t %{User-Agent}i %h %m %r %b %s %I %{X-AUSERNAME}o %{X-AAPPNAME}o" />

After restarting Crowd, access logs should be written to a file whose name is based on the configured prefix and suffix and on the current date, for example localhost_access_log.2015-06-16.log.

They will be stored in the "logs" directory for Tomcat. By default, this is <crowd-install>/apache-tomcat/logs. Entries are based on the pattern attribute. The pattern in the above example provides:

| Token | Description | Example Value |
|---|---|---|
| %t | Time and Date | [16/Jun/2015:14:34:40 +1000] |
| %{User-Agent}i | User Agent string from the incoming request | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0 |
| %h | Remote Host - either an IPv6 or IPv4 address, depending on your network | 0:0:0:0:0:0:0:1 or 192.168.1.1 |
| %m | Request method | GET |
| %r | First line of the request (method and request URI) | GET /crowd/console/login.action;jsessionid=DA3065B254A4341F4DAF3AB1164772AB HTTP/1.1 |
| %b | Bytes sent, excluding the HTTP headers - will return '-' if zero. | 1753 |
| %s | HTTP status code of the response | 200 |
| %I | Current request thread - this is useful in stack traces or logging | http-bio-16280-exec-2 |
| %{X-AUSERNAME}o | Username | charlie.smith |
| %{X-AAPPNAME}o | Application name (the application which makes requests to Crowd) | jira |
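
For a security audit, the entries written with the pattern above can be parsed and summarised. The following is an added example, not Atlassian's code: the function names and the sample log lines are constructed for illustration, and it assumes usernames and application names contain no spaces and that a missing header is logged as '-'.

```python
import re
from collections import Counter

# Pattern from this page: %t %{User-Agent}i %h %m %r %b %s %I %{X-AUSERNAME}o %{X-AAPPNAME}o
# The User-Agent is unquoted and may contain spaces, so the match is anchored on
# the method, which %m and the start of %r both emit ("GET GET /crowd/...").
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<agent>.*) (?P<host>\S+) (?P<method>[A-Z]+) '
    r'(?P=method) (?P<uri>\S+) (?P<proto>HTTP/\S+) (?P<bytes>\d+|-) '
    r'(?P<status>\d{3}) (?P<thread>\S+) (?P<user>\S+) (?P<app>\S+)$'
)
JSESSIONID_RE = re.compile(r';jsessionid=[^;?\s]+', re.IGNORECASE)

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the pattern."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # %r can carry a session id in the URI (see the example value in the table);
    # redact it so it does not spread into derived reports.
    rec['uri'] = JSESSIONID_RE.sub(';jsessionid=REDACTED', rec['uri'])
    rec['status'] = int(rec['status'])
    return rec

def denied_by_host(lines):
    """Count 401/403 responses per remote host (%h)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec['status'] in (401, 403):
            counts[rec['host']] += 1
    return counts

# Constructed sample lines for illustration (not real log data).
SAMPLE = [
    '[16/Jun/2015:14:34:40 +1000] Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0 192.168.1.1 GET GET /crowd/console/login.action;jsessionid=DA3065B254A4341F4DAF3AB1164772AB HTTP/1.1 1753 200 http-bio-16280-exec-2 charlie.smith -',
    '[16/Jun/2015:14:35:02 +1000] ExampleClient/1.0 (Java) 192.168.1.20 POST POST /crowd/rest/example HTTP/1.1 58 401 http-bio-16280-exec-3 - -',
    '[16/Jun/2015:14:35:03 +1000] ExampleClient/1.0 (Java) 192.168.1.20 POST POST /crowd/rest/example HTTP/1.1 58 401 http-bio-16280-exec-4 - -',
    '[16/Jun/2015:14:35:09 +1000] ExampleClient/1.0 (Java) 192.168.1.10 GET GET /crowd/rest/example?x=1 HTTP/1.1 312 200 http-bio-16280-exec-5 - jira',
    'not an access log line',
]

if __name__ == '__main__':
    for host, n in denied_by_host(SAMPLE).most_common():
        print(n, host)
```

Quoting the User-Agent in the valve pattern would remove the need for the method anchor, but the regular expression above matches the pattern exactly as given on this page.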


If all the logged IP addresses are those of your reverse proxy or load balancer, you will need to add this extra valve to your server.xml configuration. This requires that the proxy passes the client IP address through in the x-forwarded headers. Amazon's Elastic Load Balancer does this by default.

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />


For more information, please see the "Access Log Valve Attributes" section of the Tomcat Documentation.

Last modified on August 17, 2022
