How do I enable Access Logging for Crowd?
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Scenario
You wish to enable access logging for requests to Crowd. This can be useful when troubleshooting client access problems, or during security audits.
Resolution
According to CWD-5216 ("Crowd access logs does not log the username"), the %{X-AUSERNAME}o and %{X-AAPPNAME}o tokens are available in the following versions of Crowd:
Crowd 3.7.x - not available
Crowd 4.0.x - available starting from 4.0.3
Crowd 4.1.x - available starting from 4.1.1
To use the %{X-AUSERNAME}o token, run Crowd with the crowd.username.header system property set to true (the default is false). When it is true, Crowd adds an X-AUSERNAME header to the HTTP response for every request made by an authenticated user, including REST API requests; the header value is the username of the user making the request. Tomcat's AccessLogValve reads this response header and replaces the token with its value.
To use the %{X-AAPPNAME}o token, run Crowd with the crowd.appname.header system property set to true (the default is false). When it is true, Crowd adds an X-AAPPNAME header to the HTTP response for every REST request made by an authenticated application; the header value is the name of the application making the request. Tomcat's AccessLogValve reads this response header in the same way.
Neither header is written for unauthenticated requests, so the AccessLogValve records '-' for those fields. Both headers are also visible to the client that made the request, which is why they are disabled by default.
Please reference Configuring System Properties for adding the values mentioned above.
You will need to enable a Tomcat valve for requests to Crowd. Add the following to the Engine element of Crowd's server.xml file. By default, this file is located at <crowd-install>/apache-tomcat/conf/server.xml.
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".log" pattern="%t %{User-Agent}i %h %m %r %b %s %I %{X-AUSERNAME}o %{X-AAPPNAME}o" />
Note that the User-Agent token in this pattern is not quoted, and user agent strings usually contain spaces. If you intend to parse the log with a script, surround the token with double quotes in the pattern ("%{User-Agent}i", as Tomcat's own "combined" pattern does) so the field boundaries are unambiguous.
After restarting Crowd, access logs are written to a file named after the prefix and suffix specified plus the current date, for example localhost_access_log.2015-06-16.log. The files are stored in Tomcat's "logs" directory, by default <crowd-install>/apache-tomcat/logs. Because the log now records usernames and calling applications, restrict read access to that directory and include it in your log retention policy. Entries are based on the pattern attribute. The pattern in the above example provides:
| Token | Value | Example Value |
|---|---|---|
| %t | Time and date | |
| %{User-Agent}i | User-Agent string from the incoming request | |
| %h | Remote host, either an IPv4 or IPv6 address, depending on your network | |
| %m | Request method | |
| %r | First line of the request (method, request URI and protocol) | |
| %b | Bytes sent, excluding the HTTP headers; '-' if zero | |
| %s | HTTP status code of the response | |
| %I | Name of the thread that handled the request, useful for matching entries against stack traces in other logs | |
| %{X-AUSERNAME}o | Username | charlie.smith |
| %{X-AAPPNAME}o | Application name (the application which makes requests to Crowd) | jira |
If all the logged IP addresses belong to your reverse proxy or load balancer, add the following valve to the same Engine element of server.xml. This requires the proxy to pass the client address through in the X-Forwarded-For header; Amazon's Elastic Load Balancer does this by default.
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
Two caveats apply. First, the RemoteIpValve only honours the header when the connecting address matches its internalProxies (private address ranges by default) or trustedProxies attribute; because X-Forwarded-For is client-supplied, make sure your proxy overwrites rather than appends to it, and narrow internalProxies to the proxy's addresses so that nothing else reaching Tomcat can choose the IP that gets logged. Second, the RemoteIpValve restores the original client address once the request has been processed, so either list it before the AccessLogValve in server.xml or set requestAttributesEnabled="true" on the AccessLogValve; otherwise %h will continue to show the proxy's address.
For more information, please see the "Access Log Valve Attributes" section of the Tomcat Documentation.