Thanks Ray. The following log4j2.xml RegexFilter configuration worked for
me to eliminate all log entries with the specified string:
---BEGIN---
<Loggers>
    ...
    <AsyncLogger name="org.apereo.inspektr.audit.support" level="info"
                 includeLocation="true" additivity="false">
        <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*"
                     onMatch="DENY" onMismatch="ACCEPT"/>
        <AppenderRef ref="casAudit"/>
    </AsyncLogger>
    ...
</Loggers>
---END---
Oddly enough, I could not get the same RegexFilter to work with my Appender
(as you had suggested). The following RegexFilter string appears to be
ignored:
---BEGIN---
<Appenders>
    ...
    <RollingFile name="auditlogfile"
                 fileName="${baseDir}/cas_audit.log" append="true"
                 filePattern="${baseDir}/cas_audit-%d{yyyy-MM-dd}-%i.log">
        <RegexFilter regex=".*SERVICE_ACCESS_ENFORCEMENT_TRIGGERED.*"
                     onMatch="DENY" onMismatch="ACCEPT"/>
        <PatternLayout pattern="%d %p [%c] - %m%n"/>
        <Policies>
            <OnStartupTriggeringPolicy />
            <SizeBasedTriggeringPolicy size="300 MB"/>
            <TimeBasedTriggeringPolicy />
        </Policies>
    </RollingFile>
    <CasAppender name="casAudit">
        <AppenderRef ref="auditlogfile" />
    </CasAppender>
    ...
</Appenders>
---END---
If I can figure out how to apply the filter to the Appender rather than the
Logger, I could write to two separate CAS audit log appenders, one that is
filtered ("casAudit") and one that is unfiltered ("casAuditVerbose").
In retrospect, I think we will be fine with simply having a single CAS
audit log, removing all "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries from
it. But I am mystified why the RegexFilter fails to perform any action
when configured with the Appender.
Carl
On Tuesday, January 28, 2020 at 3:03:07 PM UTC-5, rbon wrote:
>
> Carl,
>
> To change output of audit logging, you could override it with a custom
> implementation,
> https://apereo.github.io/2019/01/07/cas61-gettingstarted-overlay/#overlay-customization.
>
> This describes modifying text but the process can be used to modify Java
> classes as well. But see,
> https://apereo.github.io/2017/09/10/stop-writing-code/. The Java blog
> entry, https://apereo.github.io/2018/04/01/cas-overlays-supercharged/.
>
> To hide log entries, you can use filters. For example:
>
> <!-- DEBUG TGT and ST
> on logout ST and service -->
> <AsyncLogger
> name="org.apereo.cas.AbstractCentralAuthenticationService" level="error"
> includeLocation="true">
> <RegexFilter
> regex="Publishing.*ticketGrantingTicket=.*serviceTicket=.*"
> onMismatch="DENY" />
> </AsyncLogger>
>
> See here for filter possibilities,
> https://logging.apache.org/log4j/2.x/manual/filters.html
>
> Ray
>
> On Mon, 2020-01-27 at 14:22 -0800, crdaudt wrote:
>
> In updating from CAS 5.x to CAS 6.1.x, I see that additional logging
> information has been added to the cas_audit log, specifically, log entries
> that include "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED". We would either like
> to reduce the amount of information in these entries, or possibly even
> omit these entries altogether. The reason is that the security groups
> listing for many of our users results in rather large log entries. For
> example, my own entry for "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" is an
> entry that is over 3,000 characters long.
>
> Perhaps some of my ideas below are not very good ideas, and I am open to
> perspective.
>
>
> Idea 1: Is it possible to replace the logged results of the "memberOf"
> field with ellipses, and if so, how?
>
> -->I.e., change:
> 2020-01-27 15:56:06,835 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan
> 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=
> https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
> attributes={displayName=[Doe, John], mail=[[email protected]],
> memberOf=[CN=securityGroup1,OU=Faculty Groups,OU=Security
> Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup2,OU=Faculty
> Groups,OU=Security
> Groups,DC=myADdomain,DC=myuniversity,DC=edu, CN=securityGroup3,OU=Faculty
> Groups,OU=Security Groups,DC=myADdomain,DC=myuniversity,DC=edu],
> sAMAccountName=[john_doe],
> UDC_IDENTIFIER=[john_doe]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56
>
> -->Into something like this:
> 2020-01-27 15:56:06,835 INFO
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Jan
> 27 15:56:06 EST 2020|CAS|[result=Service Access Granted,service=
> https://my.casServer.edu/idp/Aut...,principal=SimplePrincipal(id=john_doe,
> attributes={displayName=[Doe, John], mail=[[email protected]],
> memberOf=[...]}),requiredAttributes={}]|SERVICE_ACCESS_ENFORCEMENT_TRIGGERED|audit:unknown|10.2.100.56
>
>
> Idea 2: Is it possible to omit the log entries for
> "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" altogether and if so, how?
>
>
> Idea 3: Is it possible to create two separate audit log files, one
> without the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED" entries (call this
> cas_audit.log) and one with the "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED"
> (call this cas_audit_log.verbose)? If so, how? In this case, I would
> likely gzip the verbose logs relatively frequently.
>
>
> I am open to other ideas as well.
>
> Carl
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>