FWIW, the underlying Inspektr component that CAS uses for its slf4j audit events destination is extensible, and one could always plug in their own output formatting implementation to suit their needs:
https://github.com/Jasig/inspektr/blob/master/inspektr-audit/src/main/java/org/jasig/inspektr/audit/support/AbstractStringAuditTrailManager.java

Best,
Dmitriy.

> On Jul 17, 2015, at 9:12 AM, Marvin Addison <[email protected]> wrote:
>
> I recall having seen some discussion of CAS+Splunk in the past. We've been ingesting all CAS logs into Splunk for over a year now and it's generally awesome. We recently had a need to query for a list of services accessed by a single user, and that turns out to be spectacularly difficult due to the layout of the audit logs. The root problem is that the CAS audit log is a record-oriented log (timestamp, what, principal, action, ...), but the TGT that could be used to correlate the service access events jumps around. In the case of an authentication, where the user principal is logged, it's in the "what" field. In the service ticket creation events, where you see the service name in the "what" field, it appears in the "principal" field. That precludes the use of the Splunk "transaction" command, which would make the query trivial.
>
> Given the layout of CAS audit logs, has anyone accomplished this sort of query? I think join with field renaming may be promising, but I am afraid the performance may be so terrible it won't be feasible for any large time window.
>
> I don't know how popular Splunk is in the CAS community, but we might consider some changes to the audit log format to facilitate "follow this ticket" kind of queries. It could arguably have value beyond Splunk.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
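The correlation problem Marvin describes (the TGT sitting in "what" for authentication events but in "principal" for service ticket events) can be normalized before the records ever reach Splunk, which is the kind of reshaping a custom output formatter plugged into Inspektr could do. The following is an added example, not code from this thread or from CAS/Inspektr: it lifts the TGT into one dedicated field regardless of which column it was logged in, then answers the "which services did this user access" question with a two-pass join over constructed sample records. The pipe-delimited layout, the ticket id pattern, the user names and the service URLs are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the record-oriented shape the thread describes:
# timestamp | principal | what | action. The pipe layout, ticket ids, users and
# service URLs are assumptions for this example, not real CAS audit output.
SAMPLE_AUDIT_LOG = """\
2015-07-17 09:00:01|jdoe|TGT-1-abcdef123-cas01|TICKET_GRANTING_TICKET_CREATED
2015-07-17 09:00:05|TGT-1-abcdef123-cas01|https://wiki.example.edu/|SERVICE_TICKET_CREATED
2015-07-17 09:01:10|TGT-1-abcdef123-cas01|https://mail.example.edu/|SERVICE_TICKET_CREATED
2015-07-17 09:02:00|asmith|TGT-2-zzz999-cas01|TICKET_GRANTING_TICKET_CREATED
2015-07-17 09:02:30|TGT-2-zzz999-cas01|https://wiki.example.edu/|SERVICE_TICKET_CREATED
2015-07-17 09:03:00|audit:unknown|TGT-1-abcdef123-cas01|TICKET_GRANTING_TICKET_DESTROYED
2015-07-17 09:04:00|TGT-9-notinwindow-cas01|https://lms.example.edu/|SERVICE_TICKET_CREATED
2015-07-17 09:05:00|bob|bob|AUTHENTICATION_FAILED
"""

# Ticket-granting ticket ids start with "TGT-"; the suffix pattern is an
# assumption that matches the constructed sample above.
TGT_RE = re.compile(r"TGT-\d+-[A-Za-z0-9-]+")


def parse_record(line):
    """Split one pipe-delimited record and lift the TGT, wherever it sits,
    into a dedicated 'tgt' field so every event carries the same join key."""
    timestamp, principal, what, action = line.split("|", 3)
    tgt = None
    for field in (what, principal):
        m = TGT_RE.search(field)
        if m:
            tgt = m.group(0)
            break
    return {"timestamp": timestamp, "principal": principal, "what": what,
            "action": action, "tgt": tgt}


def normalize(log_text):
    """Parse every non-empty line into a record with a stable 'tgt' key."""
    return [parse_record(l) for l in log_text.splitlines() if l.strip()]


def services_by_user(records):
    """Two-pass correlation: first learn which user owns each TGT from the
    TGT-creation events, then attribute service-ticket events to that user.
    Service events whose TGT was created outside the ingested window are
    grouped under None so the caller can see what could not be resolved."""
    owner = {}
    for r in records:
        if r["action"] == "TICKET_GRANTING_TICKET_CREATED" and r["tgt"]:
            owner[r["tgt"]] = r["principal"]
    result = defaultdict(list)
    for r in records:
        if r["action"] == "SERVICE_TICKET_CREATED" and r["tgt"]:
            result[owner.get(r["tgt"])].append(r["what"])
    return dict(result)


if __name__ == "__main__":
    for user, services in services_by_user(normalize(SAMPLE_AUDIT_LOG)).items():
        print(user or "<unresolved TGT>", "->", ", ".join(services))
```

Once every record carries the same `tgt` field, the join that the thread worries about becomes a single group-by on that key, and the unresolved bucket makes the time-window boundary visible instead of silently dropping events.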
