Enterprise Single Sign-On for All

Logging

CAS provides a logging facility that logs important informational events like authentication success and failure; it can be customized to produce additional information for troubleshooting. CAS uses the Slf4J Logging framework as a facade for the Log4J engine by default.

The default log4j configuration file is located in src/main/resources/log4j2.xml. By default logging is set to INFO for all functionality related to org.apereo.cas code. For debugging and diagnostic purposes you may want to set these levels to DEBUG.

Production

You should always run everything under WARN. In production warnings and errors are things you care about. Everything else is just diagnostics. Only turn up DEBUG or INFO if you need to research a particular issue.

Configuration

It is often time helpful to externalize the log4j2.xml file to a system path to preserve settings between upgrades. The location of log4j2.xml file by default is on the runtime classpath and can be controlled via the CAS properties. To see the relevant list of CAS properties, please review this guide.

Monitoring Logs

To review log settings and output, you may also use the CAS administration panels.

Log Levels

While log levels can directly be massaged via the native log4j2.xml syntax, they may also be modified using the usual CAS properties. To see the relevant list of CAS properties, please review this guide.

Refresh Interval

The log4j2.xml itself controls the refresh interval of the logging configuration. Log4j has the ability to automatically detect changes to the configuration file and reconfigure itself. If the monitorInterval attribute is specified on the configuration element and is set to a non-zero value then the file will be checked the next time a log event is evaluated and/or logged and the monitorInterval has elapsed since the last check. This will allow you to adjust the log levels and configuration without restarting the server environment.

1
2
3
4
<!-- Specify the refresh internal in seconds. -->
<Configuration monitorInterval="15" ...>
        ...
</Configuration>

Log Patterns

By default most appenders that are provided via the log4j2.xml file use pattern-based layouts to format log messages. The following alternative layouts may also be used:

Layout Description
CsvParameterLayout Converts an event’s parameters into a CSV record, ignoring the message.
GelfLayout Lays out events in the Graylog Extended Log Format (GELF).
HTMLLayout Generates an HTML page and adds each LogEvent to a row in a table
JSONLayout Creates log events in well-formed or fragmented JSON.
PatternLayout Formats the log even based on a conversion pattern.
RFC5424Layout Formats log events in accordance with RFC 5424, the enhanced Syslog specification.
SerializedLayout Log events are transformed into byte arrays useful in JMS or socket connections.
SyslogLayout Formats log events as BSD Syslog records.
XMLLayout Creates log events in well-formed or fragmented XML.
YamlLayout Creates log events in YAML.

To learn more about nuances and configuration settings for each, please refer to the official Log4J guides.

Log File Rotation

The default configuration specifies triggering policies for rolling over logs, at startup, size or at specific times. These policies apply to RollingFile appenders.

For example, the following XML fragment defines policies that rollover the log when the JVM starts, when the log size reaches 10 megabytes, and when the current date no longer matches the log’s start date.

1
2
3
4
5
6
7
8
9
10
<RollingFile name="file" fileName="${baseDir}/cas.log" append="true"
                    filePattern="${baseDir}/cas-%d{yyyy-MM-dd-HH}-%i.log">
    ...
    <Policies>
        <OnStartupTriggeringPolicy />
        <SizeBasedTriggeringPolicy size="10 MB"/>
        <TimeBasedTriggeringPolicy />
    </Policies>
    ...
</RollingFile>

The triggering policies determines if a rollover should be performed and rollover strategy can also be design to indicate how that should be done. If no strategy is configured, the default will be used.

To find more a comprehensive documentation, please review the guides here.

Rollover Strategy

Customized rollover strategies provide a delete action that gives users more control over what files are deleted at rollover time than what was possible with the DefaultRolloverStrategy max attribute. The delete action lets users configure one or more conditions that select the files to delete relative to a base directory.

For example, the following appender at rollover time deletes all files under the base directory that match the */*.log glob and are 7 days old or older.

1
2
3
4
5
6
7
8
9
10
11
<RollingFile name="file" fileName="${baseDir}/cas.log" append="true"
             filePattern="${baseDir}/cas-%d{yyyy-MM-dd-HH}-%i.log">
    ...
    <DefaultRolloverStrategy max="5">
        <Delete basePath="${baseDir}" maxDepth="2">
            <IfFileName glob="*/*.log" />
            <IfLastModified age="7d" />
        </Delete>
    </DefaultRolloverStrategy>
    ...
</RollingFile>

To find more a comprehensive documentation, please review the guides here.

Log Data Sanitation

For security purposes, CAS by default will attempt to remove TGT and PGT ids from all log data. This will of course include messages that are routed to a log destination by the logging framework as well as all audit messages. A sample follows below:

1
2
3
4
5
6
7
WHO: audit:unknown
WHAT: TGT-******************123456-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Sat Jul 12 04:10:35 PDT 2014
CLIENT IP ADDRESS: ...
SERVER IP ADDRESS: ...

Certain number of characters are left at the trailing end of the ticket id to assist with troubleshooting and diagnostics.

To see the relevant list of CAS properties, please review this guide.

Routing Logs to Sentry

Log data can be automatically routed to and integrated with Sentry to track and monitor CAS events and errors.

Routing Logs to Papertrail

Papertrail is a cloud-based log management service that provides aggregated logging tools, flexible system groups, team-wide access, long-term archives, charts and analytics exports, monitoring webhooks and more.

See this guide for more info.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
...
<Appenders>
    <Syslog name="Papertrail"
            host="<host>.papertrailapp.com"
            port="XXXXX"
            protocol="TCP" appName="MyApp" mdcId="mdc"
            facility="LOCAL0" enterpriseNumber="18060" newLine="true"
            format="RFC5424" ignoreExceptions="false" exceptionPattern="%throwable{full}">
    </Syslog>
</Appenders>
...
<Loggers>
    <Root level="INFO">
        <AppenderRef ref="Papertrail" />
    </Root>
</Loggers>

Routing Logs to Loggly

Loggly is a cloud-based log management service that makes it easy to access and analyze the mission-critical information within your logs. Log data can be automatically routed to Loggly via Rsyslog. The advantage of using Rsyslog is that it can send TCP events without blocking your application, can optionally encrypt the data, and even queue data to add robustness to network failure.

See this guide for more info.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
...
<Appenders>
    <Socket name="Loggly" host="localhost" port="514" protocol="UDP">
        <PatternLayout>
        <pattern>${hostName} java %d{yyyy-MM-dd HH:mm:ss,SSS}{GMT} %p %t
            %c %M - %m%n</pattern>
        </PatternLayout>
    </Socket>
</Appenders>
...
<Loggers>
    <Root level="INFO">
        <AppenderRef ref="Loggly" />
    </Root>
</Loggers>

Routing Logs to CloudWatch

Log data can be automatically routed to AWS CloudWatch. Support is enabled by including the following module in the overlay:

1
2
3
4
5
<dependency>
     <groupId>org.apereo.cas</groupId>
     <artifactId>cas-server-core-logging-config-cloudwatch</artifactId>
     <version>${cas.version}</version>
</dependency>

With the above module, you may then declare a specific appender to communicate with AWS CloudWatch:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<CloudWatchAppender name="cloudWatch"
                    awsLogGroupName="LogGroupName"
                    awsLogStreamName="LogStreamName"
                    awsLogRegionName="us-west-1"
                    credentialAccessKey="..."
                    credentialSecretKey="..."
                    awsLogStreamFlushPeriodInSeconds="5">
    <PatternLayout>
        <Pattern>%5p | %d{ISO8601}{UTC} | %t | %C | %M:%L | %m %ex %n</Pattern>
    </PatternLayout>
</CloudWatchAppender>
...
<AsyncLogger name="org.apereo" additivity="true" level="debug">
    <appender-ref ref="cloudWatch" />
</AsyncLogger>

The AWS credentials for access key, secret key and region, if left undefined, may also be retrieved from system properties via AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_REGION_NAME. The group name as well as the stream name are automatically created by CAS, if they are not already found.

Routing Logs to Logstash

CAS logging framework has the ability route log messages to a TCP/UDP endpoint. This configuration assumes that the Logstash server has enabled its TCP input on port 9500:

1
2
3
4
5
6
7
8
9
10
11
12
13
...
<Appenders>
    <Socket name="socket" host="localhost" connectTimeoutMillis="3000"
            port="9500" protocol="TCP" ignoreExceptions="false">
      <SerializedLayout />
    </Socket>
</Appenders>
...
<AsyncLogger name="org.apereo" additivity="true" level="debug">
    <appender-ref ref="cas" />
    <appender-ref ref="socket" />
</AsyncLogger>

Routing Logs to SysLog

CAS logging framework does have the ability to route messages to an external syslog instance. To configure this, you first to configure the SysLogAppender and then specify which messages needs to be routed over to this instance:

1
2
3
4
5
6
7
8
9
10
11
12
13
...
<Appenders>
    <Syslog name="SYSLOG" format="RFC5424" host="localhost" port="8514"
            protocol="TCP" appName="MyApp" includeMDC="true"
            facility="LOCAL0" enterpriseNumber="18060" newLine="true"
            messageId="Audit" id="App"/>
</Appenders>
...
<AsyncLogger name="org.apereo" additivity="true" level="debug">
    <appender-ref ref="cas" />
    <appender-ref ref="SYSLOG" />
</AsyncLogger>

You can also configure the remote destination output over SSL and specify the related keystore configuration:

1
2
3
4
5
6
7
8
9
10
11
12
13
...

<Appenders>
    <TLSSyslog name="bsd" host="localhost" port="6514">
      <SSL>
        <KeyStore location="log4j2-keystore.jks" password="changeme"/>
        <TrustStore location="truststore.jks" password="changeme"/>
      </SSL>
    </TLSSyslog>
</Appenders>

...

Mapped Diagnostic Context

To uniquely stamp each request, CAS puts contextual information into the MDC, the abbreviation of Mapped Diagnostic Context. This effectively translates to a number of special variables available to the logging context that may convey additional information about the nature of the request or the authentication event.

Variable Description
remoteAddress Remote address of the HTTP request.
remoteUser Remote user of the HTTP request.
serverName Server name of the HTTP request.
serverPort Server port of the HTTP request.
locale Locale of the HTTP request.
contentType Content type of the HTTP request.
contextPath Context path of the HTTP request.
localAddress Local address of the HTTP request.
localPort Local port of the HTTP request.
remotePort Remote port of the HTTP request.
pathInfo Path information of the HTTP request.
protocol Protocol of the HTTP request.
authType Authentication type of the HTTP request.
method Method of the HTTP request.
queryString Query string of the HTTP request.
requestUri Request URI of the HTTP request.
scheme Scheme of the HTTP request.
timezone Timezone of the HTTP request.
principal CAS authenticated principal id.

Additionally, all available request attributes and parameters are exposed as variables.

The above variables may be used in logging patterns:

  • Use %X by itself to include all variables.
  • Use %X{key} to include the specified variable.
1
2
3
<Console name="console" target="SYSTEM_OUT">
    <PatternLayout pattern="%X{locale} %d %p [%c] - &lt;%m&gt;%n"/>
</Console>