Event logging

Event logging tracks users throughout the authentication process. The authentication log can be used to conduct audits. The granularity of the logged actions must be fine enough to determine precisely which path the user followed during a session on the OpenASelect Server. The actions to be logged must be determined beforehand and chosen wisely, since, unlike with system (debug) logging, these actions cannot be reproduced after an incident has taken place.

Purpose

The purpose of authentication logging is to record user behavior throughout the system. The resulting logs should provide the administrator with useful information when an audit is required.

Logging details

The authentication log should only contain truly important events: audit trails have to be kept for a long time, and debug or informational messages are wasteful there. The audit trail should cover all phases of the authentication session.

Authentication events should be logged centrally. Ensure that audit logs are sent to trusted systems over a trusted and secure channel.

In order to ensure that the logging is useful and can be linked to other events, the following scheme is used:

  • Timestamp
    • Can be used to determine the sequence in which a user's actions took place.
  • Session ID
    • The value that identifies the user session. All actions of a certain user can be linked by referencing the session id.
  • Ticket Granting Ticket (TGT) ID
    • The value that identifies the user's TGT. All actions of a certain user can be linked by referencing the TGT.
  • Session state
    • The state of the authentication session
  • User IP address
  • User name
  • User authentication profile
  • Requestor
    • The id of the requestor that initiated the authentication
  • Event
    • The event that occurred
  • Event detail
    • Optional, event-specific details
  • Authority
    • Unique name of the component that performs the event logging

Authorities

Authentication steps should only be logged at the point where the authentication state changes. As not all classes are supposed to change this state, not all classes are supposed to write authentication log entries. Classes that change the authentication state are denoted 'Authentication Authorities'. Authentication Authority classes must implement the IAuthority interface and hence its getAuthority method, which returns the type of authority they represent.

New authorities should be added with great caution. Usually, only the managing classes are considered the real authorities, since these are in charge of changing the state.

Usually the authority name resembles the class name. The prefix indicates the position in the authentication process; the remainder represents the role the component plays in that part of the process.
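The following stand-alone Java program is an added example, not OpenASelect code, that ties the logging scheme above to the authority concept: a record with exactly the scheme's fields, a tab-separated line format for the central collector (with a parser for the audit side), two demo authorities that name themselves through getAuthority, and an audit helper that reconstructs the path one session followed by correlating on its session id. The interface IAuthority, the enums SessionState and UserEvent, the classes DemoSessionManager and DemoPasswordAuthN, the record AuditEvent and all sample identifiers are assumptions made for this illustration; the real server's types and names differ.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class AuditTrailDemo {

    // Reconstruct the path one session took through the server: the events
    // logged under its session id, in timestamp order.
    static List<UserEvent> sessionPath(List<AuditEvent> trail, String sessionId) {
        List<UserEvent> path = new ArrayList<>();
        trail.stream()
             .filter(e -> e.sessionId().equals(sessionId))
             .sorted(Comparator.comparing(AuditEvent::timestamp))
             .forEach(e -> path.add(e.event()));
        return path;
    }

    public static void main(String[] args) {
        IAuthority sessions = new DemoSessionManager();
        IAuthority password = new DemoPasswordAuthN();
        // Constructed sample identifiers; none of these come from a real deployment.
        String sid = "sess-01", requestor = "sp.example.org", ip = "203.0.113.7";

        List<AuditEvent> written = List.of(
            new AuditEvent(Instant.parse("2024-01-01T10:00:00Z"), sid, null, SessionState.SESSION_CREATED,
                ip, null, null, requestor, UserEvent.SESSION_CREATED, null, sessions.getAuthority()),
            new AuditEvent(Instant.parse("2024-01-01T10:00:05Z"), sid, "tgt-77", SessionState.USER_AUTHENTICATED,
                ip, "alice", "password", requestor, UserEvent.AUTHN_SUCCESS, null, password.getAuthority()),
            new AuditEvent(Instant.parse("2024-01-01T10:30:00Z"), sid, "tgt-77", SessionState.USER_LOGGED_OUT,
                ip, "alice", "password", requestor, UserEvent.USER_LOGGED_OUT, "user initiated", sessions.getAuthority()));

        // What the central log store receives: one line per state change,
        // then read back as the auditor would see it.
        List<AuditEvent> readBack = new ArrayList<>();
        for (AuditEvent e : written) {
            String line = e.toLogLine();
            System.out.println(line);
            readBack.add(AuditEvent.fromLogLine(line));
        }
        // The audit question: which path did session sess-01 follow?
        System.out.println(sessionPath(readBack, sid));
    }
}

// Stand-in for the page's IAuthority: only components that change the
// authentication state implement it and thereby name themselves in the log.
interface IAuthority {
    String getAuthority();
}

// Demo authorities (hypothetical). The prefix marks the position in the
// authentication process, the remainder the component's role in that part.
final class DemoSessionManager implements IAuthority {
    public String getAuthority() { return "engine.sessionmanager"; }
}
final class DemoPasswordAuthN implements IAuthority {
    public String getAuthority() { return "authn.password"; }
}

// Stand-in enums; the real server defines its own states and events.
enum SessionState { SESSION_CREATED, USER_AUTHENTICATED, USER_LOGGED_OUT }
enum UserEvent { SESSION_CREATED, AUTHN_SUCCESS, USER_LOGGED_OUT }

// One audit record carrying exactly the fields of the logging scheme.
record AuditEvent(Instant timestamp, String sessionId, String tgtId, SessionState state,
                  String userIp, String userName, String authnProfile, String requestorId,
                  UserEvent event, String detail, String authority) {

    // Tab-separated line for the central collector. "-" marks a field that is
    // not yet known at this point of the session (no TGT before authentication).
    String toLogLine() {
        return String.join("\t", timestamp.toString(), sessionId, dash(tgtId), state.name(),
                userIp, dash(userName), dash(authnProfile), requestorId, event.name(),
                dash(detail), authority);
    }

    // Inverse of toLogLine; rejects lines that do not carry all eleven fields,
    // so a truncated or tampered record is noticed rather than silently misread.
    static AuditEvent fromLogLine(String line) {
        String[] f = line.split("\t", -1);
        if (f.length != 11) throw new IllegalArgumentException("expected 11 fields, got " + f.length);
        return new AuditEvent(Instant.parse(f[0]), f[1], undash(f[2]), SessionState.valueOf(f[3]),
                f[4], undash(f[5]), undash(f[6]), f[7], UserEvent.valueOf(f[8]), undash(f[9]), f[10]);
    }

    private static String dash(String s) { return s == null ? "-" : s; }
    private static String undash(String s) { return "-".equals(s) ? null : s; }
}
```

Run it with `java AuditTrailDemo.java` (Java 16 or later, for records). The authority string is always taken from getAuthority() rather than typed at the call site, so the log cannot name a component that is not an authority, and the fixed field count lets the audit side reject incomplete records instead of guessing at their meaning.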

The event logger and event log items

The event logger performs the actual event logging. It can log the following EventLogItems:

  • UserEventLogItem
  • RequestorEventLogItem

Code example

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// Obtain the central event logger by its well-known name.
Log eventLogger = LogFactory.getLog(Engine.EVENT_LOGGER);
// Log the state change as a UserEventLogItem; 'this' is the IAuthority that changed the state.
eventLogger.info(new UserEventLogItem(oSession.getId(), oTgt.getId(),
    SessionState.USER_LOGGED_OUT,            // new session state
    UserEvent.USER_LOGGED_OUT,               // event that occurred
    (user != null) ? user.getID() : null,    // user name, if a user is known in this session
    oRequest.getRemoteAddr(),                // user IP address
    null, this, null));                      // optional values left empty; 'this' supplies the authority