Version: 4.25.x.x LTS

Logging configuration

The tracing facility of nevisAuth depends on the deployment. Tracing is configured using the following command:

# nevisauth default config log

Automatic reloading of logging configuration

nevisAuth supports runtime reconfiguration of the logging subsystem in the J2EE deployment with log4j. You start the automatic refresh daemon thread by setting the following Java system property:

-Dch.nevis.tracing.refresh=true

When set to "true", changes to the log4j configuration are picked up and reloaded within seconds, without restarting nevisAuth.

Logging layout patterns

The layout pattern of each appender is configured with the ConversionPattern parameter of its layout, as in the following example:

<appender name="SERVER" class="org.apache.log4j.RollingFileAppender">
  <errorHandler class="org.apache.log4j.helpers.OnlyOnceErrorHandler"/>
  <param name="File" value="log/esauth4sv.log"/>
  <param name="Append" value="true"/>
  <param name="MaxFileSize" value="10MB"/>
  <param name="MaxBackupIndex" value="9"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d{ISO8601} %-15.15t %12X{conversationId} %-20.20c %-5.5p %X{indent}%m%n"/>
  </layout>
</appender>

The above example prefixes each log line with, in this order:

  • the date/time stamp (%d),
  • the thread name (%t),
  • the conversation ID (%X{conversationId}),
  • the trace group (%c),
  • the priority of the trace message (%p).

It also indents traces (%X{indent}). The format modifiers have the usual log4j meaning: "-" left-justifies the value, the number before the dot is the minimum width (the value is padded), and the number after the dot is the maximum width. log4j truncates from the beginning of the value, so %-15.15t keeps the last 15 characters of a long thread name and %-20.20c the last 20 characters of a long trace group name.

nevisAuth places several context values in log4j's MDC (mapped diagnostic context) in the J2EE deployment. The values can be accessed in the ConversionPattern using the %X{...} syntax:

  • clientAddress: Address (IP) of the client
  • clientId: ID of the client, as transmitted by nevisProxy
  • conversationId: Unique identifier of the authentication conversation
  • currentResource: URL of current request
  • resource: URL of original request that triggered the authentication operation
  • domain: Domain (Realm) of the authentication
  • indent: Indentation of the log message
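The following Python script is an example added to this page (it is not nevisAuth code). It renders records the way the SERVER appender's ConversionPattern does, including log4j's padding and from-the-beginning truncation, and parses such lines back into their fields so that audit messages can be grouped per conversationId, which is the key for following one authentication conversation through the log. All records, thread names, IDs and message texts are constructed sample data.

```python
# Emulate the SERVER appender's ConversionPattern
#   %d{ISO8601} %-15.15t %12X{conversationId} %-20.20c %-5.5p %X{indent}%m%n
# and parse the resulting lines back into fields.  Added example, not
# nevisAuth code; the records below are constructed sample data.
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Record:
    ts: str          # log4j ISO8601 form: yyyy-MM-dd HH:mm:ss,SSS
    thread: str
    category: str    # trace group, e.g. AuthEngine or AuthAudit
    level: str       # DEBUG, INFO, WARN, ERROR, FATAL
    message: str
    mdc: dict = field(default_factory=dict)  # conversationId, indent, ...


def fmt(value, min_width, max_width=None, left=False):
    """log4j 1.x format modifiers: pad to min_width (right-justified unless
    '-' was given) and, above max_width, drop characters from the BEGINNING,
    so %-15.15t keeps the last 15 characters of a long thread name."""
    if max_width is not None and len(value) > max_width:
        value = value[-max_width:]
    if len(value) < min_width:
        value = value.ljust(min_width) if left else value.rjust(min_width)
    return value


def format_line(r):
    """Render one record as the SERVER PatternLayout would (without %n)."""
    return "%s %s %s %s %s %s%s" % (
        r.ts,
        fmt(r.thread, 15, 15, left=True),
        fmt(r.mdc.get("conversationId", ""), 12),
        fmt(r.category, 20, 20, left=True),
        fmt(r.level, 5, 5, left=True),
        r.mdc.get("indent", ""),
        r.message,
    )


TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")


def parse_line(line):
    """Parse one SERVER log line by column position:
    ts(23) sp thread(15) sp conversationId(>=12, right-justified) sp
    category(20) sp level(5) sp indent+message.
    Returns None for lines not in this layout (e.g. stack trace lines)."""
    line = line.rstrip("\n")
    if len(line) < 40 or not TS_RE.match(line) or line[23] != " " or line[39] != " ":
        return None
    tail = line[40:]
    end = tail.find(" ", 12)   # conversationId fills at least 12 columns
    if end < 0:
        return None
    conv = tail[:end].strip()
    fields = tail[end + 1:]
    if len(fields) < 27 or fields[20] != " " or fields[26] != " ":
        return None
    rest = fields[27:]
    message = rest.lstrip(" ")
    indent = rest[: len(rest) - len(message)]
    return Record(
        ts=line[:23],
        thread=line[24:39].rstrip(),
        category=fields[:20].rstrip(),
        level=fields[21:26].rstrip(),
        message=message,
        mdc={"conversationId": conv, "indent": indent},
    )


def by_conversation(lines, categories=("AuthAudit",)):
    """Group messages of the given trace groups per conversationId."""
    groups = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is not None and r.category in categories:
            groups[r.mdc["conversationId"]].append(r.message)
    return dict(groups)


# Constructed sample records (thread names, messages and IDs are invented).
SAMPLE = [
    Record("2024-05-17 10:21:33,101", "http-nio-8991-exec-1", "AuthEngine", "INFO",
           "processing state 'LoginState'", {"conversationId": "c0ffee000001", "indent": "  "}),
    Record("2024-05-17 10:21:33,104", "http-nio-8991-exec-1", "AuthAudit", "INFO",
           "user 'alice' authenticated in domain 'Intranet'", {"conversationId": "c0ffee000001"}),
    Record("2024-05-17 10:21:34,220", "http-nio-8991-exec-2", "AuthAudit", "WARN",
           "authentication failed for user 'mallory'", {"conversationId": "c0ffee000002"}),
    Record("2024-05-17 10:21:35,000", "Store-Reporter", "Store", "INFO",
           "sessions: 42 active"),  # no conversation: empty MDC value
]
SAMPLE_LINES = [format_line(r) for r in SAMPLE]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print(by_conversation(SAMPLE_LINES))
```

Parsing by column position rather than by splitting on whitespace is deliberate: thread names may contain spaces, the conversationId column is empty for lines logged outside a conversation, and a fixed-width layout is what makes the lines machine-readable in the first place.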

Important trace groups

The following table lists the most important general trace groups for the JavaEE server (log4j tracing), in combination with the relevant debugging use cases:

  log4j setting                     Use case
  log4j.rootLogger=DEBUG, FILE      Full trace analysis (debugging in test environment only)
  log4j.logger.jcan.Op=INFO         Operational analysis including overall processing duration and total memory usage (for production systems)
  log4j.logger.AuthPerf=INFO        Performance report, one per request
  log4j.logger.AuthEngine=INFO      Analyzing the state processing workflow
  log4j.logger.AuthEngine=DEBUG     Analyzing the state processing workflow in detail (verbose)
  log4j.logger.Vars=INFO            Variable and expression handling
  log4j.logger.Store=INFO           Periodic report of session management (for production systems)
  log4j.logger.SessCoord=DEBUG      Analyzing session lifecycle in detail (verbose)
  log4j.logger.AuthAudit=INFO       Auditing (should always be enabled)

For processing details of the corresponding authentication plug-in, see the "Logging" section of the corresponding AuthState.

Syslog

You may forward log messages to a local or remote syslog host by configuring a dedicated appender, either in addition to the existing file appenders or as a replacement for them.

The original SyslogAppender delivered with log4j truncates messages to a maximum length of 1024 bytes. This is the message size limit defined in RFC 3164.

RFC 5424, which obsoletes RFC 3164, no longer imposes this limit (receivers should accept at least 2048 bytes and may accept more), so current syslog servers are usually able to receive messages longer than 1024 bytes and the limit can be ignored in most cases. To enable sending oversized syslog messages, nevisAuth comes with its own custom log4j appender, the NevisSyslogAppender, which ignores the 1024-byte limit. With the exception of the removed length checks, the NevisSyslogAppender is an exact copy of the official log4j SyslogAppender.

Note that the log4j SyslogAppender, and therefore the NevisSyslogAppender, sends each message as a single UDP datagram. Delivery is neither acknowledged nor encrypted, and a datagram larger than the path MTU is fragmented on the way to the receiver, where fragments may be dropped. When audit records are forwarded to a remote host this way, keep the path on a trusted network segment or send to a local syslog daemon that relays over TCP/TLS.

The NevisSyslogAppender is configured in the log4j configuration by defining an appender that references the class ch.nevis.commons.log4j.net.NevisSyslogAppender.

See the sample configuration below, which sends the audit trace group both to the existing AUDIT file appender and to syslog:

<appender class="ch.nevis.commons.log4j.net.NevisSyslogAppender" name="SYSLOG_AUDIT">
  <param name="SyslogHost" value="loghost.zh.adnovum.ch:514"/>
  <param name="Facility" value="LOCAL3"/>
  <param name="Threshold" value="INFO"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="nevisAuth/audit/authnb: %d{ISO8601} %15.15t %12X{conversationId}%X{transferId} %-20.20c %-5.5p %X{indent}%m%n"/>
  </layout>
</appender>

<category additivity="false" name="ch.nevis.esauth.util.audit">
  <priority value="TRACE"/>
  <appender-ref ref="AUDIT"/>
  <appender-ref ref="SYSLOG_AUDIT"/>
</category>
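As an added example (not nevisAuth code), the following Python snippet builds the syslog datagram a log4j 1.x-style appender sends for the SYSLOG_AUDIT settings above and classifies it against the 1024-byte RFC 3164 limit and the maximum size of one UDP datagram; it also computes how many bytes the fixed layout fields leave for the message text under the 1024-byte limit. It assumes the datagram is "<PRI>" followed by the layout output (the log4j 1.x default without the RFC 3164 header), the log4j 1.x level-to-severity mapping (FATAL 0, ERROR 3, WARN 4, INFO 6, DEBUG and TRACE 7), and that the trailing %n is not counted. The audit lines are constructed.

```python
# Syslog datagram size check for the SYSLOG_AUDIT appender settings above.
# Added example, not nevisAuth code.  Assumptions: datagram = "<PRI>" +
# layout output (log4j 1.x default, no RFC 3164 header), log4j 1.x
# level-to-severity mapping, trailing %n not counted.

FACILITY = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
    "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23,
}
# log4j 1.x Level.getSyslogEquivalent()
SEVERITY = {"FATAL": 0, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7, "TRACE": 7}

RFC3164_MAX = 1024    # limit enforced by the stock log4j SyslogAppender
UDP_IPV4_MAX = 65507  # largest UDP payload that fits one IPv4 datagram

# Fixed part of the SYSLOG_AUDIT ConversionPattern, in characters:
#   prefix "nevisAuth/audit/authnb: " (24) + %d{ISO8601} (23) + %15.15t (15)
#   + %12X{conversationId} (at least 12) + %-20.20c (20) + %-5.5p (5)
#   + 5 separating spaces.  %X{transferId} and %X{indent} are variable.
LAYOUT_PREFIX = "nevisAuth/audit/authnb: "
FIXED_FIELDS = 23 + 1 + 15 + 1 + 12 + 1 + 20 + 1 + 5 + 1


def pri(facility, level):
    """RFC 3164 / RFC 5424 PRI value: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[level]


def datagram(facility, level, layout_output):
    """Bytes a log4j 1.x style syslog appender puts on the wire for one event."""
    return ("<%d>%s" % (pri(facility, level), layout_output)).encode("utf-8")


def classify(dgram):
    """'ok': fits the RFC 3164 limit, so the stock SyslogAppender delivers it
    unchanged.  'oversized': only the NevisSyslogAppender (with an RFC 5424
    receiver) will do.  'undeliverable': cannot fit into one UDP datagram."""
    n = len(dgram)
    if n <= RFC3164_MAX:
        return "ok"
    if n <= UDP_IPV4_MAX:
        return "oversized"
    return "undeliverable"


def message_budget(facility="LOCAL3", level="INFO", limit=RFC3164_MAX):
    """Bytes left for an ASCII %m under `limit` once PRI and the fixed
    layout fields of the SYSLOG_AUDIT pattern are accounted for."""
    return limit - len("<%d>" % pri(facility, level)) - len(LAYOUT_PREFIX) - FIXED_FIELDS


# Constructed sample layout output, padded as the SYSLOG_AUDIT PatternLayout
# would render it (thread truncated to 15, category and level padded).
SHORT_AUDIT = LAYOUT_PREFIX + "2024-05-17 10:21:33,104 nio-8991-exec-1 c0ffee000001 " + (
    "%-20s %-5s %s" % ("AuthAudit", "INFO", "user 'alice' authenticated in domain 'Intranet'")
)
# Same record with a large attribute dump appended (constructed).
LONG_AUDIT = SHORT_AUDIT + " attributes=" + ",".join(
    "attr%03d=value%03d" % (i, i) for i in range(120)
)

if __name__ == "__main__":
    for name, text in (("short", SHORT_AUDIT), ("long", LONG_AUDIT)):
        d = datagram("LOCAL3", "INFO", text)
        print("%-5s %5d bytes -> %s" % (name, len(d), classify(d)))
    print("bytes available for %%m under RFC 3164: %d" % message_budget())
```

Run this against a sample of your own audit lines before choosing the appender: if every datagram classifies as "ok", the stock SyslogAppender is sufficient; if some are "oversized", use the NevisSyslogAppender and verify that the receiving syslog server accepts messages of that length; anything "undeliverable" will be lost by both appenders.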