How do I enable Access Logging for Crowd?


Scenario

You wish to enable access logging for requests to Crowd. This can be useful when troubleshooting client access problems, or during security audits.

Resolution

According to CWD-5216, the %{X-AUSERNAME}o and %{X-AAPPNAME}o tokens are available in the following versions of Crowd:

Crowd 3.7.x - not available

Crowd 4.0.x - available starting from 4.0.3

Crowd 4.1.x - available starting from 4.1.1

To use the %{X-AUSERNAME}o token, run Crowd with the crowd.username.header system property set to true (it is false by default). When enabled, Crowd adds an X-AUSERNAME header to the HTTP response for every request made by an authenticated user, including REST API requests; the value of the header is the username of the authenticated user making the request. Tomcat's AccessLogValve replaces the %{X-AUSERNAME}o token with the value of that response header.

To use the %{X-AAPPNAME}o token, run Crowd with the crowd.appname.header system property set to true (it is false by default). When enabled, Crowd adds an X-AAPPNAME header to the HTTP response for every REST request made by an authenticated application; the value of the header is the name of the authenticated application making the request. Tomcat's AccessLogValve replaces the %{X-AAPPNAME}o token with the value of that response header.

See Configuring System Properties for how to set the properties mentioned above.


You will need to enable a Tomcat valve for requests to Crowd.

Add the following to the Engine element of Crowd's server.xml file. By default, this file is located at <crowd-install>/apache-tomcat/conf/server.xml.

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".log" pattern="%t %{User-Agent}i %h %m %r %b %s %I %{X-AUSERNAME}o %{X-AAPPNAME}o" />

After restarting Crowd, access logs are written to a file named from the configured prefix, the current date and the configured suffix, for example localhost_access_log.2015-06-16.log.

The files are stored in Tomcat's "logs" directory, by default <crowd-install>/apache-tomcat/logs. Each entry follows the pattern attribute. The pattern in the example above produces:

| Token | Value | Example Value |
|---|---|---|
| %t | Time and date | [16/Jun/2015:14:34:40 +1000] |
| %{User-Agent}i | User-Agent string from the incoming request | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0 |
| %h | Remote host, either an IPv6 or IPv4 address depending on your network | 0:0:0:0:0:0:0:1 or 192.168.1.1 |
| %m | Request method | GET |
| %r | First line of the request: method, request URI and protocol | GET /crowd/console/login.action;jsessionid=DA3065B254A4341F4DAF3AB1164772AB HTTP/1.1 |
| %b | Bytes sent, excluding the HTTP headers; '-' if zero | 1753 |
| %s | HTTP status code of the response | 200 |
| %I | Current request thread; useful when correlating with stack traces or other logging | http-bio-16280-exec-2 |
| %{X-AUSERNAME}o | Username | charlie.smith |
| %{X-AAPPNAME}o | Application name (the application which makes requests to Crowd) | jira |
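The Python script below is added here as a worked example and is not part of the Atlassian article. It parses lines written with the exact pattern configured above (%t %{User-Agent}i %h %m %r %b %s %I %{X-AUSERNAME}o %{X-AAPPNAME}o) and summarises them the way a troubleshooting or audit session would: requests per user, requests per application, and authentication failures (HTTP 401/403) per remote host. Because the User-Agent field contains spaces and is not quoted by the valve, the parser anchors on the fixed-shape fields to its right. The sample log lines are constructed for this example, and the dataclass and function names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Regex for the server.xml pattern:
#   %t %{User-Agent}i %h %m %r %b %s %I %{X-AUSERNAME}o %{X-AAPPNAME}o
# The User-Agent is unquoted and contains spaces, so it is matched lazily and
# everything after it is pinned by the fixed-shape fields up to end of line.
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] "                      # %t, e.g. [16/Jun/2015:14:34:40 +1000]
    r"(?P<user_agent>.*?) "                        # %{User-Agent}i (may contain spaces)
    r"(?P<host>\S+) "                              # %h  remote host (IPv4 or IPv6)
    r"(?P<method>[A-Z]+) "                         # %m  request method
    r"(?P<request>[A-Z]+ \S+ HTTP/\d(?:\.\d)?) "    # %r  request line
    r"(?P<bytes>\d+|-) "                           # %b  bytes sent or '-' for zero
    r"(?P<status>\d{3}) "                          # %s  HTTP status
    r"(?P<thread>\S+) "                            # %I  request thread
    r"(?P<username>\S+) "                          # %{X-AUSERNAME}o or '-' if absent
    r"(?P<appname>\S+)$"                           # %{X-AAPPNAME}o or '-' if absent
)


@dataclass
class AccessLogEntry:
    time: str
    user_agent: str
    host: str
    method: str
    request: str
    bytes_sent: int            # 0 when Tomcat logged '-'
    status: int
    thread: str
    username: Optional[str]    # None when the X-AUSERNAME header was not set
    appname: Optional[str]     # None when the X-AAPPNAME header was not set


def parse_line(line: str) -> Optional[AccessLogEntry]:
    """Parse one access log line; return None for lines not in the pattern."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    g = m.groupdict()
    return AccessLogEntry(
        time=g["time"],
        user_agent=g["user_agent"],
        host=g["host"],
        method=g["method"],
        request=g["request"],
        bytes_sent=0 if g["bytes"] == "-" else int(g["bytes"]),
        status=int(g["status"]),
        thread=g["thread"],
        username=None if g["username"] == "-" else g["username"],
        appname=None if g["appname"] == "-" else g["appname"],
    )


def parse_log(lines: Iterable[str]) -> List[AccessLogEntry]:
    """Parse all lines, silently skipping those that do not match the pattern."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def summarize(entries: Iterable[AccessLogEntry]) -> Dict[str, Dict[str, int]]:
    """Counts useful for an audit: who called, which app called, and where auth failed."""
    entries = list(entries)
    by_user = Counter(e.username for e in entries if e.username)
    by_app = Counter(e.appname for e in entries if e.appname)
    failures = Counter(e.host for e in entries if e.status in (401, 403))
    return {
        "by_user": dict(by_user),
        "by_app": dict(by_app),
        "auth_failures_by_host": dict(failures),
    }


# Constructed sample lines in the configured pattern (not real log data).
SAMPLE_LOG = [
    "[16/Jun/2015:14:34:40 +1000] Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) "
    "Gecko/20100101 Firefox/38.0 192.168.1.1 GET GET /crowd/console/secure/admin/listapplications.action "
    "HTTP/1.1 1753 200 http-bio-16280-exec-2 charlie.smith -",
    "[16/Jun/2015:14:35:02 +1000] Apache-HttpClient/4.5.2 (Java/1.8.0_252) 10.0.0.5 POST POST "
    "/crowd/rest/usermanagement/1/session HTTP/1.1 412 200 http-bio-16280-exec-3 - jira",
    "[16/Jun/2015:14:35:10 +1000] curl/7.64.1 203.0.113.9 GET GET "
    "/crowd/rest/usermanagement/1/user?username=admin HTTP/1.1 - 401 http-bio-16280-exec-4 - -",
    "[16/Jun/2015:14:35:11 +1000] curl/7.64.1 203.0.113.9 GET GET "
    "/crowd/rest/usermanagement/1/group?groupname=crowd-administrators HTTP/1.1 - 401 http-bio-16280-exec-4 - -",
    "2015-06-16 this line is not in the access log pattern and is skipped",
]


if __name__ == "__main__":
    for key, counts in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, counts)
```

Run it against a real file with `parse_log(open(path))`; the `auth_failures_by_host` counter is the quickest way to spot a client that is repeatedly failing application or user authentication, and the `by_app` counter only fills in once crowd.appname.header is enabled as described above.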


If all the logged IP addresses belong to your reverse proxy or load balancer, add the following extra Valve to your server.xml configuration. This requires the proxy to pass the original client IP address through in the x-forwarded headers; Amazon's Elastic Load Balancer does this by default. This

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
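RemoteIpValve only rewrites the address that %h logs when the directly connected peer matches its internalProxies (or trustedProxies) attribute; it then walks the X-Forwarded-For chain from right to left and stops at the first address that is not itself a proxy. The Python function below is added here to model that behaviour and is not Tomcat's code; the CIDR list standing in for Tomcat's default internalProxies regex, and the function name, are assumptions of this example. It shows why a practitioner narrows internalProxies to the load balancer's own addresses: a forwarded header arriving from any other peer is not honoured, so the access log keeps the real connecting address rather than whatever the header claims.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Stand-in for Tomcat's default internalProxies (private ranges plus loopback).
# Tomcat expresses this as a regex; modelled here as CIDR blocks (assumption of
# this example, check the RemoteIpValve documentation for your Tomcat version).
DEFAULT_INTERNAL_PROXIES = [
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "172.16.0.0/12", "::1/128",
]


def _in_ranges(addr: str, ranges: Sequence[str]) -> bool:
    """True if addr parses as an IP and falls inside any of the CIDR ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def resolve_client_ip(remote_addr: str,
                      x_forwarded_for: Optional[str],
                      internal_proxies: Sequence[str] = DEFAULT_INTERNAL_PROXIES
                      ) -> Tuple[str, List[str]]:
    """Simplified model of RemoteIpValve's address resolution.

    Returns (client_ip, proxies_walked). If the connecting peer is not an
    internal proxy the header is ignored entirely and the peer address stands.
    Otherwise the rightmost X-Forwarded-For entries are consumed while they are
    internal proxies, and the first non-proxy address becomes the client.
    """
    if not _in_ranges(remote_addr, internal_proxies):
        return remote_addr, []          # untrusted peer: header not honoured

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    proxies = [remote_addr]
    client = remote_addr
    while hops:
        client = hops.pop()             # walk from the right (nearest hop first)
        if _in_ranges(client, internal_proxies):
            proxies.append(client)
            continue
        break                           # first non-proxy address is the client
    return client, proxies


if __name__ == "__main__":
    # Constructed addresses from documentation ranges; not real hosts.
    print(resolve_client_ip("10.0.0.5", "203.0.113.9"))           # via load balancer
    print(resolve_client_ip("203.0.113.9", "198.51.100.1"))       # direct, header ignored
    print(resolve_client_ip("10.0.0.5", "198.51.100.1, 10.0.0.7"))  # two internal hops
    # Narrowed proxy list: a header from 10.0.0.5 is no longer trusted.
    print(resolve_client_ip("10.0.0.5", "203.0.113.9", ["10.0.0.1/32"]))
```

The last call is the configuration to aim for: set internalProxies on the RemoteIpValve to the exact addresses of your load balancer so that only headers it adds are used, and verify afterwards by comparing %h in the access log against the balancer's own logs.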


For more information, please see the "Access Log Valve Attributes" section of the Tomcat Documentation.

Last modified on Aug 20, 2020
