
idp audit log

type: user_template_graph
usertemplate: idp_audit_log
author: jehan_procaccia
description: Shibboleth IDP audit log
Cacti: 0.8.7g
date: 2012-05-10
includes: yes
script: Bash Script
templates: idp shibboleth

Download

Version: 0.8.7g
File: cacti-shibboleth-idp-stats.tgz

Introduction

This template is based on loganalysis.py, the IdP Audit Log Analysis Tool script for Shibboleth 2.x: https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+Audit+Log+Analysis+Tool This script parses the idp-audit.log and outputs text-formatted stats for the whole audit log file. A slight modification has been added here (option -t) in order to get rrdtool-formatted output. In order to get 5-minute period stats for Cacti, I prefix that script with a tac (cat in reverse!) on the log plus an awk parser that keeps only the log entries timestamped between now and 5 minutes ago.

Installation

  1. Copy loganalysis.py, parselog.awk and runidpstats.sh to /usr/local/bin on the IDP server.
  2. Enable SNMP execution of the script on the IDP server: in snmpd.conf add
extend runidpstats.sh /usr/local/bin/runidpstats.sh
  3. Copy shibboleth-idp-stats.sh to the Cacti server's scripts directory ($CACTI_HOME/scripts/) and replace the -c “your_community_string” in it with your SNMP community:
snmpwalk -v 2c -Ovq -c your_community_string $1 nsExtendOutputFull | grep -e rp
  4. From the Cacti web console, import the 2 template files (cacti_*.xml) into Cacti by using the “Import Templates” function in the console menu.

Screenshots

Usage

  1. Select your host from the device menu
  2. Select “Create Graphs for this Host”
  3. In the “Graph Templates” Box, choose “Shibboleth-idp-stats-gt” in the create drop down menu
  4. Wait 10 minutes to get your graph up and running

Debug

1) First check locally on the IDP that logs are collected for the last 5 minutes by running the script

# /usr/local/bin/runidpstats.sh 
rp:1 l:3 u:1

or by sequentially running the content of the script

/usr/bin/tac /opt/shibboleth-idp/logs/idp-audit.log | awk -f /usr/local/bin/parselog.awk |/usr/local/bin/loganalysis.py -t -
rp:1 l:3 u:1

You can also check the original use of loganalysis.py by running it with its more standard output

# cat /opt/shibboleth-idp/logs/idp-audit.log |/usr/local/bin/loganalysis.py -cul -
1 unique relying party
1 unique userid
4 logins

2) Check that the Cacti server can access the values over SNMP

# snmpwalk  -v 2c -Ovq -c your_community_string idphost.domain.tl nsExtendOutputFull
rp:1 l:3 u:1

or for a full oid output

# snmpwalk  -v 2c -On -c your_community_string idphost.domain.tl nsExtendOutputFull
.1.3.6.1.4.1.8072.1.3.2.3.1.2.14.114.117.110.105.100.112.115.116.97.116.115.46.115.104

Caveats

On my IDP server, whenever the idp-audit.log gets bigger (above 100 lines, which happens often!), there is a problem with /usr/bin/tac that breaks something

# snmpwalk  -v 2c -Ovq -c your_community_string idphost.domain.tl nsExtendOutputFull
/usr/bin/tac: write error: Broken pipe
rp:1 l:1 u:1

That's why the Cacti script pipes the output to a “grep -e rp”, in order to get only the 2nd line of the snmpwalk output

snmpwalk  -v 2c -Ovq -c your_community_string $1 nsExtendOutputFull | grep -e rp

Surely, that “hack” to get only the last 5 minutes of the idp-audit.log is not the best thing to do, but it does the job!

Any contribution on that point will be greatly appreciated.
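
One alternative to the tac-plus-awk window described above, given here as an added example that is not part of the template tarball or the author's scripts: a single forward awk pass that keeps entries at or after a cutoff timestamp and prints the same rp/l/u line, with no tac in the pipeline. The function names, the sample entries and the audit line layout (field 1 = UTC timestamp, field 4 = relying party, field 9 = principal) are assumptions; check them against your own idp-audit.log.

```shell
#!/bin/sh
# Added example; idp_window_stats, idp_last_5min and sample_audit_log are
# hypothetical names, not files from cacti-shibboleth-idp-stats.tgz.
# Assumed IdP 2.x audit line layout (pipe-separated):
#   field 1 = event time as YYYYMMDDTHHMMSSZ (UTC)
#   field 4 = relying party entityID, field 9 = principal name

# idp_window_stats FILE CUTOFF   (FILE may be "-" for stdin)
# One forward pass; prints unique relying parties, logins and unique users
# for entries stamped at or after CUTOFF, in the "rp:N l:N u:N" form.
idp_window_stats() {
    awk -F'|' -v cutoff="$2" '
        # Skip anything that does not start with a well-formed timestamp.
        $1 !~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z$/ { next }
        # Fixed-width timestamps order correctly as strings.
        ($1 "") < (cutoff "") { next }
        # Count only entries that name both a relying party and a user.
        $4 == "" || $9 == "" { next }
        {
            logins++
            if (!($4 in rp)) { rp[$4] = 1; nrp++ }
            if (!($9 in users)) { users[$9] = 1; nusers++ }
        }
        END { printf "rp:%d l:%d u:%d\n", nrp, logins, nusers }
    ' "$1"
}

# Last five minutes of a live log (GNU date assumed for -d).
idp_last_5min() {
    idp_window_stats "$1" "$(date -u -d '5 minutes ago' +%Y%m%dT%H%M%SZ)"
}

# Constructed sample entries, not taken from a real IdP.
sample_audit_log() {
    cat <<'EOF'
20120510T100100Z|b||https://sp1.example.org/shibboleth|p|https://idp.example.org/idp/shibboleth|rb|_r1|alice|pw|uid||_a1,|
20120510T101200Z|b||https://sp1.example.org/shibboleth|p|https://idp.example.org/idp/shibboleth|rb|_r2|alice|pw|uid||_a2,|
20120510T101300Z|b||https://sp1.example.org/shibboleth|p|https://idp.example.org/idp/shibboleth|rb|_r3|alice|pw|uid||_a3,|
20120510T101400Z|b||https://sp2.example.org/shibboleth|p|https://idp.example.org/idp/shibboleth|rb|_r4|bob|pw|uid||_a4,|
-- log rotated --
20120510T101430Z|b||https://sp2.example.org/shibboleth|p|https://idp.example.org/idp/shibboleth|rb|_r5||||||
EOF
}

# Demo on the constructed sample with a fixed cutoff: prints rp:2 l:3 u:2
sample_audit_log | idp_window_stats - 20120510T101000Z
```

On the IDP server, idp_last_5min /opt/shibboleth-idp/logs/idp-audit.log would produce the line that snmpd's extend entry returns.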





