idp audit log
- type: user_template_graph
- usertemplate: idp_audit_log
- description: Shibboleth IDP audit log
- Cacti: 0.8.7g
- date: 2012-05-10
- email: jehan.procacciaATint-evry.fr
- includes: yes
- script: Bash Script
- templates: idp shibboleth
Download
Version | File |
---|---|
0.8.7g | cacti-shibboleth-idp-stats.tgz |
Introduction
This template is based on the IdP Audit Log Analysis Tool, the loganalysis.py script from Shibboleth 2.X: https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+Audit+Log+Analysis+Tool This script parses the idp-audit.log and outputs text-formatted stats for the whole audit log file. A slight modification has been added here (option -t) in order to get rrdtool-formatted output. In order to get 5-minute period stats for Cacti, I prefix that script with a tac (cat in reverse!) on the log plus an awk parser to get only the log entries timestamped from now to 5 minutes ago.
Installation
- Copy loganalysis.py, parselog.awk and runidpstats.sh to /usr/local/bin on the IDP server
- Enable SNMP execution of the script on the IDP server: in snmpd.conf add
extend runidpstats.sh /usr/local/bin/runidpstats.sh
- Copy shibboleth-idp-stats.sh to the scripts directory on the Cacti server ($CACTI_HOME/scripts/)
and replace the -c “your_community_string” in it with your SNMP community string:
snmpwalk -v 2c -Ovq -c your_community_string $1 nsExtendOutputFull | grep -e rp
- From the Cacti web console, import the 2 template files (cacti_*.xml) into Cacti by using the
“Import Templates” function in the console menu.
Usage
- Select your host from the device menu
- Select “Create Graphs for this Host”
- In the “Graph Templates” Box, choose “Shibboleth-idp-stats-gt” in the create drop down menu
- Wait 10 min to get your graph up and running
Debug
1) First check locally on the IDP that logs are collected for the last 5 min by running the script
# /usr/local/bin/runidpstats.sh
rp:1 l:3 u:1
or by sequentially running the content of the script
# /usr/bin/tac /opt/shibboleth-idp/logs/idp-audit.log | awk -f /usr/local/bin/parselog.awk | /usr/local/bin/loganalysis.py -t -
rp:1 l:3 u:1
You can also check the original use of loganalysis.py by running it with its more standard output
# cat /opt/shibboleth-idp/logs/idp-audit.log | /usr/local/bin/loganalysis.py -cul -
1 unique relying party
1 unique userid
4 logins
2) Check that the Cacti server can access the values via SNMP
# snmpwalk -v 2c -Ovq -c your_community_string idphost.domain.tl nsExtendOutputFull
rp:1 l:3 u:1
or for a full OID output
# snmpwalk -v 2c -On -c your_community_string idphost.domain.tl nsExtendOutputFull
.1.3.6.1.4.1.8072.1.3.2.3.1.2.14.114.117.110.105.100.112.115.116.97.116.115.46.115.104
Caveats
On my IDP server, whenever the idp-audit.log gets bigger (above 100 lines, which happens often!), there is a problem with /usr/bin/tac that breaks something
# snmpwalk -v 2c -Ovq -c your_community_string idphost.domain.tl nsExtendOutputFull
/usr/bin/tac: write error: Broken pipe
rp:1 l:1 u:1
That's why the Cacti script pipes the output to a “grep -e rp” in order to get only the 2nd line of the snmpwalk output
snmpwalk -v 2c -Ovq -c your_community_string $1 nsExtendOutputFull | grep -e rp
Surely, that “hack” to get only the last 5 min of the idp-audit.log is not the best thing to do, but it does the job!
Any contribution on that point will be greatly appreciated.
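One way to take the 5-minute window without tac, as an added example that is not part of the original template or of loganalysis.py: a single awk pass over the log, so no process writes into a pipe that closes early. It assumes the IdP 2.x audit line layout ('|'-separated, field 1 a UTC timestamp such as 20120510T143012Z, field 4 the relying party, field 9 the user) and counts every line in the window as one login; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the template): windowed stats in one awk pass.
# Assumed audit line layout, '|'-separated:
#   $1 = UTC event time YYYYMMDDTHHMMSSZ, $4 = relying party, $9 = user

# audit_window_stats LOGFILE CUTOFF  -> prints "rp:N l:N u:N"
audit_window_stats() {
    logfile=$1
    cutoff=$2
    # Missing or unreadable log: still hand the poller a well-formed value.
    [ -r "$logfile" ] || { echo "rp:0 l:0 u:0"; return 0; }
    awk -F'|' -v cutoff="$cutoff" '
        # Skip truncated or foreign lines that do not start with a timestamp.
        length($1) != 16 || $1 !~ /^[0-9]+T[0-9]+Z$/ { next }
        # Fixed-width timestamps sort lexically: a string compare is enough.
        ($1 "") < (cutoff "") { next }
        {
            logins++                      # assumption: one line = one login
            if ($4 != "" && !($4 in rp))  { rp[$4] = 1; nrp++ }
            if ($9 != "" && !($9 in usr)) { usr[$9] = 1; nusr++ }
        }
        END { printf "rp:%d l:%d u:%d\n", nrp, logins, nusr }
    ' "$logfile"
}

# Cutoff for "5 minutes ago" in the log's timestamp format (GNU date syntax).
last_5min_cutoff() {
    date -u -d '5 minutes ago' +%Y%m%dT%H%M%SZ
}

# Constructed sample log for trying the function offline.
write_sample_log() {
    cat > "$1" <<'EOF'
20120510T142900Z|bind||https://sp1.example.org/sp|prof|idp|bind|_r1|alice|pw|uid,||_a1,|
20120510T143010Z|bind||https://sp1.example.org/sp|prof|idp|bind|_r2|alice|pw|uid,||_a2,|
20120510T143100Z|bind||https://sp2.example.org/sp|prof|idp|bind|_r3|alice|pw|uid,||_a3,|
this line is not an audit record
20120510T143200Z|bind||https://sp1.example.org/sp|prof|idp|bind|_r4|bob|pw|uid,||_a4,|
EOF
}

# On the IdP host:
#   audit_window_stats /opt/shibboleth-idp/logs/idp-audit.log "$(last_5min_cutoff)"
```

Because the output is a single line with nothing on stderr, the “grep -e rp” filter on the Cacti side has no error line left to strip.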