Audit logs for scim requests WSO2 IDP - wso2

I want to log the scim requests (success, failure) that are coming to the wso2/idp server. I followed the [https://docs.wso2.com/display/IS530/Logging+Claims+in+Audit+Logs] but the repository\logs\audit.log still does not contain any extra records except for a single line for the day:
'admin#carbon.super [-1234]' logged in at [2019-09-17 10:45:23 ......
I also added the following to the identity.xml in the hope of something getting logged:
http://wso2.org/claims/username
http://wso2.org/claims/userid
http://wso2.org/claims/country
http://wso2.org/claims/fullname
http://wso2.org/claims/identity/failedLoginAttempts
http://wso2.org/claims/displayName
But still, no scim requests are getting logged. My scim requests are all working without any issues, except for the logging.
curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215

For your use case, I think you need to log the user operations that are coming in to Identity Server. You can do it by writing a user operation event listener: you have to extend the org.wso2.carbon.user.core.common.AbstractUserOperationEventListener class and override the methods you need to add functionality. You can override all methods of the class and simply add audit logs for them to identify the user and the particular operation he is performing. The audit logs are printed in SERVER_HOME/repository/logs/audit.log file.
Please refer to the following for more details:
http://www.securityinternal.com/2016/08/user-operation-event-listener-in-wso2.html
http://www.securityinternal.com/2016/08/writing-user-operation-event-listener.html
https://github.com/thariyarox/sample-user-operation-event-listener-print-audit-logs
https://medium.com/#inthiraj1994/user-operation-event-listener-for-wso2-server-8ce4765b8c95
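The listener the answer describes, written out as an added example (it is not code from the answer, from the linked repositories, or from WSO2). The package name, class name, execution order id 9000, the record format, and the OSGi registration line in the note below are assumptions; the base class, the `doPost*` signatures, `CarbonConstants.AUDIT_LOG` and `CarbonContext.getThreadLocalCarbonContext().getUsername()` are the Carbon 4.x APIs. Because SCIM `/Users` requests end up in the `UserStoreManager`, every SCIM-triggered create, claim update, delete and authentication passes through these hooks. The credential argument is deliberately never logged, and only claim names (not values) are recorded.

```java
package org.example.wso2.audit; // hypothetical package, not a WSO2 module

import java.util.Map;

import org.apache.commons.logging.Log;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.common.AbstractUserOperationEventListener;

/**
 * Writes one audit record per user-store operation (SCIM calls included).
 * Must be registered as an OSGi service of type UserOperationEventListener.
 */
public class UserOperationAuditListener extends AbstractUserOperationEventListener {

    // Logger named "AUDIT_LOG": the stock log4j config routes it to repository/logs/audit.log
    private static final Log AUDIT = CarbonConstants.AUDIT_LOG;

    @Override
    public int getExecutionOrderId() {
        // Assumed value: higher than the built-in listeners so this runs after them
        return 9000;
    }

    // Common record: who did it, what, to whom, in which tenant, with what outcome
    private void audit(String action, String target, UserStoreManager usm, String outcome) {
        String initiator = CarbonContext.getThreadLocalCarbonContext().getUsername();
        int tenantId;
        try {
            tenantId = usm.getTenantId();
        } catch (UserStoreException e) {
            tenantId = -1; // unknown tenant; still record the event
        }
        AUDIT.info(String.format("Initiator=%s Action=%s Target=%s TenantId=%d Outcome=%s",
                initiator == null ? "<anonymous>" : initiator, action, target, tenantId, outcome));
    }

    @Override
    public boolean doPostAddUser(String userName, Object credential, String[] roleList,
                                 Map<String, String> claims, String profile,
                                 UserStoreManager userStoreManager) throws UserStoreException {
        // The credential is never written out; claim names are logged, claim values are not
        String claimNames = claims == null ? "[]" : claims.keySet().toString();
        audit("AddUser", userName + " claims=" + claimNames, userStoreManager, "Success");
        return true; // returning false would stop the remaining listeners
    }

    @Override
    public boolean doPostSetUserClaimValues(String userName, Map<String, String> claims,
                                            String profileName, UserStoreManager userStoreManager)
            throws UserStoreException {
        String claimNames = claims == null ? "[]" : claims.keySet().toString();
        audit("SetUserClaimValues", userName + " claims=" + claimNames, userStoreManager, "Success");
        return true;
    }

    @Override
    public boolean doPostDeleteUser(String userName, UserStoreManager userStoreManager)
            throws UserStoreException {
        audit("DeleteUser", userName, userStoreManager, "Success");
        return true;
    }

    @Override
    public boolean doPostAuthenticate(String userName, boolean authenticated,
                                      UserStoreManager userStoreManager) throws UserStoreException {
        audit("Authenticate", userName, userStoreManager, authenticated ? "Success" : "Failure");
        return true;
    }
}
```

The class has to be registered from a bundle's service component, for example `bundleContext.registerService(UserOperationEventListener.class.getName(), new UserOperationAuditListener(), null);` in its activate method, and the jar dropped into `repository/components/dropins`. Two caveats worth knowing before relying on this for audit: the `doPost*` hooks only run when the user-store operation succeeded, so a SCIM request that fails inside the user store (or is rejected before reaching it, e.g. for authorization) does not produce a record from this listener, and `doPostAuthenticate` is the only hook that reports a failure outcome.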

If your requirement is to get the scim logs to audit log file add the following config to
{IS-HOME}/repository/conf/log4j.properties
log4j.logger.org.wso2.carbon.identity.scim=DEBUG
edit the threshold value of Appender config to AUDIT_LOGFILE
log4j.appender.AUDIT_LOGFILE=org.wso2.carbon.utils.logging.appenders.CarbonDailyRollingFileAppender
log4j.appender.AUDIT_LOGFILE.File=${carbon.home}/repository/logs/audit.log
log4j.appender.AUDIT_LOGFILE.Append=true
log4j.appender.AUDIT_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
log4j.appender.AUDIT_LOGFILE.layout.ConversionPattern=[%d] %P%5p {%c}- %x %m %n
log4j.appender.AUDIT_LOGFILE.layout.TenantPattern=%U%#%D [%T] [%S]
log4j.appender.AUDIT_LOGFILE.threshold=DEBUG
log4j.additivity.AUDIT_LOG=false

Related

Why am I getting "uri:/carbon/admin/login.jsp, error:required token is missing from the request" when trying to log into WSO2 APIM?

I configured my cluster in AWS for WSO2 API Manager, with load balancers for each section: The store, the publisher, the gateway managers and the gateway workers.
However, when I try to log into the Store, the Publisher or Carbon, with the correct username and password, I get the following error in the logs:
ARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted
(user:<anonymous>, ip:10.0.1.125, method:HEAD, uri:/carbon/admin/login.jsp,
error:required token is missing from the request)
That's all the information the log gives me, and I know for sure the user/pass is correct. Why can't I log in?
I only posted this question to share the answer, because I couldn't find anything about it on Google.
My problem was that the load balancer was configured to distribute the requests evenly among its instances. So, when I tried to log in, the request was always sent to a different node, which by definition is a CSRF attack.
As soon as I allowed those requests to be sticky, so a login request from a node goes to itself, the login works.

Custom Logging Request & Response in WSO2 API Manager

I understand that WSO2 API Manager provides features to configure logging/tracing of incoming request.
Is there a way to generate custom logs, which captures the following :-
URL of the services invoked.
Request parameters - JSON.
Time of the request.
We only intend to make a record of all the request made to our services. Please help.
Following are two options you can use:
Add log mediator to log message. You can create a custom sequence and deploy that mediator. Logs will be in wso2carbon.log
Read the http_access logs. Http access logs are written in /repository/logs location. It contains the request, access time, etc.
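The first option (a custom sequence carrying a log mediator) spelled out as a Synapse configuration. This is an added example, not configuration from the answer or from WSO2; the sequence name `request_audit_log` and the property labels are assumptions, while `get-property`, the `axis2` scope and `json-eval` are standard Synapse expressions. Deploy it as the in-sequence of the API, and the three fields the question asks for appear as one custom-level line per request in wso2carbon.log.

```xml
<!-- Hypothetical sequence: attach as the "in" sequence of the API
     (Publisher > Manage > Message Mediation Policies, or save under
     <APIM_HOME>/repository/deployment/server/synapse-configs/default/sequences/) -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="request_audit_log">
    <log level="custom">
        <!-- URL of the service invoked, as resolved by the gateway -->
        <property name="SERVICE_URL" expression="get-property('To')"/>
        <!-- REST sub-path and HTTP verb, from the transport (axis2) scope -->
        <property name="REST_SUBPATH" expression="get-property('axis2', 'REST_URL_POSTFIX')"/>
        <property name="HTTP_METHOD" expression="get-property('axis2', 'HTTP_METHOD')"/>
        <!-- Time of the request, taken from the gateway clock -->
        <property name="REQUEST_TIME" expression="get-property('SYSTEM_DATE')"/>
        <!-- Complete JSON request body; see the note below before keeping this line -->
        <property name="REQUEST_JSON" expression="json-eval($.)"/>
    </log>
</sequence>
```

The `REQUEST_JSON` property copies whatever the caller sent, so passwords, tokens or personal data in request bodies land in wso2carbon.log in clear text and inherit its retention and access controls; log only the fields actually needed (a `json-eval($.orderId)`-style selector) or drop that line if the body is sensitive. `json-eval` also forces the message to be built in memory, which matters for large payloads.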

wso2 api manager clustering

I am trying to set up a cluster for WSO2 api manager and I am following https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
I am using separate VMs for each of the components, and currently in my setup I am able to
Publish an api using the publisher which gets published in the Gateway (Visible in the log)
Subscribe to this API from the store and generate keys
However when I am trying to access this api using the generated key I get the following response
<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode xmlns:axis2ns2="http://schemas.xmlsoap.org/soap/envelope/">axis2ns2:Client</faultcode>
<faultstring>Authentication Failure</faultstring>
<detail>Error while accessing backend services for API key validation</detail>
</soapenv:Fault>
In the gateway logs I can see only the below line. There is no further details in the logs
TID: [-1234] [] [2016-02-02 16:55:58,288] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
Please help me to resolve this issue.
That sounds like an issue with your API - API Manager doesn't actually "authenticate anything" unless you are using Identity Server; see here for the difference between authentication and authorization (what WSO2 does through OAuth). Please try an API that is known to work, such as http://petstore.swagger.io/, and report back the error.
This can happen due to many reasons. Please check some of the reasons below:
Key Manager's public certificate isn't properly imported in the <GATEWAY_HOME>/repository/resources/security/client-truststore.jks
Open the api-manager.xml file of the gateway and key manager nodes and change the <KeyValidatorClientType> to WSClient as below (default value is ThriftClient).
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
The reason for this could be a result of misconfiguration between nodes. First you can double check the configurations (especially keyvalidator related configurations).
If you could not find any issue there, then you can enable debug logs and get some idea about the issue
Add the following entries in repository/conf/log4j.properties in the gateway node:
log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security=DEBUG
Add the following entries in repository/conf/log4j.properties in the key manager node:
log4j.logger.org.wso2.carbon.apimgt.keymgt=DEBUG
You might be able to find the issue by analyzing the logs

WSO2 Identity Server SCIM Authorization issue

Having WSO2 IS 5.0.0.SP1 backed by PostgreSQL there is another application reading user information using the SCIM service (filter=userNameEq...)
All works, but after a certain time the service returns a "User is not authorized.." response with a single ERROR level log line. From that moment all subsequent calls fail with "404 User is not authorized". Even when I log in using the admin account I have no access rights. This state lasts for a few minutes and then all seems to work again.
We traced the response message to the SCIM service implementation where the authorization is checked. However we are unable to find the root cause of the issue (suspecting some exception is quietly dropped, cache cleanup cleans more than it should, ...)
Any hint / idea is appreciated.
Carpe diem
Gabriel
This seems to be an authorization issue. If, after 3 failed login attempts, the user is locked for 0 minutes (most users use 05 minutes). This is the default setting of a fresh WSO2 IS pack. After the configured lock time the user is unlocked. Then the user can log in with valid credentials. If you need, you can change the login attempts and locked time. Please check the [IS_HOME]/repository/conf/security/identity-mgt.properties file. It has all the configuration.
Issue is resolved (or - reason is identified in another system). In the AD tree one of the domain controllers is external (cloud) and unable to authenticate the technical (wso2) datastore user. When the AD node hostname is resolved to the cloud node, then ldapsearch is unable to return any groups from a sub-domain of the cloud based domain controller (interesting - it doesn't fail).

WSO2IS Illegal access attempt WARNING

I have deployed two WSO2IS servers in a cluster; the deployment seems to be working fine as the answers to the requests made are consistent and all the policy stuff is working.
But I get the same error for every request I make, and I'm unable to find out its real meaning: whether this is normal behaviour or, on the contrary, there is something wrong I'm missing.
As you can see, first I get the "WARNING: Illegal access attempt.." followed by a successful login with the default user (admin)...
[2014-04-14 12:57:36,293] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2014-04-14 12:57:36,0292]
from IP address 10.6.10.11 while trying to authenticate access to service EntitlementService
[2014-04-14 12:57:36,423] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2014-04-14 12:57:36,423+0200]
I would appreciate your help,
Thanks in advance,
Jorge.
You are accessing the "EntitlementService", which is an admin service. Therefore you need to authenticate to access this service. Basically you need to send user/password in a basic authentication header. In basic authentication, the client normally sends the basic headers only when the server gives an unauthorized response. This is why you would see the above Illegal access attempt log every time, and after the client sends the header, the user is authenticated. But you can avoid it by using Preemptive Authentication mode with basic authentication. If you are using an HttpClient library to send the request, you can enable it. Please refer to this
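The preemptive mode the answer recommends, as an added example for Apache HttpClient 4.x (not code from the answer or from WSO2). The package and class names are assumptions; the admin service path `/services/EntitlementService` is the conventional Carbon admin-service location and is also assumed here. Pre-filling the `AuthCache` makes the client send the `Authorization` header on its first request, so the server never logs the unauthenticated first attempt that produces the "Illegal access attempt" warning.

```java
package org.example.wso2.client; // hypothetical package

import java.io.IOException;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Calls a Carbon admin service with preemptive HTTP Basic authentication. */
public class PreemptiveAdminServiceClient {

    // Assumed admin-service path; adjust if the service is hosted elsewhere
    private static final String ENTITLEMENT_SERVICE = "/services/EntitlementService";

    public static int callEntitlementService(String host, int port, String user,
                                             String password, String soapBody) throws IOException {
        HttpHost target = new HttpHost(host, port, "https");

        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(target), new UsernamePasswordCredentials(user, password));

        // Seeding the auth cache for the target host is what makes HttpClient
        // attach the Basic header up front instead of waiting for a 401 challenge.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(target, new BasicScheme());

        HttpClientContext ctx = HttpClientContext.create();
        ctx.setCredentialsProvider(creds);
        ctx.setAuthCache(authCache);

        HttpPost post = new HttpPost(ENTITLEMENT_SERVICE);
        post.setEntity(new StringEntity(soapBody, ContentType.TEXT_XML));

        // Default client: TLS validation stays on, so the server certificate must be
        // in the JVM truststore (import it rather than disabling hostname/cert checks).
        try (CloseableHttpClient client = HttpClients.createDefault();
             CloseableHttpResponse resp = client.execute(target, post, ctx)) {
            return resp.getStatusLine().getStatusCode();
        }
    }
}
```

With the cache in place the very first request carries the header, so a correctly authenticating client produces only the `logged in at` line; any remaining "Illegal access attempt" entries then point at clients that really are unauthenticated, which makes the warning useful as a signal again.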