syslog format changed after upgrade to 12.8

Article ID: 195330

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

 

We're running a Policy Server on Linux, and it sends logs to the syslog
service in this format:

  Siteminder: AuthAccept ps.training.com [08/Jul/2020:12:48:14 +0200]
  "192.168.1.111 uid=jsmith,dc=training,dc=com" "mywa.mydomain-abc.com
  GET /home/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]
  [] []

This has happened since we upgraded Policy Server from 12.52SP1 to 12.8. In
Policy Server 12.52SP1, the logs had this format instead:

  Siteminder: [Auth][AuthAccept][][ps.training.com][06/Jul/2020:10:02:59
  +0200][mywa.mydomain-abc.com][rt2ps3q0JaPbymGud7aW71baNUk=][uid=jsmith,dc=training,dc=com]
  [03-000b92e6-11e7-1ef2-9582-0165c0a80000][home][06-000eb2a9-1201-1ef2-9582-0165c0a80000]
  [192.168.1.111][/home/index.html?SMSESSION=data_supressed][GET][jsmith][192.168.1.101:389]
  [LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][home][][][][][][][][][][06/Jul/2020:10:03:02 +0200]
  [06/Jul/2020:10:03:02 +0200][06/Jul/2020:10:03:02 +0200][06/Jul/2020:10:03:02 +0200]
  [][][][][][BASIC][0][][]

We'd like to know how to get the same log format in Policy Server
12.8. How can we do it?

 

Environment

 

Policy Server 12.8SP3 on RedHat 7

 

Resolution

 

At first glance, the format of the smaccess log is driven by a Policy
Server registry key. According to the documentation:

  Enhanced Auditing

    Enable Enhance Tracing

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/administrating/enhanced-auditing.html

With a value of 0, you'll get this log line:

  AuthAccept ps.training.com [08/Jul/2020:12:48:14 +0200]
  "192.168.1.111 uid=jsmith,dc=training,dc=com" "mywa.mydomain-abc.com
  GET /home/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]
  [] []

With a value of 4, you'll get this log line:

  [Auth][AuthAccept][][ps.training.com][06/Jul/2020:10:02:59
  +0200][mywa.mydomain-abc.com][rt2ps3q0JaPbymGud7aW71baNUk=][uid=jsmith,dc=training,dc=com]
  [03-000b92e6-11e7-1ef2-9582-0165c0a80000][home][06-000eb2a9-1201-1ef2-9582-0165c0a80000]
  [192.168.1.111][/home/index.html?SMSESSION=data_supressed][GET][jsmith][192.168.1.101:389]
  [LDAP:][idletime=3600;maxtime=7200;authlevel=5;][][home][][][][][][][][][][06/Jul/2020:10:03:02
  +0200] [06/Jul/2020:10:03:02 +0200][06/Jul/2020:10:03:02
  +0200][06/Jul/2020:10:03:02 +0200] [][][][][][BASIC][0][][]
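
Because the registry value changes the line layout, anything that consumes these syslog records (a SIEM parser, an alerting rule) has to recognize both layouts until every Policy Server uses the same setting. The following is an added example, not Broadcom code: a Python parser that normalizes both formats to the same fields. The field names are this example's own labels, and the positions in the bracketed format are inferred by matching values across the two samples above, not taken from the product documentation.

```python
import re

# Field names are this example's own labels; positions in the bracketed
# format were inferred by matching values across the two samples on the page.
ENHANCED_POS = {"event": 1, "server": 3, "time": 4, "agent": 5,
                "user_dn": 7, "client_ip": 11, "resource": 12, "method": 13}

SHORT_RE = re.compile(
    r'^(?P<event>\S+) (?P<server>\S+) \[(?P<time>[^\]]*)\] '
    r'"(?P<client_ip>\S+) (?P<user_dn>[^"]*)" '
    r'"(?P<agent>\S+) (?P<method>\S+) (?P<resource>[^"]*)"')

def parse_smaccess(line):
    """Return a dict of common fields from either smaccess syslog format, or None."""
    msg = re.sub(r'^Siteminder:\s*', '', line.strip())
    if msg.startswith('['):
        fields = re.findall(r'\[([^\]]*)\]', msg)
        if len(fields) <= max(ENHANCED_POS.values()):
            return None  # truncated or unexpected record
        rec = {name: fields[i] for name, i in ENHANCED_POS.items()}
        rec["format"] = "enhanced"
    else:
        m = SHORT_RE.match(msg)
        if not m:
            return None
        rec = m.groupdict()
        rec["format"] = "short"
    # Drop the query string so both formats yield a comparable resource path.
    rec["resource"] = rec["resource"].split('?', 1)[0]
    return rec

# Samples from the page, unwrapped onto one line each (enhanced one shortened).
SHORT_SAMPLE = ('Siteminder: AuthAccept ps.training.com [08/Jul/2020:12:48:14 +0200] '
    '"192.168.1.111 uid=jsmith,dc=training,dc=com" "mywa.mydomain-abc.com GET /home/index.html" '
    '[idletime=3600;maxtime=7200;authlevel=5;] [0] [] []')
ENHANCED_SAMPLE = ('Siteminder: [Auth][AuthAccept][][ps.training.com][06/Jul/2020:10:02:59 +0200]'
    '[mywa.mydomain-abc.com][rt2ps3q0JaPbymGud7aW71baNUk=][uid=jsmith,dc=training,dc=com]'
    '[03-000b92e6-11e7-1ef2-9582-0165c0a80000][home][06-000eb2a9-1201-1ef2-9582-0165c0a80000]'
    '[192.168.1.111][/home/index.html?SMSESSION=data_supressed][GET][jsmith][192.168.1.101:389]')

if __name__ == "__main__":
    for sample in (SHORT_SAMPLE, ENHANCED_SAMPLE):
        print(parse_smaccess(sample))
```

The bracket splitter assumes no field value contains a `]` character; records that fail to parse return `None` so they can be counted and reviewed rather than silently dropped.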