
Info

Paths and file names below assume a default installation location (/opt/shibboleth-idp) and an unchanged logging (logback) configuration. You might prefer to adjust your logging config and/or make /opt/shibboleth-idp/logs a symbolic link to another file system/volume. You might also want to remove the "idp-" prefix from all the {process,warn,audit,consent-audit} log files, since they'll likely end up in one IDP-specific logging directory anyway (and having all files start with the same prefix isn't overly useful). But again, the examples below can't match local deployment decisions and so have been written to match a default IDP installation's behaviour. Adjust as needed.



Who and how am I?

What IDP version is currently installed

    $ /opt/shibboleth-idp/bin/version.sh
    3.4.6

What does the IDP think of its own state?

    /opt/shibboleth-idp/bin/status.sh

Applying updates

See IDP 3 Updates for detailed instructions.

What's happening right now?

Watch IDP and web server logs

    multitail -f /opt/shibboleth-idp/logs/idp-process.log /var/log/tomcat8/access.log

Search for IDP warnings and errors

    egrep 'WARN|ERROR' /opt/shibboleth-idp/logs/idp-process.log

Tomcat STDOUT/STDERR (formerly catalina.out)

    journalctl -u tomcat8.service -e -f

Tail all relevant logs at once

    multitail -f /opt/shibboleth-idp/logs/idp-process.log /var/log/tomcat8/access.log -l 'journalctl -u tomcat8.service -f'

Who logged in and where, with what attributes sent?

Audit log

    multitail -f /opt/shibboleth-idp/logs/idp-audit.log

Audit events for a given UserID

    fgrep '|someuser99|' /opt/shibboleth-idp/logs/idp-audit.log

What attributes and NameIDs would be going out for person X to service Y?

    /opt/shibboleth-idp/bin/aacli.sh --saml2 -n someuser99 -r https://test-sp.aco.net/shibboleth

Failed logins in Jan 2019

    zgrep ' failed$' /opt/shibboleth-idp/logs/idp-process.log.201901*

Successful logins today

    fgrep succeeded /opt/shibboleth-idp/logs/idp-process.log

Client IP address (of the HTTP user agent) in audit and access log

    fgrep 192.168.1.99 /opt/shibboleth-idp/logs/idp-audit.log /var/log/tomcat8/access.log

Statistics

ACOnet has contributed a log analysis tool for parsing the Shibboleth IDP's audit logs. For the current day use /opt/shibboleth-idp/logs/idp-audit.log; for earlier days use the rotated, gzipped files (idp-audit.log.YYYYMMDD.gz) as in the examples below.

Basic statistics for a given day

    loganalysis.py -culn /opt/shibboleth-idp/logs/idp-audit.log.20190123.gz
    2 unique relying parties
    10 unique userids
    25 logins

    logins   | relyingPartyId
    -------------------------
    14       | https://sp.example.org/saml
    11       | https://wiki.example.edu/shibboleth

Can be done for whole months or even years

    loganalysis.py -cul /opt/shibboleth-idp/logs/idp-audit.log.201812*
    21 unique relying parties
    15 unique userids
    406 logins
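The figures loganalysis.py prints (unique relying parties, unique userids, logins per relying party) can be reproduced from the pipe-delimited audit log with a short script. The one below is an added example and not ACOnet's tool; it assumes the field layout given in FIELD_LAYOUT (your idp.audit.format will differ, so adjust the token string), runs on constructed sample records, skips malformed and user-less lines, and reads gzipped rotations directly.

```python
import gzip
from collections import Counter

# Assumed audit field layout (IdP %-token notation); adjust to match the
# idp.audit.format / audit.xml setting of your own deployment.
FIELD_LAYOUT = "%T|%SP|%u|%attr|%a"
FIELDS = FIELD_LAYOUT.split("|")

# Constructed sample records (not real data) in that layout, including one
# malformed line and one user-less record that a real log may also contain.
SAMPLE_AUDIT = """\
20190123T081502Z|https://sp.example.org/saml|someuser99|uid,mail|192.168.1.99
20190123T081633Z|https://wiki.example.edu/shibboleth|someuser99|uid|192.168.1.99
20190123T092010Z|https://sp.example.org/saml|alice|uid,mail|10.0.0.7
this line is malformed
20190123T101944Z|https://sp.example.org/saml||uid|10.0.0.8
"""

def parse_record(line):
    """Split one audit line into a dict keyed by layout token; None if malformed."""
    parts = line.rstrip("\n").split("|")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def summarize(lines):
    """Per-RP login counts and unique RP/user totals, as loganalysis.py reports."""
    per_rp, users, skipped = Counter(), set(), 0
    for line in lines:
        rec = parse_record(line)
        if rec is None or not rec["%u"]:  # skip garbage and user-less records
            skipped += 1
            continue
        per_rp[rec["%SP"]] += 1
        users.add(rec["%u"])
    return {"unique_relying_parties": len(per_rp), "unique_userids": len(users),
            "logins": sum(per_rp.values()), "per_rp": per_rp, "skipped": skipped}

def summarize_file(path):
    """Read a live log or a gzip-rotated one (idp-audit.log.YYYYMMDD.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return summarize(fh)

if __name__ == "__main__":
    stats = summarize(SAMPLE_AUDIT.splitlines())
    for key in ("unique_relying_parties", "unique_userids", "logins"):
        print(stats[key], key.replace("_", " "))
    for rp, n in stats["per_rp"].most_common():
        print(f"{n:<8} | {rp}")
```

Point summarize_file() at a rotated file to get the same numbers for a real day, and glob several files in a loop to cover a month.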

Debugging

Log SAML messages on DEBUG

    $EDITOR /opt/shibboleth-idp/conf/logback.xml  # Set <logger name="PROTOCOL_MESSAGE" level="DEBUG"/> and save
    /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.LoggingService

Make sure to undo this after you're done to avoid filling up file systems/volumes/disks with unnecessary DEBUG messages.

Locally managed Service Provider Metadata (non-eduID.at)

See our IDP 3 Metadata configuration documentation.