Previous Topic: Configure an FCC Template for an Information Card Authentication SchemeNext Topic: Configure Logs


Track User Activities

This section contains the following topics:

Track User Activities or Application Usage with Auditing

Record the Transaction ID in Oracle iPlanet Web Server Logs

Record the Transaction ID in Apache Web Server Logs

Record the User Name and Transaction ID in IIS Server Logs

Track User Activities or Application Usage with Auditing

You can you can measure how often applications on your web site are used, or track user activities with auditing. Auditing is controlled with the following parameter:

EnableAuditing

Specifies whether the Web Agent logs all successful authorizations that are stored in the user session cache. When enabled, user authorizations are logged even when the Web Agent uses information from its cache instead of contacting the Policy Server. Web Agents log user names and access information in native web server log files when users access resources.

Default: No

Both the Policy Server and Web Agent audit user activity. The Web Agent sends a message to the Accounting service each time a user is authorized from cache to access resources. This action ensures that the Accounting service is tracking successful authorizations for the Web Agent and the Policy Server. If the Web Agent cannot successfully send an audit message to the Accounting service for an authorization, access to the resource is denied. You can then run a SiteMinder activity report from the Administrative UI. The reports from the Policy Server show user activity for each SiteMinder session.

Note: For more information, see the Policy Server documentation.

To track user activity or application usage with auditing, set the value of the EnableAuditing parameter to yes.

Record the Transaction ID in Oracle iPlanet Web Server Logs

Valid on Solaris

The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:

You can track user activities for a given application using the transaction ID.

Note: For more information, see the Policy Server documentation.

The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with STATE=MA):

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1

If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.

Note: Web Agents log user names and access information in native web server log files when users access resources.

You can record the SiteMinder transaction ID in the Oracle iPlanet web server logs.

Follow these steps:

  1. Open the magnus.conf file.
  2. Add the following header variable to the existing list of HTTP server variables that you want to log when the web server initializes:
    %Req->headers.SM_TRANSACTIONID%"
    

    Note: Enter the header variable in uppercase unless the value of the LowerCaseHTTP parameter is set to yes in your Agent Configuration Object or local configuration file.

    The following example shows the SMTRANSACTIONID header variable in bold at the end of an existing entry. However, you can place it anywhere in the list of variables.

    Init fn="flex-init" access="D:/iPlanet/server4/https-orion/logs/access" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \" %Req->srvhdrs.clf-status% %Req-srvhdrs.content-length% %Req->headers.- SM_TRANSACTIONID%"
    
  3. Restart the Oracle iPlanet Server to apply the change.

    The transaction ID appears in the Oracle iPlanet web server logs. The following example shows a web server log entry with the transaction ID in bold:

    11.22.33.44 - user1 [21/Nov/2003:16:12:24 -0500] "GET /Anon/index.html HTTP/1.0" 200 748 3890b4b9-58f8-4a74df53-07f6-0002df88
    

More information:

Use Lower Case HTTP in Headers (for Oracle iPlanet, Apache, and Domino web servers)

Record the Transaction ID in Apache Web Server Logs

The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:

You can track user activities for a given application using the transaction ID.

Note: For more information, see the Policy Server documentation.

The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with STATE=MA):

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1

If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.

Note: Web Agents log user names and access information in native web server log files when users access resources.

You can record the SiteMinder transaction ID in the Apache web server logs SMTRANSACTIONID header variable.

Follow these steps:

  1. Open the httpd.conf file.
  2. Add the SM_TRANSACTIONID header variable to the LogFormat directive.

    For example:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SM_TRANSACTIONID}i\"" common
    

    Note: For more information about the httpd.conf file and the LogFormat directive, see your Apache web server documentation.

  3. Restart the server to apply the change.

    The transaction ID is recorded in the Apache web server logs.

Record the User Name and Transaction ID in IIS Server Logs

The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:

You can track user activities for a given application using the transaction ID.

Note: For more information, see the Policy Server documentation.

The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with STATE=MA):

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1

If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:

172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.

Note: Web Agents log user names and access information in native web server log files when users access resources.

Agents protecting resources on IIS servers do not record the SiteMinder transaction ID and authenticated user name in the IIS server logs by default. Because these agents can operate as ISAPI extensions (in Classic Pipeline mode), the server would have already logged a transaction. You can force the agent to add this information with the following parameters:

AppendIISServerLog

Instructs the agent to add the authenticated user name and SiteMinder transaction ID to the cs-uri-query field of the IIS server log. For URLs containing query strings, commas separate the query string, SiteMinder transaction ID, and username in the cs-uri-query field of the IIS server log.

Default: No

SetRemoteUser

Specifies a value for the REMOTE_USER HTTP header variable which legacy applications could possibly require.

Default: No

To record the transaction ID and user name in the IIS server log.

  1. Set the value of the AppendIISServerLog parameter to yes.
  2. Set the value of the SetRemoteUser parameter to yes.

    The user name and transaction ID appears in the IIS server logs.