NCSA CyberSecurity


Author: Kevin Price
Last Update: Nov 03, 2006

Introduction

By default, the Globus web services container logs only to the console and does not log the DNs of successful authorizations. This document describes how to enable logging to Syslog and logging of DNs.

Overview

All Globus logging goes through log4j, Apache's logging package. The behavior of logging for the container is controlled in the file $GLOBUS_LOCATION/container-log4j.properties.

Logging of DNs

Enabling logging of DNs is as simple as commenting out one line in the container-log4j.properties file. In the default file, you will see the following:

# Comment out the line below if you want to log every authorization
# decision the container makes.
log4j.category.org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain=WARN

Simply comment out the indicated line and DNs will be logged for every authorization.

Enabling Authorization Debugging

To see a lot of information about what is going on in the Globus authorization system, you can enable debugging for that system. This can be accomplished by adding the following lines to the container-log4j.properties file.

# The line below enables debugging of the authorization system;
# comment it out again to turn the debugging output off.
log4j.category.org.globus.wsrf.impl.security.authorization=DEBUG

Logging to Syslog

Logging to Syslog with log4j involves adding another appender to log4j and enabling network logging in syslogd. (Unfortunately, log4j does not currently support a mechanism for non-network logging using Syslog.)

Adding a Syslog appender

To add a Syslog appender, first edit the line:

log4j.rootCategory=ERROR, A1

So that it reads:

log4j.rootCategory=ERROR, A1, Syslog

Then add the following lines to the configuration file after the A1 appender configuration:

# Syslog is set to be a SyslogAppender.
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
# Syslog uses PatternLayout.
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=%-5p %c{2} [%t,%M:%L] %m%n
# Set Syslog properties.
log4j.appender.Syslog.SyslogHost=localhost
log4j.appender.Syslog.Facility=USER
log4j.appender.Syslog.FacilityPrinting=true
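As an added check, not part of this document or of the Globus distribution, the shell script below verifies that a container-log4j.properties file carries the three edits described above (the WARN line commented out, the Syslog appender defined and listed in rootCategory, and SyslogHost pointing at localhost). The two files it inspects are constructed samples written to a temporary directory; point the functions at $GLOBUS_LOCATION/container-log4j.properties to check a real container.

```shell
#!/bin/sh
# Two constructed sample files (not the Globus defaults): one edited as
# described above, one still at the default WARN setting and without a
# Syslog appender. Written to a temporary directory so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
EDITED_CONF="$SAMPLE_DIR/container-log4j.properties"
DEFAULT_CONF="$SAMPLE_DIR/container-log4j.properties.default"
cat > "$EDITED_CONF" <<'EOF'
log4j.rootCategory=ERROR, A1, Syslog
log4j.appender.A1=org.apache.log4j.ConsoleAppender
# Comment out the line below if you want to log every authorization
# decision the container makes.
#log4j.category.org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain=WARN
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.SyslogHost=localhost
log4j.appender.Syslog.Facility=USER
EOF
cat > "$DEFAULT_CONF" <<'EOF'
log4j.rootCategory=ERROR, A1
log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.category.org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain=WARN
EOF

# Succeeds when DN logging is enabled, i.e. no active (uncommented) line
# still pins ServiceAuthorizationChain to WARN.
dn_logging_enabled() {
  ! grep -Eq '^[[:space:]]*log4j\.category\.org\.globus\.wsrf\.impl\.security\.authorization\.ServiceAuthorizationChain=WARN' "$1"
}
# Succeeds when the Syslog appender is defined and listed in rootCategory.
syslog_appender_wired() {
  grep -Eq '^[[:space:]]*log4j\.rootCategory=.*[, ]Syslog([, ]|$)' "$1" &&
    grep -Eq '^[[:space:]]*log4j\.appender\.Syslog=org\.apache\.log4j\.net\.SyslogAppender' "$1"
}
# Succeeds when SyslogHost keeps messages on this machine.
syslog_host_is_local() {
  grep -Eq '^[[:space:]]*log4j\.appender\.Syslog\.SyslogHost=(localhost|127\.0\.0\.1)[[:space:]]*$' "$1"
}
# Print one line per check for a given properties file.
report() {
  for chk in dn_logging_enabled syslog_appender_wired syslog_host_is_local; do
    if "$chk" "$1"; then echo "$chk: ok"; else echo "$chk: MISSING"; fi
  done
}

echo "== edited file =="; report "$EDITED_CONF"
echo "== default file =="; report "$DEFAULT_CONF"
```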

Enabling network logging in syslogd

In order to enable network logging in syslogd, you must make certain it is invoked with the -r option. This option will tell syslogd to accept logging messages from the network.

Under most systems, this configuration can be found in /etc/sysconfig/syslog or in /etc/conf.d/syslog. The exact location may vary based on your system.

Firewalling the syslogd network port

As an added security measure, the syslogd network port can be firewalled so that other hosts cannot send log messages to this machine. Syslogd typically operates using port 514/udp. Exactly how to firewall this port depends on your machine.

Restarting the Container

Changes made to the log4j configuration do not take effect until the container is restarted. The restart procedure for your container may differ, but the standard restart procedure is:

cd $GLOBUS_LOCATION
bin/globus-stop-container
bin/globus-start-container