A logging we shall go

Today I have 2 quick tips for logging, one for Oracle WebGates with OAM and another for Convergence in Glassfish with OAM SSO.

 

If you use Oracle Access Manager and perhaps their Oracle Web Tier (webgate, etc) you may have found that the webgates (Oracle HTTP Server, aka Apache) don’t log usernames in the access logs if you are using SSO with OAM. This sort of sucks if you want to pull the webgate access logs in to a cool log program like Splunk. Well a quick way to fix this is make sure that you have the mod_log_config module loaded in your httpd.conf for the OHS server. Next either modify the common or combined CustomLog definition or create a new one where you replace the %u with a %{OAM_REMOTE_USER}i  (Or what ever you named your OAM User header variable.) What this will do is now log the OAM_REMOTE_USER header variable in the place of the %u (which is for http auth style usernames). The one caveat is it will only log that value if it exists. If it doesn’t exist it doesn’t get logged. So you may miss a couple of pages until the header is created, but everything after that should be logged.

 

The second tip is closely related to the first and is assuming that you are using a custom SSO module to single sign on a user in to the Convergence web mail application. When this happens, like the webgates, you won’t get a username field in the access logs (if you even have them enabled, as they aren’t by default.) To log the OAM_REMOTE_USER in Glassfish, go to the server and where the access logging is defined, add a %header.OAM_REMOTE_USER% in to the logging definition. It takes affect immediately and you don’t have to restart Glassfish.

 

I looked all over the interwebs for this, so hope this helps you out.