Logs

IdStory AM (CAS) produces textual logs. They are written to the /data/logs/cas/ directory and can also be forwarded off-machine.

This document explains some of the logged messages.

If you want to set up log forwarding, please see this howto.

Meaning of audit log messages

Audit logs are written into the same file as the general application log. To distinguish them, look for Slf4jLoggingAuditTrailManager as the name of the Java class that produced the line.

The key information is in the who, result, action, service and clientIpAddress fields. Note that the what field is itself a JSON document serialised into a string (hence the escaped quotes in the examples below); result, service and ticket identifiers live inside it.

To make the log easier to follow, here is a simplified overview of what happens in CAS when a user accesses it. Suppose the user was forwarded to CAS by another application in order to log in. CAS verifies the user's credentials, creates tickets, and forwards the user back to the application they originally came from.

  1. The user accesses SomeService at the URL https://someservice.tld. They are not logged in, so SomeService redirects them to CAS (https://iam.appliance.tld/cas) in order to log in.

  2. The user accesses https://iam.appliance.tld/cas/login?service=https://someservice.tld.

  3. CAS' policy engine decides whether the service https://someservice.tld matches any of the services it knows about (from the service files located in /data/volumes-shared/cas-services/).

    • If the service is not registered with CAS, an audit message with result Service Access Denied is emitted to the log and the user is presented with an informational page. The who field is audit:unknown because nobody is authenticated yet.

        Nov 14 14:05:57 iam.appliance.tld cas[928]: 2025-11-14 14:05:57,633 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"audit:unknown","what":"{\"result\":\"Service Access Denied\",\"service\":\"https://someservice.tld\"}","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Fri Nov 14 14:05:57 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  4. CAS checks whether the user is logged in. (The user is not.) The policy engine fires up and decides that even an unauthenticated user may view some pages (e.g. the login page).

    • The action is SERVICE_ACCESS_ENFORCEMENT_TRIGGERED whether access is granted or denied; the outcome is in the result field inside what (here Service Access Granted).

      Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,756 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"audit:unknown","what":"{\"result\":\"Service Access Granted\",\"service\":\"https://someservice.tld\",\"requiredAttributes\":{}}","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  5. CAS lets the user through to the login page.

  6. The user fills in their login (e.g. user1) and password and submits the form.

    • CAS validates the user's credentials. If they are incorrect, user1 is not logged in and AUTHENTICATION_FAILED is logged. The who field contains the login name the user tried to authenticate with, so a burst of these messages for one who or one clientIpAddress is what a password-guessing attempt looks like in this log.

      Nov 14 14:04:13 iam.appliance.tld cas[928]: 2025-11-14 14:04:13,966 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"[{\"username\":\"user1\",\"source\":null,\"customFields\":{},\"id\":\"user1\"}]","action":"AUTHENTICATION_FAILED","application":"CAS","when":"Fri Nov 14 14:04:13 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  7. CAS validates the user's credentials. They are correct; user1 is successfully logged in and AUTHENTICATION_SUCCESS is logged.

    • The who field contains the login name the user authenticated with.

      Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,821 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"[{\"username\":\"user1\",\"source\":null,\"customFields\":{},\"id\":\"user1\"}]","action":"AUTHENTICATION_SUCCESS","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  8. CAS creates the master session: a Ticket-Granting Ticket (TGT), whose identifier is handed to the browser in the Ticket-Granting Cookie (TGC).

    • The who field contains the login name the user authenticated with.

    • The id field inside what contains the partially masked TGT identifier (the value carried by the TGC), so the user's session is identifiable further in the log.

    • This log message also contains all of the user's attributes that were resolved at authentication time, together with the session's expiration policy (here TimeoutExpirationPolicy with a timeToIdle of 28800 seconds, i.e. 8 hours of idle time).

      Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,836 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"@class\":\"org.apereo.cas.ticket.TicketGrantingTicketImpl\",\"@id\":1,\"id\":\"TGT-5-*****M-bW4lGpKU-cas\",\"proxiedBy\":null,\"ticketGrantingTicket\":null,\"authentication\":{\"@class\":\"org.apereo.cas.authentication.DefaultAuthentication\",\"authenticationDate\":1763124396.831596000,\"principal\":{\"@class\":\"org.apereo.cas.authentication.principal.SimplePrincipal\",\"id\":\"user1\",\"attributes\":{ ... shortened for brevity ... }},\"warnings\":[]}},\"failures\":{}},\"expirationPolicy\":{\"@class\":\"org.apereo.cas.ticket.expiration.TimeoutExpirationPolicy\",\"timeToIdle\":28800,\"name\":\"TimeoutExpirationPolicy-54167e15-53e8-4b1f-9cf8-472b18ff34bc\"},\"lastTimeUsed\":1763124396.833607000,\"previousTimeUsed\":null,\"creationTime\":1763124396.833607000,\"countOfUses\":0,\"expired\":false,\"services\":{},\"proxyGrantingTickets\":{},\"descendantTickets\":[],\"prefix\":\"TGT\"}","action":"TICKET_GRANTING_TICKET_CREATED","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  9. The policy engine fires up again, this time with the authenticated principal and its attributes in the message.

    Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,823 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"result\":\"Service Access Granted\",\"principal\":{\"id\":\"user1\",\"attributes\":{ ... shortened for brevity ...}},\"service\":\"https://someservice.tld\",\"requiredAttributes\":{}}","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  10. It decides whether the authenticated user user1 may access the service https://someservice.tld.

    • If the user cannot access the service, the result is logged and the user is presented with an informational page.

  11. If the user can access the service, CAS creates a service ticket (ST) and redirects the user back to SomeService. The ST identifier is in the return field inside what.

    Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,844 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"service\":\"https://someservice.tld\",\"return\":\"ST-4-Sl5JYcza9WvuODU6nfqbHCJThKQ-cas\"}","action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
  12. The user accesses SomeService with a request URL similar to https://someservice.tld?ticket=ST-123…456.

  13. SomeService performs a back-end call to CAS to validate the ST.

  14. When the validation request reaches CAS, it first performs protocol-level validation. Note that in the validation messages the clientIpAddress is the address the validating service connects from (here 172.17.0.1), not the user's browser (10.0.1.76 in the messages above).

    Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,878 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"principal\":\"user1\",\"service\":\"https://someservice.tld\",\"renew\":\"false\",\"gateway\":\"false\"}","action":"PROTOCOL_SPECIFICATION_VALIDATE_SUCCESS","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"172.17.0.1","serverIpAddress":"172.17.0.6"}>
  15. CAS validates the ST.

    • If the ST is invalid, CAS logs SERVICE_TICKET_VALIDATE_FAILED and returns a validation failure to the caller. Service tickets are single-use, so a ticket that was already validated once, has expired, or was never issued by this CAS ends up here.

      Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,876 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"ticket\":\"ST-4-Sl5JYcza9WvuODU6nfqbHCJThKQ-cas\",\"service\":\"https://someservice.tld\"}","action":"SERVICE_TICKET_VALIDATE_FAILED","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"172.17.0.1","serverIpAddress":"172.17.0.6"}>
  16. If the ST is valid, CAS logs SERVICE_TICKET_VALIDATE_SUCCESS and responds to the caller with the user's profile attributes.

    Nov 14 13:46:36 iam.appliance.tld cas[928]: 2025-11-14 13:46:36,876 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"ticket\":\"ST-4-Sl5JYcza9WvuODU6nfqbHCJThKQ-cas\",\"service\":\"https://someservice.tld\"}","action":"SERVICE_TICKET_VALIDATE_SUCCESS","application":"CAS","when":"Fri Nov 14 13:46:36 CET 2025","clientIpAddress":"172.17.0.1","serverIpAddress":"172.17.0.6"}>
  17. … the user is working in the SomeService application …

  18. The user wants to log out and uses the logout button provided by SomeService, which redirects them to a URL similar to https://iam.appliance.tld/cas/logout?service=https://someservice.tld.

  19. CAS destroys the user's session (the TGT, logged as TICKET_DESTROYED with its masked identifier in what) together with the TGC, and then redirects the user back to https://someservice.tld.

    Nov 14 14:06:41 iam.appliance.tld cas[928]: 2025-11-14 14:06:41,327 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"\"TGT-6-*****DidyI7mJF8-cas\"","action":"TICKET_DESTROYED","application":"CAS","when":"Fri Nov 14 14:06:41 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
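The audit lines above, read with a small script. This is an added example for this page and not part of IdStory AM or Apereo CAS. It parses the envelope described at the top of this section (the Slf4jLoggingAuditTrailManager class name followed by <{…}> holding JSON whose what field is itself JSON serialised into a string) and then runs, over the flow in steps 3 to 19, the checks a practitioner would want: repeated AUTHENTICATION_FAILED per who and clientIpAddress, services the policy engine denied, service-ticket validations with no matching SERVICE_TICKET_CREATED, a per-user timeline, and the attributes resolved at login. The lines in SAMPLE_LOG are constructed after the page's format; the admin attempts, https://unregistered.example, the ST-9 ticket, the trimmed attributes and the non-audit line are invented.

```python
"""Parse IdStory AM / CAS audit lines and run a few checks over them.

Added example for this page; not part of IdStory AM or Apereo CAS.
SAMPLE_LOG is constructed after the line format shown on the page."""
import json
import re
from collections import Counter

# One forwarded audit line: "<syslog prefix> <logger timestamp> INFO [<audit class>] - <{json}>".
AUDIT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO "
    r"\[org\.apereo\.inspektr\.audit\.support\.Slf4jLoggingAuditTrailManager\] - "
    r"<(?P<json>\{.*\})>\s*$"
)

# Constructed sample (invented: the admin attempts, unregistered.example, ST-9, trimmed attributes).
SAMPLE_LOG = r"""
Nov 14 14:03:50 iam.appliance.tld cas[928]: 2025-11-14 14:03:50,101 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"admin","what":"[{\"username\":\"admin\",\"source\":null,\"customFields\":{},\"id\":\"admin\"}]","action":"AUTHENTICATION_FAILED","application":"CAS","when":"Fri Nov 14 14:03:50 CET 2025","clientIpAddress":"10.0.1.200","serverIpAddress":"172.17.0.6"}>
Nov 14 14:03:51 iam.appliance.tld cas[928]: 2025-11-14 14:03:51,210 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"admin","what":"[{\"username\":\"admin\",\"source\":null,\"customFields\":{},\"id\":\"admin\"}]","action":"AUTHENTICATION_FAILED","application":"CAS","when":"Fri Nov 14 14:03:51 CET 2025","clientIpAddress":"10.0.1.200","serverIpAddress":"172.17.0.6"}>
Nov 14 14:03:52 iam.appliance.tld cas[928]: 2025-11-14 14:03:52,340 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"admin","what":"[{\"username\":\"admin\",\"source\":null,\"customFields\":{},\"id\":\"admin\"}]","action":"AUTHENTICATION_FAILED","application":"CAS","when":"Fri Nov 14 14:03:52 CET 2025","clientIpAddress":"10.0.1.200","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:05 iam.appliance.tld cas[928]: 2025-11-14 14:04:05,633 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"audit:unknown","what":"{\"result\":\"Service Access Denied\",\"service\":\"https://unregistered.example\"}","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Fri Nov 14 14:04:05 CET 2025","clientIpAddress":"10.0.1.90","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:13 iam.appliance.tld cas[928]: 2025-11-14 14:04:13,966 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"[{\"username\":\"user1\",\"source\":null,\"customFields\":{},\"id\":\"user1\"}]","action":"AUTHENTICATION_FAILED","application":"CAS","when":"Fri Nov 14 14:04:13 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:20 iam.appliance.tld cas[928]: 2025-11-14 14:04:20,821 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"[{\"username\":\"user1\",\"source\":null,\"customFields\":{},\"id\":\"user1\"}]","action":"AUTHENTICATION_SUCCESS","application":"CAS","when":"Fri Nov 14 14:04:20 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:20 iam.appliance.tld cas[928]: 2025-11-14 14:04:20,823 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"result\":\"Service Access Granted\",\"principal\":{\"id\":\"user1\",\"attributes\":{}},\"service\":\"https://someservice.tld\",\"requiredAttributes\":{}}","action":"SERVICE_ACCESS_ENFORCEMENT_TRIGGERED","application":"CAS","when":"Fri Nov 14 14:04:20 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:20 iam.appliance.tld cas[928]: 2025-11-14 14:04:20,836 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"id\":\"TGT-5-*****M-bW4lGpKU-cas\",\"authentication\":{\"principal\":{\"id\":\"user1\",\"attributes\":{\"mail\":[\"user1@example.org\"]}}}}","action":"TICKET_GRANTING_TICKET_CREATED","application":"CAS","when":"Fri Nov 14 14:04:20 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:20 iam.appliance.tld cas[928]: 2025-11-14 14:04:20,844 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"service\":\"https://someservice.tld\",\"return\":\"ST-4-Sl5JYcza9WvuODU6nfqbHCJThKQ-cas\"}","action":"SERVICE_TICKET_CREATED","application":"CAS","when":"Fri Nov 14 14:04:20 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:20 iam.appliance.tld cas[928]: 2025-11-14 14:04:20,878 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"{\"ticket\":\"ST-4-Sl5JYcza9WvuODU6nfqbHCJThKQ-cas\",\"service\":\"https://someservice.tld\"}","action":"SERVICE_TICKET_VALIDATE_SUCCESS","application":"CAS","when":"Fri Nov 14 14:04:20 CET 2025","clientIpAddress":"172.17.0.1","serverIpAddress":"172.17.0.6"}>
Nov 14 14:04:20 iam.appliance.tld cas[928]: 2025-11-14 14:04:20,900 INFO [org.example.OtherLogger] - <not an audit line, skipped by the parser>
Nov 14 14:04:25 iam.appliance.tld cas[928]: 2025-11-14 14:04:25,002 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"audit:unknown","what":"{\"ticket\":\"ST-9-x9zQvLw2Ta8RkP0bN1mC3dE4fG5-cas\",\"service\":\"https://someservice.tld\"}","action":"SERVICE_TICKET_VALIDATE_FAILED","application":"CAS","when":"Fri Nov 14 14:04:25 CET 2025","clientIpAddress":"172.17.0.1","serverIpAddress":"172.17.0.6"}>
Nov 14 14:06:41 iam.appliance.tld cas[928]: 2025-11-14 14:06:41,327 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <{"who":"user1","what":"\"TGT-5-*****M-bW4lGpKU-cas\"","action":"TICKET_DESTROYED","application":"CAS","when":"Fri Nov 14 14:06:41 CET 2025","clientIpAddress":"10.0.1.76","serverIpAddress":"172.17.0.6"}>
"""


def parse_audit_line(line):
    """Return one audit record as a dict, or None when the line is not an audit line.

    The outer record is JSON; its 'what' field is a JSON document serialised into
    a string (that is why the raw lines are full of escaped quotes), so it is
    decoded a second time."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = json.loads(m.group("json"))
    rec["ts"] = m.group("ts")  # logger timestamp, finer-grained than the 'when' field
    if isinstance(rec.get("what"), str):
        try:
            rec["what"] = json.loads(rec["what"])
        except json.JSONDecodeError:
            pass  # keep the raw string, e.g. for a truncated line
    return rec


def parse_log(text):
    """All audit records in a log excerpt, in file order; non-audit lines are dropped."""
    return [r for r in map(parse_audit_line, text.splitlines()) if r is not None]


def failed_logins(records, threshold=3):
    """(who, clientIpAddress) pairs with at least `threshold` AUTHENTICATION_FAILED records."""
    hits = Counter((r["who"], r["clientIpAddress"])
                   for r in records if r["action"] == "AUTHENTICATION_FAILED")
    return {key: n for key, n in hits.items() if n >= threshold}


def denied_services(records):
    """Service URLs the policy engine refused (result 'Service Access Denied')."""
    return sorted({r["what"]["service"] for r in records
                   if r["action"] == "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED"
                   and isinstance(r["what"], dict)
                   and r["what"].get("result") == "Service Access Denied"})


def unissued_ticket_validations(records):
    """Validation attempts for service tickets that no SERVICE_TICKET_CREATED record issued.

    The ST id is in 'return' when created and in 'ticket' when validated, so the two
    can be joined. A guessed or foreign ticket (or one issued before the log window
    starts) shows up here."""
    issued = {r["what"]["return"] for r in records if r["action"] == "SERVICE_TICKET_CREATED"}
    return [(r["what"]["ticket"], r["action"], r["clientIpAddress"])
            for r in records
            if r["action"] in ("SERVICE_TICKET_VALIDATE_SUCCESS", "SERVICE_TICKET_VALIDATE_FAILED")
            and r["what"]["ticket"] not in issued]


def session_timeline(records, who):
    """(timestamp, action) pairs for one login name, in file order."""
    return [(r["ts"], r["action"]) for r in records if r["who"] == who]


def resolved_attributes(records, who):
    """Attributes CAS resolved at login, taken from the TICKET_GRANTING_TICKET_CREATED record."""
    for r in records:
        if r["action"] == "TICKET_GRANTING_TICKET_CREATED" and r["who"] == who:
            return r["what"]["authentication"]["principal"]["attributes"]
    return {}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed logins at/over threshold:", failed_logins(recs))
    print("denied services:", denied_services(recs))
    print("validations of unissued STs:", unissued_ticket_validations(recs))
    print("attributes for user1:", resolved_attributes(recs, "user1"))
    for ts, action in session_timeline(recs, "user1"):
        print(ts, action)
```

Run it directly to print the summary for the sample; to use it on the real file, pass the contents of the log under /data/logs/cas/ to parse_log. The join between SERVICE_TICKET_CREATED and the validation records only works within one log window, so a ticket created before the window starts is reported as unissued; and because the TGT identifier is masked in the log, sessions are followed by who and the masked id, not by the full ticket value.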