Chapter 11: Track User Activities
This section contains the following topics:
Track User Activities or Application Usage with Auditing (see page 157) Transaction IDs (see page 158)
Record the Transaction ID in Sun Java System Web Server Logs (see page 159) Record the Transaction ID in Apache Web Server Logs (see page 160)
Record the User Name and Transaction ID in IIS 6.0 Server Logs (see page 160)
Track User Activities or Application Usage with Auditing
You can you can measure how often applications on your web site are used, or track user activities with auditing. Auditing is controlled with the following parameter:
EnableAuditing
Specifies whether the Web Agent logs all successful authorizations that are stored in the user session cache. When enabled, user authorizations are logged even when the Web Agent uses information from its cache instead of contacting the Policy Server. Web Agents log user names and access information in native web server log files when users access resources.
Default: No
Both the Policy Server and Web Agent audit user activity. The Web Agent sends a message to the Accounting service each time a user is authorized from cache to access resources. This action ensures that the Accounting service is tracking successful authorizations for the Web Agent and the Policy Server. If the Web Agent cannot successfully send an audit message to the Accounting service for an authorization, access to the resource is denied. You can then run a SiteMinder activity report from the Administrative UI. The reports from the Policy Server show user activity for each SiteMinder session.
Note: For more information, see the Policy Server documentation.
To track user activity or application usage with auditing, set the value of the EnableAuditing parameter to yes.
158 Web Agent Configuration Guide
Transaction IDs
The Web Agent generates a unique transaction ID for each successful user authorization request. The Agent adds the ID to the HTTP header. The ID is also recorded in the following logs:
■ Audit log
■ Web server log (if the server is configured to log query strings)
■ Policy Server log
You can track user activities for a given application using the transaction ID.
Note: For more information, see the Policy Server documentation.
The transaction ID appears in the log as a mock query parameter in the log that is appended to the end of an existing query string. The following example shows transaction ID (in bold) appended to a query string (which ends with
STATE=MA):
172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realm/index.html, STATE=MA&SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1 If no query parameters are in the URL, the Agent adds the transaction ID at the end of the web server log entry. For example:
172.24.12.1, user1, 2/11/00, 15:30:10, W3SVC, MYSERVER, 192.168.100.100, 26844, 47, 101, 400, 123, GET, /realma/index.html, SMTRANSACTIONID=0c01a8c0-01f0-38a47152-01ad-02714ae1.
Note: Web Agents log user names and access information in native web server log files when users access resources.
Chapter 11: Track User Activities 159
Record the Transaction ID in Sun Java System Web Server Logs
Valid on Solaris
You can record the SiteMinder transaction ID in the Sun Java System web server logs.
To record the SiteMinder transaction ID in the Sun Java System web server logs
1. Open the magnus.conf file.
2. Add the the following header variable to the existing list of HTTP server variables that you want to log when the web server initializes:
%Req->headers.SM_TRANSACTIONID%"
Note: You must enter the header variable in uppercase unless the value of the LowerCaseHTTP parameter is set to yes in your Agent Configuration Object or local configuration file.
The following example shows the SMTRANSACTIONID header variable in bold at the end of an existing entry. However, you can place it anywhere in the list of variables.
Init fn="flex-init" access="D:/iPlanet/server4/https-orion/logs/access" format.access="%Ses->client.ip% -
%Req->vars.auth-user% [%SYSDATE%] \" %Req->srvhdrs.clf-status% %Req-srvhdrs.content-length%
%Req->headers.- SM_TRANSACTIONID%"
3. Restart the Sun Java System Server to apply the change.
The transaction ID appears in the Sun Java System web server logs. The following example shows a web server log entry with the transaction ID in bold:
11.22.33.44 - user1 [21/Nov/2003:16:12:24 -0500] "GET /Anon/index.html HTTP/1.0" 200 748 3890b4b9-58f8-4a74df53-07f6-0002df88
More information:
Use Lower Case HTTP in Headers (for Sun Java System, Apache, Domino) (see page 134)
160 Web Agent Configuration Guide
Record the Transaction ID in Apache Web Server Logs
You can record the SiteMinder transaction ID in the Apache web server logs SMTRANSACTIONID header variable.
To record the SiteMinder transaction ID in the Apache web server logs 1. Open the httpd.conf file.
2. Add the SM_TRANSACTIONID header variable to the LogFormat directive.
For example:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SM_TRANSACTIONID}i\"" common
Note: For more information about the httpd.conf file and the LogFormat directive, see your Apache web server documentation.
3. Restart the server to apply the change.
The transaction ID will be recorded in the Apache web server logs.
Record the User Name and Transaction ID in IIS 6.0 Server Logs
Web Agents protecting resources on IIS 6.0 servers do not record the SiteMinder transaction ID and authenticated user name in the IIS server logs by default.
Because these Web Agents function as ISAPI extensions, the server would have have already logged a transaction. You can force the Web Agent to add this information with the following parameters:
AppendIISServerLog
Instructs the Web Agent to add the authenticated user name and SiteMinder transaction ID to the IIS server log on a separate line.
Default: No SetRemoteUser
Specifies a value for the REMOTE_USER variable that some legacy applications may require.
Default: No
To record the transaction ID and user name in the IIS server log 1. Set the value of the AppendIISServerLog parameter to yes.
2. Set the value of the SetRemoteUser parameter to yes.
The IIS server logs will contain the user name and transaction ID.