I recall having seen some discussion of CAS+Splunk in the past. We've been
ingesting all CAS logs into Splunk for over a year now and it's generally
awesome. We recently had a need to query for a list of services accessed by
a single user, and that turns out to be spectacularly difficult due to the
layout of the audit logs. The root problem is that the CAS audit log is a
record-oriented log (timestamp, what, principal, action,...), but the TGT
that could be used to correlate the service access events jumps around. In
the case of an authentication, where the user principal is logged, it's in
the "what" field. In the service ticket creation events, where you see the
service name in the "what" field, it appears in the "principal" field. That
precludes the use of the Splunk "transaction" command, which would make the
query trivial.

Given the layout of CAS audit logs, has anyone accomplished this sort of
query? I think join with field renaming may be promising, but I am afraid
the performance may be so terrible it won't be feasible for any large time
window.

I don't know how popular Splunk is in the CAS community, but we might
consider some changes to the audit log format to facilitate "follow this
ticket" kind of queries. It could arguably have value beyond Splunk.

M

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
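The correlation the post is asking for, as an added example that is not part of the original message or of CAS itself: the ticket-granting ticket is pulled out of whichever field happens to carry it ("what" on the authentication event, "principal" on the service-ticket events) and used as the join key, so a per-user list of services falls out of a single grouping. The log lines are constructed to mirror the record layout described above (principal / what / action), not real CAS output; the action names, the `TGT-` ticket prefix and the key=value layout are assumptions. The orphan ticket `TGT-1-zzz-cas01` shows the large-time-window caveat from the post: a service-ticket event whose TGT-creation event falls outside the searched window cannot be attributed to a user.

```python
"""Follow a CAS ticket-granting ticket through record-oriented audit logs.

Added example, not CAS or Splunk code. The records below are constructed to
mirror the field layout described in the post; action names, the TGT- prefix
and the key=value serialisation are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log. On TICKET_GRANTING_TICKET_CREATED the user is in
# "principal" and the TGT in "what"; on SERVICE_TICKET_CREATED the TGT moves
# to "principal" and the service URL is in "what".
SAMPLE_LOG = """\
2012-03-01T10:00:00Z principal=jdoe what=TGT-1-aaa-cas01 action=TICKET_GRANTING_TICKET_CREATED
2012-03-01T10:00:05Z principal=TGT-1-aaa-cas01 what=https://wiki.example.edu/login action=SERVICE_TICKET_CREATED
2012-03-01T10:02:11Z principal=TGT-1-aaa-cas01 what=https://mail.example.edu/ action=SERVICE_TICKET_CREATED
2012-03-01T10:03:00Z principal=asmith what=TGT-1-bbb-cas01 action=TICKET_GRANTING_TICKET_CREATED
2012-03-01T10:03:09Z principal=TGT-1-bbb-cas01 what=https://mail.example.edu/ action=SERVICE_TICKET_CREATED
2012-03-01T11:00:00Z principal=jdoe what=TGT-2-ccc-cas02 action=TICKET_GRANTING_TICKET_CREATED
2012-03-01T11:00:04Z principal=TGT-2-ccc-cas02 what=https://grades.example.edu/ action=SERVICE_TICKET_CREATED
2012-03-01T11:31:00Z principal=badguy what=credentials action=AUTHENTICATION_FAILED
2012-03-01T11:40:00Z principal=TGT-1-zzz-cas01 what=https://hr.example.edu/ action=SERVICE_TICKET_CREATED
"""

TGT_RE = re.compile(r'^TGT-\d+-')      # assumed ticket-id shape


def parse_record(line):
    """Split one constructed record into a dict of its key=value fields plus the timestamp."""
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    fields['timestamp'] = line.split(' ', 1)[0]
    return fields


def ticket_of(rec):
    """Return the TGT no matter which field carries it, or None if the record has none."""
    for key in ('what', 'principal'):
        if TGT_RE.match(rec.get(key, '')):
            return rec[key]
    return None


def correlate(log_text):
    """Group records by TGT: who authenticated for it and which services it was used for."""
    sessions = defaultdict(lambda: {'user': None, 'services': []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        tgt = ticket_of(rec)
        if tgt is None:
            continue          # failed logins etc. carry no ticket, nothing to follow
        session = sessions[tgt]
        if rec['action'] == 'TICKET_GRANTING_TICKET_CREATED':
            session['user'] = rec['principal']
        elif rec['action'] == 'SERVICE_TICKET_CREATED':
            session['services'].append((rec['timestamp'], rec['what']))
    return sessions


def services_for_user(log_text, user):
    """Sorted, de-duplicated services reached under any TGT issued to `user`."""
    found = set()
    for session in correlate(log_text).values():
        if session['user'] == user:
            found.update(svc for _, svc in session['services'])
    return sorted(found)


def orphan_tickets(log_text):
    """TGTs seen on service-ticket events whose creation event is not in the searched data."""
    return sorted(t for t, s in correlate(log_text).items() if s['user'] is None)


if __name__ == '__main__':
    for user in ('jdoe', 'asmith'):
        print(user, services_for_user(SAMPLE_LOG, user))
    print('unattributable:', orphan_tickets(SAMPLE_LOG))
```

The whole trick is `ticket_of`: normalising the ticket into one field before grouping. In Splunk the rough equivalent is a single `eval` such as `eval tgt=if(like(what,"TGT-%"), what, principal)` followed by `stats values(what) by tgt`, which avoids the `join` the post worries about; the orphan case still needs the creation event inside the search window.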