Logging CRX Login/Logout Activity on AEM 6.5 | Community
Skip to main content
tadreeves
tadreeves
Level 2
February 23, 2022

Logging CRX Login/Logout Activity on AEM 6.5

  • February 23, 2022
  • 2 replies
  • 2916 views

10 years into this and I should already know this but: 

What's the best way to enable logging on Author & Publish instances to capture all login/logout activity?  One of course can enable loggers for any custom authentication not done against AEM's internal auth mechanisms, but how reliably track login/logout and failed login attempts for CRX users - like the `admin` account or other internal AEM accounts?  These aren't logged by default to the error log, nor to the audit log.   

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

2 replies

Bhuwan_B
Community Advisor
Bhuwan_BCommunity Advisor
Community Advisor
February 23, 2022

@tadreeves Please refer below Community URL that highlights two approach of achieving the use case:

  1. Sling Filter
  2. Using Analytics

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-log-monitor-user-activity-in-aem6/m-p/207402

    joerghoh
    Adobe Employee
    joerghohAdobe Employee
    Adobe Employee
    February 23, 2022

    Hi Tad,

     

    what do you mean with "CRX Users"? Every users which does have a valid JCR user? And what types of login?

     

    As today the standard login is using the TokenAuthentication you can check for the creation/removal of the ".token" node in the user's home. That should be pretty reliable, unless someone logs via basic auth.

      tadreeves
      tadreevesAuthor
      Level 2
      February 24, 2022

      Sorry, should have been more complete in my question. 

      I'm looking to log to disk any login attempt (whether success or failure) for a JCR user.  

      Currently, if someone, say attempts to log on as `admin` to an Author instance, you do see a message like this in the logs if they enter a bad password: 

      23.02.2022 15:58:08.822 *INFO* [qtp1961517139-70] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate null: UserId/Password mismatch.

      However, that doesn't tell you what user they attempted to log in with.  Also, if they then SUCCEED at logging in as `admin`, it won't give you a message that they logged in. In the access.log  you get the authenticated user that prints along with apache-combined log format, but it doesn't give you an entry that you can look for that is a unique "this user has just logged in" signal. 

      I didn't know if there was a class I could crank up logging on that would give me this sort of thing out of the box, or if (as others have suggested) I'll need to write a sling filter to do it.  

      For access auditing purposes, what I'm after is a log that I could log to disk and consume with Splunk that would give me the equivalent of a `last` and `lastb` in Linux, where you at least log every login event with what user logged in, and any bad login attempts with what user attempted it.  

        joerghoh
        Adobe Employee
        joerghohAdobe Employee
        Adobe Employee
        February 25, 2022

        Do you really want to have all that stuff in the AEM logs? Of course you can implement all of that and also log everything. But it's not ootb.

        If you want to implement a more thorough protection and detection against malicious attempts to login I would use a full-blown IDP, where this is more in focus.

          Terms & ConditionsAccessibility statement

          Loading footer...