On BI: Spring Tomcat Impersonation audit

The amount of intelligence you can pull from logs is unlimited. In a typical log like the below we see a session but we have no idea who is editing the employee. Furthermore the employee might be edited under impersonation.

2015-11-07 22:15:05,845 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /employee/204187 192.168.0.43

We can easily see filtering by the sessionid if a user was impersonated and list both the real user and the impersonated user with the below awk script:

	#!/usr/bin/awk
	# spring-impersonation-audit.awk
	# author: Nestor Urquiza
	# date: 20151123
	# description: Lists users and impersonated users per request
	{
	if(!usernames[$8] && match($0,"login.*j_username")){
	usernames[$8]=gensub(/^.*j_username=([^& ]*)[& ].*$/,"\\1","g");
	}
	sessionids[$9]=$8;
	others[$9]=$1" "$2" "$7;
	if(match($0,"switchUser.*j_username")){
	impersonated[$8]=gensub(/^.*j_username=([^& ]*)[& ].*$/,"\\1","g");
	}
	if(match($0,"switchUserExit.*")){
	impersonated[$8]="na";
	}
	if(impersonated[$8]){
	impersonatedUserNames[$9]=impersonated[$8];
	} else {
	impersonatedUserNames[$9]="na";
	}
	}
	END {
	for(request in sessionids){
	sessionid=sessionids[request];
	if(usernames[sessionid]){
	print others[request]" "sessionid" "usernames[sessionid]" "impersonatedUserNames[request]" "request;
	}
	}
	}

view raw spring-impersonation-audit.awk hosted with ❤ by GitHub

We get now something like:

2015-11-07 22:15:05,845 192.168.0.43 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 impersonator@sample.com impersonated@sample.com /employee/204187

Note that if you are logging all params as part of the URL regardless if it is POST or GET you could be saving a lot of time. If you are using JSON payload most likely things will get a little more complicated as you might want to extract specific fields from the payload but overall you could extract a lot of business intelligence from logs just using the veteran awk.