IdentityServer3 Logging & Monitoring using Serilog and Seq

IdentityServer has two fundamental “monitoring” facilities : development-time logging and production-time eventing. The original docs are here.

Logging is for developers – in fact – when I start a new IdentityServer3 project, that’s the first thing I configure. For security reasons (and to be spec compliant) the error messages in IdentityServer are pretty vague – logging gives you a detailed inside view of what’s really going on.

We use the fabulous LibLog library for logging, which means we support logging frameworks like SeriLog, NLog, Log4Net and others out of the box. If you want to directly connect to a custom logging framework – we have a sample for that as well.

Depending on how much logging sources you enable, the logs will contain sensitive data like passwords, claims and tokens. This is where eventing comes in.

Events are more suitable for production scenarios where you want more high level – but also queryable – data. This includes typical events like login failed/success, errors etc… to connect IdentityServer to an event processing system (ELK being the most popular), you would implement the IEventService interface.

For this post I want to show you how to connect IdentityServer to Serilog for logging and a local Seq instance for querying and parsing events.

Logging
That’s super easy – first get Serilog from Nuget

install-package Serilog

If you are using an IIS hosted IdentityServer, you probably want to log to a text file using System.Diagnostics (here’s a nice tail tool to view those logs in real time). In that case, add the following Serilog setup to your Startup:

Log.Logger = new LoggerConfiguration()
    .MinimumLevel.Debug()
    .WriteTo.Trace()
    .CreateLogger();

..and add the following snippet to your web.config:

<system.diagnostics>
  <trace autoflush="true" indentsize="4">
    <listeners>
      <add name="myListener" 
            type="System.Diagnostics.TextWriterTraceListener" 
            initializeData="Trace.log" />
    </listeners>
  </trace>
</system.diagnostics>  

That’s it. LibLog will detect that Serilog has been configured in the host and will start piping all IdentityServer logging to it.

If you prefer self-hosts for IdentityServer (I do for dev time) – there’s a nice console log formatter:

install-package Serilog.Sinks.Literate

In that case add the following Serilog setup to your host:

Log.Logger = new LoggerConfiguration()
    .WriteTo
    .LiterateConsole(outputTemplate: "{Timestamp:HH:MM} [{Level}] ({Name:l}){NewLine} {Message}{NewLine}{Exception}")
    .CreateLogger();

This gives you nicely formatted console output

SerilogConsole

Eventing
Seq is free for single user, easy to use and easy to setup. To connect IdentityServer to Seq, I wrote the following event service:

class SeqEventService : IEventService
{
    static readonly ILogger Log;
 
    static SeqEventService()
    {
        Log = new LoggerConfiguration()
            .WriteTo.Seq("http://localhost:5341")
            .CreateLogger();
    }
 
    public Task RaiseAsync<T>(Event<T> evt)
    {
        Log.Information("{Id}: {Name} / {Category} ({EventType}), Context: {@context}, Details: {@details}",
            evt.Id,
            evt.Name,
            evt.Category,
            evt.EventType,
            evt.Context,
            evt.Details);
 
        return Task.FromResult(0);
    }
}

..and registered it like this:

factory.EventService = new Registration<IEventServiceSeqEventService>();

Using the Seq console, you can now query the events – e.g. for failed logons, IP addresses etc..

Seq

Nice! HTH.

(full source code can be found here)

This entry was posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, OWIN, WebAPI. Bookmark the permalink.

8 Responses to IdentityServer3 Logging & Monitoring using Serilog and Seq

  1. For future there will be a WebHooks implementation?

  2. Hi! I’m just taking my first steps after some Pluralsight courses, and I must say, what a awesome project you have here :). Thank you for that.

  3. There’s one missing piece of information: Seems like no events are delivered to IEventService until you configure EventsOptions, which has all flags set to false by default.

  4. Jeremy Capello says:

    Minor Update: Serilog’s WriteTo.Trace() extension method is in a different package: Install-Package Serilog.Sinks.Trace

  5. pregunton says:

    LibLog+Serilog+Splunk? ElasticSearch,Kibana and Serilog?

    Splunk or Seq is free ?

    full source code sample real app using good patterns&practices?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s