Container Audit/Logger Audit Usage

I’m trying to get the Audit page in the GUI output to a file, but I’m having a hard time finding the right configuration to get me that. I can only interpret a little bit of what the config file is doing, so I may have bits in there that are completely unnecessary. Below is what I am currently working with. I’m getting output to the configured file, but I’m also getting stuff I don’t want and missing stuff I want. I’m looking to record client IP, endpoint accessed, username, and domain at the very least.

End game is to have this data ingested by Logstash (using Filebeat to grab the data from the file on the PI server).

[formatters]
keys=detail

[handlers]
keys=file

[formatter_detail]
class=privacyidea.lib.log.SecureFormatter
format=[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s

[handler_file]
# Rollover the logfile at midnight
class=logging.handlers.RotatingFileHandler
backupCount=7
maxBytes=50000000
formatter=detail
level=INFO
args=('/var/log/privacyidea/audit.log',)

[loggers]
keys=root,privacyidea

[logger_privacyidea]
handlers=file
qualname=privacyidea
level=INFO

[logger_root]
level=INFO
handlers=file

I understand a little more now, and I think where I’m hung up is understanding two things:

  1. Formatters: Which ones are available to use, and what specifically does each of them do?
  2. Loggers: What are they in layman’s terms and how do I know what information they record?

I’ve pared my configuration down to below which gives me, what looks like, exactly what the audit log in the GUI provides. However, I don’t see authentication attempts. When attempting a test authenticate against RADIUS, I see the /radiusserver endpoint getting hit but it doesn’t tell me the token or username used in the authentication attempt. When I test authentication using the PrivacyIDEA-ADFS provider, I see zero entries appear in the log. At the moment, this lets me really just audit what people are doing in the WebGUI, which is great, but I’m hoping I can record authentication attempts and some details about those attempts (token/user/ip).

[formatters]
keys=detail

[formatter_detail]
class=privacyidea.lib.log.SecureFormatter
format=[%(asctime)s][%(process)d][%(thread)d][%(levelname)s][%(name)s:%(lineno)d] %(message)s

[handlers]
keys=file

[handler_file]
class=logging.handlers.RotatingFileHandler
backupCount=7
maxBytes=50000000
formatter=detail
level=INFO
args=('/var/log/privacyidea/audit.log',)

[loggers]
keys=root

[logger_root]
level=NOTSET
handlers=file
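
Added example (not part of the original post and not privacyIDEA code): how Python's `logging.config.fileConfig` treats a config shaped like the first one above. It shows that a handler attached to both root and a child logger writes each record twice unless the child sets `propagate=0`, and that `maxBytes`/`backupCount` only take effect when passed through `args`. The logger name `pi-audit`, the sample record and the temporary path are constructed for the demo.

```python
import io, logging, logging.config, os, tempfile

# Constructed config modelled on the first one in the post. The log path is
# filled in at run time; "pi-audit" is an assumed logger name for this demo.
TEMPLATE = """
[formatters]
keys=detail
[formatter_detail]
format=[%(levelname)s][%(name)s] %(message)s
[handlers]
keys=file
[handler_file]
class=logging.handlers.RotatingFileHandler
# fileConfig does not read these two keys; only args/kwargs reach the class
maxBytes=50000000
backupCount=7
formatter=detail
level=INFO
args={args}
[loggers]
keys=root,audit
[logger_root]
level=INFO
handlers=file
[logger_audit]
level=INFO
handlers=file
qualname=pi-audit
propagate={propagate}
"""

def run(extra_args, propagate):
    """Log one record on 'pi-audit'; return (lines written, handler.maxBytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "audit.log")
        cfg = TEMPLATE.format(args=repr((path, *extra_args)), propagate=propagate)
        logging.config.fileConfig(io.StringIO(cfg), disable_existing_loggers=False)
        audit = logging.getLogger("pi-audit")
        audit.info("user=alice realm=example client=192.0.2.10")  # constructed
        max_bytes = audit.handlers[0].maxBytes
        logging.shutdown()  # flush and close the file before reading it
        with open(path) as fh:
            return len(fh.read().splitlines()), max_bytes

if __name__ == "__main__":
    print(run((), 1))                    # same handler on root and child
    print(run((), 0))                    # child no longer propagates to root
    print(run(("a", 50000000, 7), 0))    # rotation limits passed positionally
```

A logger is a named channel in a dotted hierarchy; `qualname` selects which channel a `[logger_*]` section configures, and records travel up to root unless `propagate=0` stops them.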