link text
The Shibboleth wiki page has information that will be useful in being able to parse the logs.
Fields are extracted at various points through the life of a transaction so that adequate detail can be exposed about the request, the processing of the request, and the response. These extraction points are associated with collections of field extraction beans that do the actual work to pull data out of the state of the transaction and store it for output.
Built-In Fields
The fields that are supported out of the box are as follows (note that not every field is always populated, it depends on the timing of errors and the specific transaction being audited):
Generic Fields
ST Timestamp for start of flow
T Timestamp event is recorded
e WebFlow Event
URL URL
URI URI
DEST Destination URL of outgoing msg
s IdP session ID
AF Authentication flow ID
SSO SSO flag
a Client address
UA User agent string
P Profile ID
u Username
HASHEDu Hashed username
uu Impersonating username
attr Attribute(s)
ROP Requested authentication operator
RPRIN Requested authentication principals
SAML Fields
SP Service provider name
IDP Identity provider name
p Protocol
b Inbound binding
bb Outbound binding
n NameID value
f NameID format
SPQ NameID SPNameQualifier
pf NameIDPolicy required format
PSPQ NameIDPolicy required SPNameQualifier
i Assertion ID
d Assertion timestamp
I Inbound message ID
D Inbound message timestamp
II InResponseTo
III Outbound message ID
DD Outbound message timestamp
t AuthenticationInstant
x SessionIndex
ac AuthenticationContext
S Status code
SS Sub-status code
SM Status message
pasv IsPassive
fauth ForceAuthn
XX Signed inbound messages
X Encrypted assertions
XA Encryption algorithm
... View more