Login and logout and fail log?

It is surprising to me that openfire does not keep logs of when user logged in and logged out? (or wrong password)

I am sorry if I missed it in logs or somewhere but I searched at many places and could not find it anywhere.

I suppose this should be a must for auditing and security. Atleast there should be a note in info.log, one when user logs in and second when he logs out. Helps in identifying brute force as well.

So please let me know if its already there.

Otherwise if someone can tell me right file location I am willing to write small code which will log these to info.log


info.log will log unsuccessful authentication attempts.

info.log.1:2013.03.01 10:54:05 org.jivesoftware.openfire.net.SASLAuthentication - User Login Failed. PLAIN authentication failed for:

Yes, so why cant it also log successful logins?

That way we have records and then we can run many types of stats on it.

Like what time is the load max on server, how many users login everyday. Which user logs in very often.


You can use the onlineusers plugin to get a list of people logged in at any particular point in time. I’m sure you could extend the logging to make it log when someone logs in/out.

Umm… my point here is that logging is crucial from security point of view. It should be inbuilt and not dependent on plugin.

This is such a great software and very user friendly. I wonder how the developers never thought this to be important?

But anyway, let me try to see the code. I am not java expert but will try. I suppose it should be one single file which handles all that, so, mostly one print statement is all it needs.

Thanks for ur replies.

1 Like

This is a late answer, but http://community.igniterealtime.org/thread/37077 deals with a similar problem, complete with suggestion to get a better logging of at least failed logins. But I agree that logging of succesful logins should be done, too.

Perhaps it’s even possible to use http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/ org/jivesoftware/admin/LoginLimitManager.html which only protects the admin interface for user logins as well, but I don’t know enough about the code yet.

Great, thanks for the tip.

Here is the code I added src/java/org/jivesoftware/openfire/session/SessionManager.java, in two functions as follows:

public void addSession(LocalClientSession session);

public void addSession(LocalClientSession session) {

String hostAddress;

try {

hostAddress = session.getHostAddress();

} catch (UnknownHostException e) {

hostAddress = “Unknown”;


JID fullJID = session.getAddress();

Log.info(“User Login=” + fullJID.getNode() + “, IP=” + hostAddress + “, Resource=” + fullJID.getResource());

public boolean removeSession(ClientSession session, JID fullJID, boolean anonymous, boolean forceUnavailable);

Modified if part of code in the same way:

if (removed) {

// Fire session event.

if (anonymous) {


.dispatchEvent(session, SessionEventDispatcher.EventType.anonymous_session_destroyed);


else {

String hostAddress;

try {

hostAddress = session.getHostAddress();

} catch (UnknownHostException e) {

hostAddress = “Unknown”;


Log.info(“User Logout=” + fullJID.getNode() + “, IP=” + hostAddress + “, Resource=” + fullJID.getResource());

SessionEventDispatcher.dispatchEvent(session, SessionEventDispatcher.EventType.session_destroyed);



This will log successful login and logout in info.log.