Addressed with Crowd 6.2.0.

This issue is 8 years old and should be addressed by Atlassian. 

Audit events are required for an organization to be DFAR/NIST compliant: https://nvd.nist.gov/800-53/Rev4/control/AU-2

Regardless if a business does government work, or not, audit events like logging of invalid username/passwords should be built-in to the authentication application.

By forcing us to not be compliant with regulations, your putting your customers at risk. I"m hopeful Atlassian can come to a conclusion on this soon.

Is there any recent update on this? I am looking at Crowd as a possible identity management solution for work and this, to me, is a fairly key requirement. Many thanks

Having a centralized user management tool without access logs is like having a bank account without account transactions overview. Would you like to have such a bank account?

This kind of feature is an absolute must for corporates so I am surprised it has been open for 5 years already. I was checking that Tomcat's valve logging but seems like there is no way to get the user name visible there (even with Denise's suggestion) and if there is no user name it won't be sufficient in our environment. Please Atlassian hear the cry of corporate customers!

Please do this soon. It's a priority for us to get Audit logs.

Hi dknight, sorry but no we don't have upcoming plans to implement this in the short term.

any word on this being implemented as an actual thing?

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/valves/ExtendedAccessLogValve.html suggests you can access the parameters in the POST in a log. You may be able to extract 'username' with something like: %

(FYI this is untested and not supported by Atlassian)

Hi Roy,

After configuring Valve in a crowd client , will the output show up in Crowd logs or crowd application/Client.