From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH backup 3/3] api: access: log to separate file, reduce syslog to errors
Date: Fri, 16 Oct 2020 11:06:48 +0200
Message-ID: <20201016090648.23887-3-t.lamprecht@proxmox.com>
In-Reply-To: <20201016090648.23887-1-t.lamprecht@proxmox.com>
For now, log auth errors also to the syslog; on a protected (LAN
and/or firewalled) setup this should normally happen due to
misconfiguration, not tries to break in.
This reduces syslog noise *a lot*. A current full journal output from
the current boot here has 72066 lines, of which 71444 (>99% !!) are
"successful auth for user ..." messages.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
src/api2/access.rs | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index 19b128b1..c302e0c7 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -10,6 +10,7 @@ use proxmox::{http_err, list_subdirs_api_method};
use crate::tools::ticket::{self, Empty, Ticket};
use crate::auth_helpers::*;
use crate::api2::types::*;
+use crate::tools::{FileLogOptions, FileLogger};
use crate::config::cached_user_info::CachedUserInfo;
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
@@ -140,13 +141,20 @@ fn create_ticket(
port: Option<u16>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> {
+ let logger_options = FileLogOptions {
+ append: true,
+ prefix_time: true,
+ ..Default::default()
+ };
+ let mut auth_log = FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?;
+
match authenticate_user(&username, &password, path, privs, port) {
Ok(true) => {
let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;
let token = assemble_csrf_prevention_token(csrf_secret(), &username);
- log::info!("successful auth for user '{}'", username);
+ auth_log.log(format!("successful auth for user '{}'", username));
Ok(json!({
"username": username,
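Review bot: the `?` on `FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?` at the top of `create_ticket` makes every ticket request fail before `authenticate_user` is even called whenever the log file cannot be opened (directory missing, wrong permissions, disk full), and the file is reopened on every login attempt. Consider opening the logger once (or lazily on first use) and falling back to syslog-only when the file is unavailable, so a logging problem does not become an authentication outage. Two smaller points on the same lines: the success message `"successful auth for user '{}'"` still carries no client address, while the failure path below logs `rhost=`; an audit log is far more useful with the peer address on successful logins too. And since this file now records usernames and client addresses, it is worth confirming that the `..Default::default()` options create it with owner and mode restricted to the backup service rather than world-readable.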
@@ -163,7 +171,15 @@ fn create_ticket(
None => "unknown".into(),
};
- log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
+ let msg = format!(
+ "authentication failure; rhost={} user={} msg={}",
+ client_ip,
+ username,
+ err.to_string()
+ );
+ auth_log.log(&msg);
+ log::error!("{}", msg);
+
Err(http_err!(UNAUTHORIZED, "permission check failed."))
}
}
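Review bot: `auth_log.log(&msg)` passes a `&String` here while the success path passes an owned `String` to the same method; both may compile if `FileLogger::log` takes `impl AsRef<str>`, but pick one form. The file message also carries no severity marker, so success and failure lines in `auth.log` can only be told apart by free text; consider prefixing the failure message (e.g. `error: authentication failure; ...`) so the file can be filtered by level. Minor: `err.to_string()` inside `format!` is redundant, `{}` already formats `err` via `Display`.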
--
2.27.0
2020-10-16 9:06 [pbs-devel] [PATCH backup 1/3] server/rest: implement request access log Thomas Lamprecht
2020-10-16 9:06 ` [pbs-devel] [PATCH backup 2/3] server/rest: also log user agent Thomas Lamprecht
2020-10-16 9:06 ` Thomas Lamprecht [this message]
2020-10-16 9:28 ` [pbs-devel] applied: [PATCH backup 1/3] server/rest: implement request access log Dietmar Maurer