public inbox for pbs-devel@lists.proxmox.com
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH backup 3/3] api: access: log to separate file, reduce syslog to errors
Date: Fri, 16 Oct 2020 11:06:48 +0200
Message-ID: <20201016090648.23887-3-t.lamprecht@proxmox.com>
In-Reply-To: <20201016090648.23887-1-t.lamprecht@proxmox.com>

for now log auth errors also to the syslog, on a protected (LAN
and/or firewalled) setup this should normally happen due to
misconfiguration, not tries to break in.

This reduces syslog noise *a lot*. A current full journal output from
the current boot here has 72066 lines, of which 71444 (>99% !!) are
"successful auth for user ..." messages.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/api2/access.rs | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/api2/access.rs b/src/api2/access.rs
index 19b128b1..c302e0c7 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -10,6 +10,7 @@ use proxmox::{http_err, list_subdirs_api_method};
 use crate::tools::ticket::{self, Empty, Ticket};
 use crate::auth_helpers::*;
 use crate::api2::types::*;
+use crate::tools::{FileLogOptions, FileLogger};
 
 use crate::config::cached_user_info::CachedUserInfo;
 use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
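Review bot: style point on the new `use crate::tools::{FileLogOptions, FileLogger};` line: there is already a `use crate::tools::ticket::{self, Empty, Ticket};` import a few lines above, so the new `crate::tools` import would read better grouped directly next to it rather than after `crate::api2::types::*`.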
@@ -140,13 +141,20 @@ fn create_ticket(
     port: Option<u16>,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Value, Error> {
+    let logger_options = FileLogOptions {
+        append: true,
+        prefix_time: true,
+        ..Default::default()
+    };
+    let mut auth_log = FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?;
+
     match authenticate_user(&username, &password, path, privs, port) {
         Ok(true) => {
             let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;
 
             let token = assemble_csrf_prevention_token(csrf_secret(), &username);
 
-            log::info!("successful auth for user '{}'", username);
+            auth_log.log(format!("successful auth for user '{}'", username));
 
             Ok(json!({
                 "username": username,
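Review bot: the `?` on `FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?` at the top of `create_ticket` turns a logging failure into an authentication failure: if the log file cannot be opened (missing directory, permissions, full disk), every ticket request errors out before `authenticate_user` is even called, so nobody can log in until the log path is fixed. Consider handling the open error locally (`log::error!` and continue without the file logger) instead of propagating it, and, since the file is opened anew on every request, opening it once and sharing the logger would avoid the per-call open. Also note that with this hunk the "successful auth" line is written only to auth.log and no longer reaches the journal at all, which matches the commit message but is worth stating in the documentation for anyone who was grepping syslog for it.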
@@ -163,7 +171,15 @@ fn create_ticket(
                 None => "unknown".into(),
             };
 
-            log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
+            let msg = format!(
+                "authentication failure; rhost={} user={} msg={}",
+                client_ip,
+                username,
+                err.to_string()
+            );
+            auth_log.log(&msg);
+            log::error!("{}", msg);
+
             Err(http_err!(UNAUTHORIZED, "permission check failed."))
         }
     }
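Review bot: `username` in the failure message is client-supplied and unauthenticated at this point; if the user id type does not already reject control characters, escape or quote the value before writing it with `auth_log.log(&msg)` so a crafted name cannot split or forge a line in auth.log (the syslog path already had this exposure, but a plain file log is easier to mislead). Minor: `err.to_string()` inside `format!` is redundant since `err` implements `Display`, and the success path calls `auth_log.log(format!(...))` by value while this one passes `&msg`; pick one form for consistency.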
-- 
2.27.0

Thread overview:
2020-10-16  9:06 [pbs-devel] [PATCH backup 1/3] server/rest: implement request access log Thomas Lamprecht
2020-10-16  9:06 ` [pbs-devel] [PATCH backup 2/3] server/rest: also log user agent Thomas Lamprecht
2020-10-16  9:06 ` Thomas Lamprecht [this message]
2020-10-16  9:28 ` [pbs-devel] applied: [PATCH backup 1/3] server/rest: implement request access log Dietmar Maurer
