api: access: log to separate file, reduce syslog to errors
for now log auth errors also to the syslog, on a protected (LAN and/or firewalled) setup this should normally happen due to missconfiguration, not tries to break in. This reduces syslog noise *a lot*. A current full journal output from the current boot here has 72066 lines, of which 71444 (>99% !!) are "successful auth for user ..." messages Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
parent
86f3c2363c
commit
d39d095fa4
@ -10,6 +10,7 @@ use proxmox::{http_err, list_subdirs_api_method};
|
||||
use crate::tools::ticket::{self, Empty, Ticket};
|
||||
use crate::auth_helpers::*;
|
||||
use crate::api2::types::*;
|
||||
use crate::tools::{FileLogOptions, FileLogger};
|
||||
|
||||
use crate::config::cached_user_info::CachedUserInfo;
|
||||
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
|
||||
@ -140,13 +141,20 @@ fn create_ticket(
|
||||
port: Option<u16>,
|
||||
rpcenv: &mut dyn RpcEnvironment,
|
||||
) -> Result<Value, Error> {
|
||||
let logger_options = FileLogOptions {
|
||||
append: true,
|
||||
prefix_time: true,
|
||||
..Default::default()
|
||||
};
|
||||
let mut auth_log = FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?;
|
||||
|
||||
match authenticate_user(&username, &password, path, privs, port) {
|
||||
Ok(true) => {
|
||||
let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;
|
||||
|
||||
let token = assemble_csrf_prevention_token(csrf_secret(), &username);
|
||||
|
||||
log::info!("successful auth for user '{}'", username);
|
||||
auth_log.log(format!("successful auth for user '{}'", username));
|
||||
|
||||
Ok(json!({
|
||||
"username": username,
|
||||
@ -163,7 +171,15 @@ fn create_ticket(
|
||||
None => "unknown".into(),
|
||||
};
|
||||
|
||||
log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
|
||||
let msg = format!(
|
||||
"authentication failure; rhost={} user={} msg={}",
|
||||
client_ip,
|
||||
username,
|
||||
err.to_string()
|
||||
);
|
||||
auth_log.log(&msg);
|
||||
log::error!("{}", msg);
|
||||
|
||||
Err(http_err!(UNAUTHORIZED, "permission check failed."))
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user