api: access: log to separate file, reduce syslog to errors

for now log auth errors also to the syslog, on a protected (LAN and/or firewalled) setup this should normally happen due to missconfiguration, not tries to break in. This reduces syslog noise *a lot*. A current full journal output from the current boot here has 72066 lines, of which 71444 (>99% !!) are "successful auth for user ..." messages Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2020-10-16 11:06:48 +02:00 · 2020-10-16 11:06:48 +02:00 · d39d095fa4
parent 86f3c2363c
commit d39d095fa4
1 changed files with 18 additions and 2 deletions
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@ -10,6 +10,7 @@ use proxmox::{http_err, list_subdirs_api_method};
 use crate::tools::ticket::{self, Empty, Ticket};
 use crate::auth_helpers::*;
 use crate::api2::types::*;
+use crate::tools::{FileLogOptions, FileLogger};

 use crate::config::cached_user_info::CachedUserInfo;
 use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
@ -140,13 +141,20 @@ fn create_ticket(
    port: Option<u16>,
    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Value, Error> {
+    let logger_options = FileLogOptions {
+        append: true,
+        prefix_time: true,
+        ..Default::default()
+    };
+    let mut auth_log = FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?;
+
    match authenticate_user(&username, &password, path, privs, port) {
        Ok(true) => {
            let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;

            let token = assemble_csrf_prevention_token(csrf_secret(), &username);

-            log::info!("successful auth for user '{}'", username);
+            auth_log.log(format!("successful auth for user '{}'", username));

            Ok(json!({
                "username": username,
@ -163,7 +171,15 @@ fn create_ticket(
                None => "unknown".into(),
            };

-            log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
+            let msg = format!(
+                "authentication failure; rhost={} user={} msg={}",
+                client_ip,
+                username,
+                err.to_string()
+            );
+            auth_log.log(&msg);
+            log::error!("{}", msg);
+
            Err(http_err!(UNAUTHORIZED, "permission check failed."))
        }
    }