api: access: log to separate file, reduce syslog to errors
for now, auth errors are also logged to the syslog; on a protected (LAN and/or firewalled) setup these should normally stem from misconfiguration, not from break-in attempts. This reduces syslog noise *a lot*. A full journal output from the current boot here has 72066 lines, of which 71444 (>99% !!) are "successful auth for user ..." messages Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
parent
86f3c2363c
commit
d39d095fa4
|
@ -10,6 +10,7 @@ use proxmox::{http_err, list_subdirs_api_method};
|
||||||
use crate::tools::ticket::{self, Empty, Ticket};
|
use crate::tools::ticket::{self, Empty, Ticket};
|
||||||
use crate::auth_helpers::*;
|
use crate::auth_helpers::*;
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
|
use crate::tools::{FileLogOptions, FileLogger};
|
||||||
|
|
||||||
use crate::config::cached_user_info::CachedUserInfo;
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
|
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
|
||||||
|
@ -140,13 +141,20 @@ fn create_ticket(
|
||||||
port: Option<u16>,
|
port: Option<u16>,
|
||||||
rpcenv: &mut dyn RpcEnvironment,
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<Value, Error> {
|
) -> Result<Value, Error> {
|
||||||
|
let logger_options = FileLogOptions {
|
||||||
|
append: true,
|
||||||
|
prefix_time: true,
|
||||||
|
..Default::default()
|
||||||
|
};
|
||||||
|
let mut auth_log = FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?;
|
||||||
|
|
||||||
match authenticate_user(&username, &password, path, privs, port) {
|
match authenticate_user(&username, &password, path, privs, port) {
|
||||||
Ok(true) => {
|
Ok(true) => {
|
||||||
let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;
|
let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;
|
||||||
|
|
||||||
let token = assemble_csrf_prevention_token(csrf_secret(), &username);
|
let token = assemble_csrf_prevention_token(csrf_secret(), &username);
|
||||||
|
|
||||||
log::info!("successful auth for user '{}'", username);
|
auth_log.log(format!("successful auth for user '{}'", username));
|
||||||
|
|
||||||
Ok(json!({
|
Ok(json!({
|
||||||
"username": username,
|
"username": username,
|
||||||
|
@ -163,7 +171,15 @@ fn create_ticket(
|
||||||
None => "unknown".into(),
|
None => "unknown".into(),
|
||||||
};
|
};
|
||||||
|
|
||||||
log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
|
let msg = format!(
|
||||||
|
"authentication failure; rhost={} user={} msg={}",
|
||||||
|
client_ip,
|
||||||
|
username,
|
||||||
|
err.to_string()
|
||||||
|
);
|
||||||
|
auth_log.log(&msg);
|
||||||
|
log::error!("{}", msg);
|
||||||
|
|
||||||
Err(http_err!(UNAUTHORIZED, "permission check failed."))
|
Err(http_err!(UNAUTHORIZED, "permission check failed."))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
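Review bot: `FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?` runs on every ticket request before `authenticate_user` is called, so a missing directory or wrong ownership on that file turns every login into an error response, and the `?` presumably forwards the underlying I/O error text (path included) to an unauthenticated client; opening the logger once (shared state or a lazily initialised static) and falling back to `log::error!` when it cannot be opened, instead of refusing the authentication, would avoid that availability trap. The file now records usernames and client addresses for every attempt, and the mode it is created with comes from the `FileLogOptions` defaults, which are not visible here — worth confirming it is not world-readable. As a style point, the success branch passes `format!(..)` by value while the failure branch passes `&msg`, and the path literal would read better as a named constant such as `const AUTH_LOG_PATH: &str = "/var/log/proxmox-backup/api/auth.log";`. `create_ticket`'s signature and the beginning of its body lie outside the hunk.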