api: access: log to separate file, reduce syslog to errors

for now log auth errors also to the syslog, on a protected (LAN
and/or firewalled) setup this should normally happen due to
missconfiguration, not tries to break in.

This reduces syslog noise *a lot*. A current full journal output from
the current boot here has 72066 lines, of which 71444 (>99% !!) are
"successful auth for user ..." messages

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2020-10-16 11:06:48 +02:00 committed by Dietmar Maurer
parent 86f3c2363c
commit d39d095fa4
1 changed files with 18 additions and 2 deletions

View File

@ -10,6 +10,7 @@ use proxmox::{http_err, list_subdirs_api_method};
use crate::tools::ticket::{self, Empty, Ticket}; use crate::tools::ticket::{self, Empty, Ticket};
use crate::auth_helpers::*; use crate::auth_helpers::*;
use crate::api2::types::*; use crate::api2::types::*;
use crate::tools::{FileLogOptions, FileLogger};
use crate::config::cached_user_info::CachedUserInfo; use crate::config::cached_user_info::CachedUserInfo;
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY}; use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
@ -140,13 +141,20 @@ fn create_ticket(
port: Option<u16>, port: Option<u16>,
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> { ) -> Result<Value, Error> {
let logger_options = FileLogOptions {
append: true,
prefix_time: true,
..Default::default()
};
let mut auth_log = FileLogger::new("/var/log/proxmox-backup/api/auth.log", logger_options)?;
match authenticate_user(&username, &password, path, privs, port) { match authenticate_user(&username, &password, path, privs, port) {
Ok(true) => { Ok(true) => {
let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?; let ticket = Ticket::new("PBS", &username)?.sign(private_auth_key(), None)?;
let token = assemble_csrf_prevention_token(csrf_secret(), &username); let token = assemble_csrf_prevention_token(csrf_secret(), &username);
log::info!("successful auth for user '{}'", username); auth_log.log(format!("successful auth for user '{}'", username));
Ok(json!({ Ok(json!({
"username": username, "username": username,
@ -163,7 +171,15 @@ fn create_ticket(
None => "unknown".into(), None => "unknown".into(),
}; };
log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string()); let msg = format!(
"authentication failure; rhost={} user={} msg={}",
client_ip,
username,
err.to_string()
);
auth_log.log(&msg);
log::error!("{}", msg);
Err(http_err!(UNAUTHORIZED, "permission check failed.")) Err(http_err!(UNAUTHORIZED, "permission check failed."))
} }
} }