authorMayra Cabrera <mcabrera@gitlab.com>2019-05-21 17:35:10 -0500
committerMayra Cabrera <mcabrera@gitlab.com>2019-05-23 17:27:07 -0500
commit6760911e0f51f7bbffe09b0e91ad81b04a431027 (patch)
tree2615c477f7449d9571001a13a37d4898f058230b
parent76c8d4fbedb57a3744d32cf52c0acee91eb751f5 (diff)
downloadgitlab-ce-54528-add-rack-attack-to-structured-logs.tar.gz
Changes RackAttack logger to use structured logs54528-add-rack-attack-to-structured-logs
Creates a new filename to register auth logs. This change should allow SREs to make better queries through the logging infrastructure. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54528
-rw-r--r--config/database.yml.example0
-rw-r--r--config/initializers/rack_attack_logging.rb10
-rw-r--r--doc/administration/logs.md9
-rw-r--r--doc/security/rack_attack.md2
-rw-r--r--lib/gitlab/auth_logger.rb9
-rw-r--r--spec/requests/rack_attack_global_spec.rb22
6 files changed, 50 insertions, 2 deletions
diff --git a/config/database.yml.example b/config/database.yml.example
new file mode 100644
index 00000000000..e69de29bb2d
--- /dev/null
+++ b/config/database.yml.example
diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb
index 8bb9ea29c33..2a3fdc8de5f 100644
--- a/config/initializers/rack_attack_logging.rb
+++ b/config/initializers/rack_attack_logging.rb
@@ -1,7 +1,15 @@
+# frozen_string_literal: true
+#
# Adds logging for all Rack Attack blocks and throttling events.
ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
if [:throttle, :blacklist].include? req.env['rack.attack.match_type']
- Rails.logger.info("Rack_Attack: #{req.env['rack.attack.match_type']} #{req.ip} #{req.request_method} #{req.fullpath}")
+ Gitlab::AuthLogger.error(
+ message: 'Rack_Attack',
+ env: req.env['rack.attack.match_type'],
+ ip: req.ip,
+ request_method: req.request_method,
+ fullpath: req.fullpath
+ )
end
end
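Review bot: `fullpath: req.fullpath` writes the full query string into auth.log, so any credential a client sends as a URL parameter would be stored there in clear text. The old `Rails.logger.info` line did the same, but the description suggests this file is meant to be queried through the logging infrastructure, which presumably widens who can read it. Consider logging `req.path` instead, or running the value through the application's parameter filtering before it is logged. Separately, the `env:` key holds the match type rather than the Rack env, so `match_type: req.env['rack.attack.match_type']` would be clearer to query, and adding `matched: req.env['rack.attack.matched']` would record which rule fired.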
diff --git a/doc/administration/logs.md b/doc/administration/logs.md
index 3d40cda491a..a7e57e44e86 100644
--- a/doc/administration/logs.md
+++ b/doc/administration/logs.md
@@ -280,6 +280,14 @@ installations from source.
Currently it logs the progress of project imports from the Bitbucket Server
importer. Future importers may use this file.
+## `auth.log`
+
+Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for
+Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for
+installations from source.
+
+It logs information whenever [Rack Attack] registers an abusive request.
+
## Reconfigure Logs
Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab
@@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for
installations from source.
[repocheck]: repository_checks.md
+[Rack Attack]: ../security/rack_attack.md
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
index ad83dc05a93..66081d7e376 100644
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps:
1. Find the IPs that have been blocked in the production log:
```sh
- grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log
+ grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
```
1. Since the blacklist is stored in Redis, you need to open up `redis-cli`:
diff --git a/lib/gitlab/auth_logger.rb b/lib/gitlab/auth_logger.rb
new file mode 100644
index 00000000000..6d3edba02b0
--- /dev/null
+++ b/lib/gitlab/auth_logger.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Gitlab
+ class AuthLogger < Gitlab::JsonLogger
+ def self.file_name_noext
+ 'auth'
+ end
+ end
+end
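Review bot: The new `Gitlab::AuthLogger` class has no comment saying what belongs in this log, even though it defines a new security-relevant log file. A short class comment would help, for example `# Structured (JSON) logger for authentication-related events such as Rack Attack blocks and throttles; writes to auth.log.` It is also worth noting there that entries carry client IPs and request paths, so the file should be handled like other access logs.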
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index a12646ea222..89adbc77a7f 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do
end
end
end
+
+ it 'logs RackAttack info into structured logs' do
+ requests_per_period.times do
+ get url_that_does_not_require_authentication
+ expect(response).to have_http_status 200
+ end
+
+ expect(Gitlab::AuthLogger).to receive(:error).once
+
+ get url_that_does_not_require_authentication
+ end
end
context 'when the throttle is disabled' do
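Review bot: The new example only asserts that `Gitlab::AuthLogger.error` is called once, so it would still pass if the initializer logged the wrong or no fields. Pinning the payload would protect the fields SRE queries depend on, e.g. `expect(Gitlab::AuthLogger).to receive(:error).with(hash_including(message: 'Rack_Attack', env: :throttle, request_method: 'GET')).once`. The same applies to the identical example added in the authenticated-throttle hunk further down. The enclosing `describe`/`context` blocks start and end outside these hunks.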
@@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do
expect_rejection { get url_that_requires_authentication }
end
+
+ it 'logs RackAttack info into structured logs' do
+ requests_per_period.times do
+ get url_that_requires_authentication
+ expect(response).to have_http_status 200
+ end
+
+ expect(Gitlab::AuthLogger).to receive(:error).once
+
+ get url_that_requires_authentication
+ end
end
context 'when the throttle is disabled' do