Changes RackAttack logger to use structured logs

Creates a new filename to register auth logs.
This change should allow SRE's queries to make better queries
through logging infrastructure.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54528

2 files changed, 10 insertions, 1 deletions

diff --git a/doc/administration/logs.md b/doc/administration/logs.md
index 3d40cda491a..a7e57e44e86 100644
--- a/doc/administration/logs.md
+++ b/doc/administration/logs.md
@@ -280,6 +280,14 @@ installations from source.
 Currently it logs the progress of project imports from the Bitbucket Server
 importer. Future importers may use this file.
 
+## `auth.log`
+
+Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for
+Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for
+installations from source.
+
+It logs information whenever [Rack Attack] registers an abusive request.
+
 ## Reconfigure Logs
 
 Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab
@@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for
 installations from source.
 
 [repocheck]: repository_checks.md
+[Rack Attack]: ../security/rack_attack.md
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
index ad83dc05a93..66081d7e376 100644
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps:
 1. Find the IPs that have been blocked in the production log:
 
     ```sh
-    grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log
+    grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
     ```
 
 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`: