Commit ed8ebc63 authored by Mayra Cabrera, committed by Stan Hu

Changes RackAttack logger to use structured logs

Creates a new filename to register auth logs.
This change should allow SREs to make better queries
through logging infrastructure.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54528
parent d64e6cab
# frozen_string_literal: true
#
# Adds logging for all Rack Attack blocks and throttling events. # Adds logging for all Rack Attack blocks and throttling events.
ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req| ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
if [:throttle, :blacklist].include? req.env['rack.attack.match_type'] if [:throttle, :blacklist].include? req.env['rack.attack.match_type']
Rails.logger.info("Rack_Attack: #{req.env['rack.attack.match_type']} #{req.ip} #{req.request_method} #{req.fullpath}") Gitlab::AuthLogger.error(
message: 'Rack_Attack',
env: req.env['rack.attack.match_type'],
ip: req.ip,
request_method: req.request_method,
fullpath: req.fullpath
)
end end
end end
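Review bot: the `env:` key in the new `Gitlab::AuthLogger.error(...)` call holds `req.env['rack.attack.match_type']`, so the field name does not describe its value; `match_type:` would be clearer to anyone querying the log. In the same call, `fullpath: req.fullpath` includes the query string, so a credential passed as a URL parameter is written to auth.log; consider `req.path` or filtering parameters before logging. The level also changes from `info` to `error`, which is worth confirming as intended for throttle events.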
...@@ -280,6 +280,14 @@ installations from source. ...@@ -280,6 +280,14 @@ installations from source.
Currently it logs the progress of project imports from the Bitbucket Server Currently it logs the progress of project imports from the Bitbucket Server
importer. Future importers may use this file. importer. Future importers may use this file.
## `auth.log`
Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for
Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for
installations from source.
It logs information whenever [Rack Attack] registers an abusive request.
## Reconfigure Logs ## Reconfigure Logs
Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab
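Review bot: the new `auth.log` section does not mention that entries are JSON (the logger inherits from `Gitlab::JsonLogger`) or which fields they carry (`message`, `env`, `ip`, `request_method`, `fullpath`). Since the stated goal is easier querying, suggest adding a field list or one sample entry under "It logs information whenever [Rack Attack] registers an abusive request."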
...@@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for ...@@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for
installations from source. installations from source.
[repocheck]: repository_checks.md [repocheck]: repository_checks.md
[Rack Attack]: ../security/rack_attack.md
...@@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps: ...@@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps:
1. Find the IPs that have been blocked in the production log: 1. Find the IPs that have been blocked in the production log:
```sh ```sh
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
``` ```
1. Since the blacklist is stored in Redis, you need to open up `redis-cli`: 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`:
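Review bot: the unchanged step text above the command still says "Find the IPs that have been blocked in the production log" while the command now greps `/var/log/gitlab/gitlab-rails/auth.log`. Update the sentence to name the auth log so the step and the command agree.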
......
# frozen_string_literal: true
module Gitlab
class AuthLogger < Gitlab::JsonLogger
def self.file_name_noext
'auth'
end
end
end
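Review bot: `Gitlab::AuthLogger` has no comment saying what belongs in this log. The name suggests authentication events in general, but the only caller in this commit writes Rack Attack throttle and blacklist matches; a one-line class comment stating the intended scope would keep later callers consistent.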
...@@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do ...@@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do
end end
end end
end end
it 'logs RackAttack info into structured logs' do
requests_per_period.times do
get url_that_does_not_require_authentication
expect(response).to have_http_status 200
end
expect(Gitlab::AuthLogger).to receive(:error).once
get url_that_does_not_require_authentication
end
end end
context 'when the throttle is disabled' do context 'when the throttle is disabled' do
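Review bot: `expect(Gitlab::AuthLogger).to receive(:error).once` only checks that a call was made, not what was logged, so a wrong or missing field (`ip`, `request_method`, `fullpath`) would still pass. Suggest matching the payload with `.with(hash_including(message: 'Rack_Attack', ...))`. The example name says "logs RackAttack info" while the call under test is `error`; rewording it avoids confusion with the log level.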
...@@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do ...@@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do
expect_rejection { get url_that_requires_authentication } expect_rejection { get url_that_requires_authentication }
end end
it 'logs RackAttack info into structured logs' do
requests_per_period.times do
get url_that_requires_authentication
expect(response).to have_http_status 200
end
expect(Gitlab::AuthLogger).to receive(:error).once
get url_that_requires_authentication
end
end end
context 'when the throttle is disabled' do context 'when the throttle is disabled' do
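Review bot: this example repeats the one added for unauthenticated requests line for line, differing only in `url_that_requires_authentication`. Extracting a shared example that takes the URL would remove the duplication and keep the two in step when the logged payload changes.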
......