Merge branch '54528-add-rack-attack-to-structured-logs' into 'master'

Changes RackAttack logger to use structured logs Closes #54528 See merge request gitlab-org/gitlab-ce!28565

Merge branch '54528-add-rack-attack-to-structured-logs' into 'master'
Changes RackAttack logger to use structured logs Closes #54528 See merge request gitlab-org/gitlab-ce!28565
6f4a5762 · Stan Hu · d64e6cab · ed8ebc63 · 6f4a5762 · 6f4a5762
Commit 6f4a5762 authored May 24, 2019 by Stan Hu
6 changed files
--- a/config/database.yml.example
+++ b/config/database.yml.example
--- a/config/initializers/rack_attack_logging.rb
+++ b/config/initializers/rack_attack_logging.rb
+# frozen_string_literal: true
+#
 # Adds logging for all Rack Attack blocks and throttling events.

 ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
  if [:throttle, :blacklist].include? req.env['rack.attack.match_type']
-    Rails.logger.info("Rack_Attack: #{req.env['rack.attack.match_type']} #{req.ip} #{req.request_method} #{req.fullpath}")
+    Gitlab::AuthLogger.error(
+      message: 'Rack_Attack',
+      env: req.env['rack.attack.match_type'],
+      ip: req.ip,
+      request_method: req.request_method,
+      fullpath: req.fullpath
+    )
  end
 end
--- a/doc/administration/logs.md
+++ b/doc/administration/logs.md
@@ -280,6 +280,14 @@ installations from source.
 Currently it logs the progress of project imports from the Bitbucket Server
 importer. Future importers may use this file.

+## `auth.log`
+
+Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for
+Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for
+installations from source.
+
+It logs information whenever [Rack Attack] registers an abusive request.
+
 ## Reconfigure Logs

 Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab
@@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for
 installations from source.

 [repocheck]: repository_checks.md
+[Rack Attack]: ../security/rack_attack.md
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps:
 1. Find the IPs that have been blocked in the production log:

    ```sh
-    grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log
+    grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
    ```

 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`:

--- a/lib/gitlab/auth_logger.rb
+++ b/lib/gitlab/auth_logger.rb
+# frozen_string_literal: true
+
+module Gitlab
+  class AuthLogger < Gitlab::JsonLogger
+    def self.file_name_noext
+      'auth'
+    end
+  end
+end
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do
          end
        end
      end
+
+      it 'logs RackAttack info into structured logs' do
+        requests_per_period.times do
+          get url_that_does_not_require_authentication
+          expect(response).to have_http_status 200
+        end
+
+        expect(Gitlab::AuthLogger).to receive(:error).once
+
+        get url_that_does_not_require_authentication
+      end
    end

    context 'when the throttle is disabled' do
@@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do

        expect_rejection { get url_that_requires_authentication }
      end
+
+      it 'logs RackAttack info into structured logs' do
+        requests_per_period.times do
+          get url_that_requires_authentication
+          expect(response).to have_http_status 200
+        end
+
+        expect(Gitlab::AuthLogger).to receive(:error).once
+
+        get url_that_requires_authentication
+      end
    end

    context 'when the throttle is disabled' do