Commit 6f4a5762 authored by Stan Hu

Merge branch '54528-add-rack-attack-to-structured-logs' into 'master'

Changes RackAttack logger to use structured logs

Closes #54528

See merge request gitlab-org/gitlab-ce!28565
parents d64e6cab ed8ebc63
# frozen_string_literal: true
#
# Adds logging for all Rack Attack blocks and throttling events.
ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
if [:throttle, :blacklist].include? req.env['rack.attack.match_type']
Rails.logger.info("Rack_Attack: #{req.env['rack.attack.match_type']} #{req.ip} #{req.request_method} #{req.fullpath}")
Gitlab::AuthLogger.error(
message: 'Rack_Attack',
env: req.env['rack.attack.match_type'],
ip: req.ip,
request_method: req.request_method,
fullpath: req.fullpath
)
end
end
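Review bot: In the `Gitlab::AuthLogger.error` call the match type is stored under the key `env:`, which reads as the Rack or deployment environment rather than `:throttle` / `:blacklist`; a name such as `match_type:` would make the entry self-describing for anyone querying `auth.log`. Separately, `fullpath: req.fullpath` includes the query string, so any credential passed as a URL parameter is written to this log; consider logging `req.path` or filtering parameters before logging.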
......@@ -280,6 +280,14 @@ installations from source.
Currently it logs the progress of project imports from the Bitbucket Server
importer. Future importers may use this file.
## `auth.log`
Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for
Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for
installations from source.
It logs information whenever [Rack Attack] registers an abusive request.
## Reconfigure Logs
Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab
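Review bot: The new `auth.log` section gives the file locations but says nothing about the format or fields. Since `Gitlab::AuthLogger` inherits from `Gitlab::JsonLogger`, the section should state that entries are JSON and list the keys written by the initializer (`message`, `env`, `ip`, `request_method`, `fullpath`), so operators know what they can filter on.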
......@@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for
installations from source.
[repocheck]: repository_checks.md
[Rack Attack]: ../security/rack_attack.md
......@@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps:
1. Find the IPs that have been blocked in the production log:
```sh
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
```
1. Since the blacklist is stored in Redis, you need to open up `redis-cli`:
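Review bot: The step text above the command still says "Find the IPs that have been blocked in the production log", while the command now greps `/var/log/gitlab/gitlab-rails/auth.log`. Update the sentence to name `auth.log` so the prose and the command agree.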
......
# frozen_string_literal: true
module Gitlab
class AuthLogger < Gitlab::JsonLogger
def self.file_name_noext
'auth'
end
end
end
......@@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do
end
end
end
it 'logs RackAttack info into structured logs' do
requests_per_period.times do
get url_that_does_not_require_authentication
expect(response).to have_http_status 200
end
expect(Gitlab::AuthLogger).to receive(:error).once
get url_that_does_not_require_authentication
end
end
context 'when the throttle is disabled' do
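Review bot: The new example's `expect(Gitlab::AuthLogger).to receive(:error).once` only checks that the logger is called, not what it is called with, so a regression that drops or renames a field would still pass. Constrain the arguments, for example with `.with(hash_including(message: 'Rack_Attack', request_method: 'GET'))`, and assert the path and match type as well.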
......@@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do
expect_rejection { get url_that_requires_authentication }
end
it 'logs RackAttack info into structured logs' do
requests_per_period.times do
get url_that_requires_authentication
expect(response).to have_http_status 200
end
expect(Gitlab::AuthLogger).to receive(:error).once
get url_that_requires_authentication
end
end
context 'when the throttle is disabled' do
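Review bot: This example is a copy of the unauthenticated one with only the URL helper changed, and it has the same unconstrained `receive(:error).once` expectation. Extract a shared example parameterised on the URL and assert the logged payload there. Both examples also exercise only the throttle path, while the initializer logs `:blacklist` matches too, and that branch has no coverage in the visible hunks.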
......