Feature #12464

closed

Option to control log level of authentication messages in system logs ("Emergency" vs "Notice" level)

Added by Steve Wheeler over 2 years ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Logging
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.05
Release Notes: Default

Description

All authentication logs are sent with the Level set as Emergency even when authentication is successful:

Syslog message: AUTH.EMERG: Oct 16 01:05:04 localhost php-fpm[337]: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)\n
    0010 0... = Facility: AUTH - security/authorization messages (4)
    .... .000 = Level: EMERG - system is unusable (0)
    Message: Oct 16 01:05:04 localhost php-fpm[337]: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)\n

This causes a problem for some syslog collectors that don't expect to see Emergency level messages unless 'system is unusable' is actually true.

It appears that is because we do not set a level to use in the log_auth function. This should probably be set as Level NOTICE.


Files

427.diff (498 Bytes) Steve Wheeler, 10/16/2021 10:13 AM

Related issues

Related to Feature #14002: Option to enable/disable console bell, enabled by default (Resolved, Jim Pingle)

Actions #2

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review

The current behavior is intentional since it triggers the login "beep" and console message.

If we change this at all, it should key off the user option to suppress the login messages on system_advanced_admin.php. Instead of suppressing the log message entirely it could just change the level as done in the PR to stop the beeping. Or it could have three choices "Default (enabled)", "Log at lower level", and "Disabled" or something along those lines.

If a syslog server has a problem with certain log levels, that's on the user and their server to fix, not us.

Actions #3

Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.6.0 to CE-Next
  • Plus Target Version changed from 22.01 to 22.05
Actions #4

Updated by Jim Pingle almost 2 years ago

  • Plus Target Version changed from 22.05 to 22.09
Actions #5

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.09 to 22.11
Actions #6

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #7

Updated by Jim Pingle over 1 year ago

  • Status changed from Pull Request Review to New
  • Plus Target Version changed from 23.01 to 23.05

Needs re-designed as I suggested, just lowering the log level unilaterally will have other unintended effects.

Actions #8

Updated by Jim Pingle about 1 year ago

  • Related to Feature #14002: Option to enable/disable console bell, enabled by default added
Actions #9

Updated by Jim Pingle about 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version changed from CE-Next to 2.7.0

Now that the console bell behavior is split off from this (See #14002) I think what we should do here is just keep the current option on/off but change the underlying behavior:

Current:

  • Checked: no log message
  • Unchecked: log message at LOG_AUTH (emergency) level

This is insecure because without the log message there is no log of the event at all, so I think we should do away with the option to completely disable the log message and instead go with:

  • Checked: log message at LOG_NOTICE|LOG_AUTH level so the actual level is reduced
  • Unchecked: log message at LOG_AUTH level

Between this option and the console bell option it should be able to get any of the desired behaviors but in a more secure manner.
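
The two priority values discussed in this thread, decoded as a syslog collector would see them. This is an added example, not pfSense code and not part of any comment here; the function names, the regular expressions and the triage labels are assumptions, and the sample frames are constructed from the capture in the description.

```python
import re

SEVERITIES = ("EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG")
LOG_AUTH = 4 << 3   # facility 4 in the upper bits = 32; the severity bits stay 0
LOG_NOTICE = 5

FRAME_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Message shape taken from the capture in the description.
GUI_LOGIN_RE = re.compile(r"php-fpm\[\d+\]: \S+: Successful login for user '[^']*' from: \S+")

def decode(frame):
    """Split a syslog frame into (facility number, severity name, message)."""
    m = FRAME_RE.match(frame)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid syslog PRI header")
    pri = int(m.group(1))          # PRI = facility * 8 + severity
    return pri >> 3, SEVERITIES[pri & 7], m.group(2)

def triage(frame):
    """Hypothetical collector policy: keep every auth event, but do not page
    on a GUI login that is EMERG only because no severity was OR'ed in."""
    facility, severity, msg = decode(frame)
    if facility == 4 and severity == "EMERG" and GUI_LOGIN_RE.search(msg):
        return "auth-event"        # record it, handle per login policy
    if severity == "EMERG":
        return "page"              # EMERG from any other source still pages
    return "auth-event" if facility == 4 else "store"

# Constructed sample frames.
BODY = ("Oct 16 01:05:04 localhost php-fpm[337]: /index.php: "
        "Successful login for user 'admin' from: 172.21.16.5 (Local Database)")
UNCHECKED = f"<{LOG_AUTH}>{BODY}"              # priority = LOG_AUTH
CHECKED = f"<{LOG_NOTICE | LOG_AUTH}>{BODY}"   # priority = LOG_NOTICE|LOG_AUTH
KERNEL_PANIC = "<0>Oct 16 01:06:00 localhost kernel: panic: constructed example"

if __name__ == "__main__":
    for f in (UNCHECKED, CHECKED, KERNEL_PANIC):
        print(decode(f)[:2], triage(f))
```
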

Actions #10

Updated by Jim Pingle about 1 year ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #11

Updated by Azamat Khakimyanov 11 months ago

  • Status changed from Feedback to Resolved

Tested on 22.05 (built on Fri Apr 07 01:20:44 UTC 2023).

There is a 'GUI login messages' option available in /System/Advanced/Admin Access.
After checking this option, Syslog Auth messages were sent as NOTICE Level.

I marked this Bug as resolved.

Actions #12

Updated by Jim Pingle 11 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from Syslog Auth messages are sent as Emergency Level to Option to control log level of authentication messages in system logs ("Emergency" vs "Notice" level)
  • Affected Version deleted (All)
  • Affected Architecture deleted (All)

Updating subject for release notes.
