Syslog Auth messages are sent as Emergency Level
All authentication logs are send with the Level set as Emergency even when authentication is successful:
Syslog message: AUTH.EMERG: Oct 16 01:05:04 localhost php-fpm: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)\n 0010 0... = Facility: AUTH - security/authorization messages (4) .... .000 = Level: EMERG - system is unusable (0) Message: Oct 16 01:05:04 localhost php-fpm: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)\n
This causes a problem for some syslog collectors that don't expect to see Emergency level messages unless 'system is unusable' is actually true.
It appears that is because we do not set a level to use in the log_auth function. This should probably be set as Level NOTICE.
Updated by Jim Pingle 7 months ago
- Status changed from New to Pull Request Review
The current behavior is intentional since it triggers the login "beep" and console message.
If we change this at all, it should key off the user option to suppress the login messages on
system_advanced_admin.php. Instead of suppressing the log message entirely it could just change the level as done in the PR to stop the beeping. Or it could have three choices "Default (enabled)", "Log at lower level", and "Disabled" or something along those lines.
If a syslog server has a problem with certain log levels, that's on the user and their server to fix, not us.