Feature #12464
closed
Option to control log level of authentication messages in system logs ("Emergency" vs "Notice" level)
100%
Description
All authentication logs are sent with the Level set as Emergency even when authentication is successful:
Syslog message: AUTH.EMERG: Oct 16 01:05:04 localhost php-fpm[337]: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)\n
    0010 0... = Facility: AUTH - security/authorization messages (4)
    .... .000 = Level: EMERG - system is unusable (0)
    Message: Oct 16 01:05:04 localhost php-fpm[337]: /index.php: Successful login for user 'admin' from: 172.21.16.5 (Local Database)\n
This causes a problem for some syslog collectors that don't expect to see Emergency level messages unless 'system is unusable' is actually true.
It appears that is because we do not set a level to use in the log_auth function. This should probably be set as Level NOTICE.
Updated by Steve Wheeler about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
The current behavior is intentional since it triggers the login "beep" and console message.
If we change this at all, it should key off the user option to suppress the login messages on system_advanced_admin.php. Instead of suppressing the log message entirely it could just change the level as done in the PR to stop the beeping. Or it could have three choices "Default (enabled)", "Log at lower level", and "Disabled" or something along those lines.
If a syslog server has a problem with certain log levels, that's on the user and their server to fix, not us.
Updated by Jim Pingle almost 3 years ago
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to 22.05
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 22.05 to 22.09
Updated by Jim Pingle over 2 years ago
- Plus Target Version changed from 22.09 to 22.11
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle about 2 years ago
- Status changed from Pull Request Review to New
- Plus Target Version changed from 23.01 to 23.05
Needs re-designed as I suggested, just lowering the log level unilaterally will have other unintended effects.
Updated by Jim Pingle over 1 year ago
- Related to Feature #14002: Option to enable/disable console bell, enabled by default added
Updated by Jim Pingle over 1 year ago
- Status changed from New to In Progress
- Assignee set to Jim Pingle
- Target version changed from CE-Next to 2.7.0
Now that the console bell behavior is split off from this (See #14002) I think what we should do here is just keep the current option on/off but change the underlying behavior:
Current:
- Checked: no log message
- Unchecked: log message at LOG_AUTH (emergency) level
This is insecure because without the log message there is no log of the event at all, so I think we should do away with the option to completely disable the log message and instead go with:
- Checked: log message at LOG_NOTICE|LOG_AUTH level so the actual level is reduced
- Unchecked: log message at LOG_AUTH level
Between this option and the console bell option it should be able to get any of the desired behaviors but in a more secure manner.
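Why a bare LOG_AUTH arrives as EMERG, shown as an added example that is not pfSense code and not part of this thread: the syslog PRI value is facility * 8 + severity, so a facility constant used alone leaves the severity bits at 0. The `<PRI>` headers on the sample lines, the kernel line, the helper names and the `effective_severity` collector rule are assumptions constructed for illustration.

```python
import re

# Severity and facility codes as defined in RFC 3164 / RFC 5424.
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]
FACILITIES = {0: "KERN", 1: "USER", 3: "DAEMON", 4: "AUTH", 10: "AUTHPRIV"}
LOG_AUTH = 4 << 3   # facility bits only: the severity bits stay 0, which is EMERG
LOG_NOTICE = 5

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Message text taken from the capture in this issue's description.
LOGIN_RE = re.compile(r"Successful login for user ")

def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = pri >> 3, pri & 0x07
    return FACILITIES.get(facility, f"FACILITY{facility}"), SEVERITIES[severity]

def parse_line(line):
    """Return (facility, severity, message) for one raw syslog datagram."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    return (*decode_pri(int(m.group(1))), m.group(2).strip())

def effective_severity(line):
    """Hypothetical collector rule: treat an AUTH.EMERG GUI login notice as
    NOTICE for alerting, and leave every other message at its own level."""
    facility, severity, message = parse_line(line)
    if facility == "AUTH" and severity == "EMERG" and LOGIN_RE.search(message):
        return "NOTICE"
    return severity

# Constructed samples: the <PRI> headers and the kernel line are made up;
# the login text is the message quoted in the description.
LOGIN = ("Oct 16 01:05:04 localhost php-fpm[337]: /index.php: Successful "
         "login for user 'admin' from: 172.21.16.5 (Local Database)")
SAMPLES = [
    f"<{LOG_AUTH}>{LOGIN}",               # unchecked: bare LOG_AUTH
    f"<{LOG_NOTICE | LOG_AUTH}>{LOGIN}",  # checked: LOG_NOTICE|LOG_AUTH
    "<0>Oct 16 01:05:09 localhost kernel: constructed emergency line",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        facility, severity, _ = parse_line(raw)
        print(f"{facility}.{severity} -> alert as {effective_severity(raw)}")
```

The collector rule only rewrites lines that match the login text, so a genuine emergency from any other source keeps its EMERG level.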
Updated by Jim Pingle over 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 6c186dae17fe41851c2ee3bb72852178596f2652.
Updated by Azamat Khakimyanov over 1 year ago
- Status changed from Feedback to Resolved
Tested on 22.05 (built on Fri Apr 07 01:20:44 UTC 2023).
There is 'GUI login messages' option available in /System/Advanced/Admin Access.
After checking this option, Syslog Auth messages were sent as NOTICE Level.
I marked this Bug as resolved.
Updated by Jim Pingle over 1 year ago
- Tracker changed from Bug to Feature
- Subject changed from Syslog Auth messages are sent as Emergency Level to Option to control log level of authentication messages in system logs ("Emergency" vs "Notice" level)
- Affected Version deleted (All)
- Affected Architecture deleted (All)
Updating subject for release notes.