Project

General

Profile

[Solved] logging auth to a separate file

Added by yurylankovskiy almost 2 years ago

I have searched through the forum, and made experiments with lighttpd configuration. Looks as login attempts from basic/digest authentication are logged to lighttpd error file and only visible when auth.debug mode is set to verbose (2).

I would like to have login attempts logged to a separate file, and with some useful information like client browser, ip, mac etc.

Thank you


Replies (12)

RE: logging auth to a separate file - Added by gstrauss almost 2 years ago

401 Unauthorized will be in your access log (if you have that enabled) when someone fails to log in.
What are you attempting to log? For successful logins, you can add a custom log format to access log to log the request environment variable REMOTE_USER with each request.

I would like to have login attempts logged to a separate file, and with some useful information like client browser, ip, mac etc.

If you want to log every single request, then log the Authorization request header with every request, along with any other info you desire in your access log. See Docs_ModAccessLog.

RE: [Solved] logging auth to a separate file - Added by yurylankovskiy almost 2 years ago

Looks like I must catch the header and write to a file I specify like so...

if ($REQUEST_HEADER['Authorization']) {
// specify filename for accesslog.filename
}

RE: [Solved] logging auth to a separate file - Added by yurylankovskiy almost 2 years ago

Meanwhile I have been waiting for official 1.4.46 release, I have downloaded the latest code from git repository and began testing with $REQUEST_HEADER in the configuration file.

However, I get the following error for REQUEST_HEADER command

$REQUEST_HEADER["Authorization"] == "test" {

}

Error :

(configfile.c 1037) invalid character in condition
(configfile.c 1141) configfile parser failed at REQUEST

I know that the example of my code above will not lead to any solution discussed in the original question, but the fact that the REQUEST_HEADER command is not recognized by itself is an issue that must be understood firstly.

Thank you

RE: [Solved] logging auth to a separate file - Added by gstrauss almost 2 years ago

Hmmm. Thanks for reporting that. The tag was originally named and tested as something else.

--- a/src/configfile.c
+++ b/src/configfile.c
@@ -1024,7 +1024,7 @@ static int config_tokenizer(server *srv, tokenizer_t *t, int *token_id, buffer *
                        if (t->in_cond) {
                                for (i = 0; t->input[t->offset + i] &&
                                     (isalpha((unsigned char)t->input[t->offset + i])
-                                     ); i++);
+                                     || t->input[t->offset + i] == '_'); ++i);

                                if (i && t->input[t->offset + i]) {
                                        tid = TK_SRVVARNAME;

I'll look further tomorrow to verify that this is the right fix.

RE: [Solved] logging auth to a separate file - Added by yurylankovskiy almost 2 years ago

Is there a possibility I will be able to test the fix, I have checked the git repository and looks like the fix has not been pushed?

Thank you

RE: [Solved] logging auth to a separate file - Added by gstrauss almost 2 years ago

Not pushed yet. I have not had a chance to do additional testing. I will hopefully have a chance before tomorrow.

RE: [Solved] logging auth to a separate file - Added by yurylankovskiy almost 2 years ago

Thank you, will test it out!

RE: [Solved] logging auth to a separate file - Added by yurylankovskiy almost 2 years ago

Tested, working.

Thank you

P.S: any news on the release date for 1.4.46?

RE: [Solved] logging auth to a separate file - Added by gstrauss over 1 year ago

yurylankovskiy, please do not cross-post to very old forum posts (https://redmine.lighttpd.net/boards/2/topics/5462)

Sorry to bring up an old thread, but have you figured out how to log meaningful information for authentication attempts?

because it is already asked and answered here, in the same question that you asked here 7 month ago. Log the Authentication header.

RE: [Solved] logging auth to a separate file - Added by yurylankovskiy over 1 year ago

Okay, sorry ... let me bring up the old topic here

Firstly, regarding catching login requests, I must check for authorization header and nc counter, however, this DOES NOT work in all browsers because some of them always send nc=000001 and I have no way of finding whether this was a login request or just a regular page load.

Secondly, I must have specified more clearly in the other thread that my interest right now is SYSLOG and how am I suppose to distinguish login requests in the messages there?!

RE: [Solved] logging auth to a separate file - Added by gstrauss over 1 year ago

Whether you send logs to a file or to syslog should not make a difference. You probably have unstated and likely incorrect assumptions about how HTTP request/response works, or how HTTP Digest authentication works. Check the RFCs. I do not think that your issue has anything to do with whether you use lighttpd or another web server.

If you need to control the authentication process to the degree that you think you do, and are unable to get this information by logging the Authentication request header, the request (e.g. "GET /login"), and the status code of the HTTP response, then I suggest you look into using a custom FastCGI authorizer Docs_FastCGI where you will have full control over the authentication process.

    (1-12/12)