This repository has been archived by the owner on Nov 17, 2020. It is now read-only.

Username not logged in HTTP access logs #760

Closed
gmr opened this issue Dec 20, 2019 · 9 comments

@gmr
Contributor

gmr commented Dec 20, 2019

Currently, it appears there is no logging of a user who takes action in the main rabbit log or HTTP access log. This is a bad thing, as one cannot determine what user performed actions from a security investigation perspective.

  • RabbitMQ version: 3.8.1
  • Erlang version: 21.3.6

For example, a user with admin access created a generic role-based user in our system today that violates our security policy. Ideally in both log areas where this action occurred, the username of the user that initiated the action would have been logged.

From the access logs:

127.0.0.1 - - [20/Dec/2019:13:59:33 +0000] "PUT /api/users/admin HTTP/1.0" 201 0 "https://common-rabbitmq.service.testing.consul/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15"
127.0.0.1 - - [20/Dec/2019:13:59:40 +0000] "PUT /api/permissions/%2F/admin HTTP/1.0" 201 0 "https://common-rabbitmq.service.testing.consul/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15"
127.0.0.1 - - [20/Dec/2019:14:44:25 +0000] "DELETE /api/users/admin HTTP/1.0" 204 0 "https://common-rabbitmq.service.testing.consul/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15"

From rabbitmq.log:

2019-12-20 13:59:33.930 [info] <0.21477.251> Creating user 'admin'
2019-12-20 13:59:33.939 [info] <0.21477.251> Setting user tags for user 'admin' to [administrator]
2019-12-20 13:59:40.106 [info] <0.21512.251> Setting permissions for 'admin' in '/' to '.*', '.*', '.*'
@michaelklishin
Member

These are standard HTTP server logs. They don't typically include acting user in, say, Nginx or Apache.

Acting user is already listed in internal events available via rabbitmq-event-exchange. Sometimes (e.g. when CLI tools are used) there will be no acting user. In any case, this does not belong to the management plugin. Please file a new issue about what kind of changes you would like to see for a specific event or message. And remember, sometimes there is no user that RabbitMQ can associate with an event.

@gmr
Contributor Author

gmr commented Dec 20, 2019

FWIW the common log format, which is used by the plugin, does include a field for the acting user.

See user-identifier in https://en.wikipedia.org/wiki/Common_Log_Format

@michaelklishin
Member

@essen is including additional information feasible with Cowboy 2? I could not find much since ninenines/cowboy#1251.

@essen
Collaborator

essen commented Dec 20, 2019

We are still using the old module from Webmachine (modified for Cowboy) so it's just a matter of finding the user from the Req: https://github.com/rabbitmq/rabbitmq-web-dispatch/blob/master/src/webmachine_log_handler.erl

@michaelklishin
Member

@essen thanks. @gmr I haven't tweaked Apache log format in many years 👀 so may I ask for a common log format example you'd like us to use? 🙏

@michaelklishin michaelklishin changed the title Username not logged in logs Username not logged in HTTP access logs Dec 20, 2019
@gmr
Contributor Author

gmr commented Dec 27, 2019

I'd just stick with common log format.

127.0.0.1 - - [20/Dec/2019:13:59:33 +0000] "PUT /api/users/admin HTTP/1.0" 201 0 "https://common-rabbitmq.service.testing.consul/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15"

Would become

127.0.0.1 - username - [20/Dec/2019:13:59:33 +0000] "PUT /api/users/admin HTTP/1.0" 201 0 "https://common-rabbitmq.service.testing.consul/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15"
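
An added example, not part of the original thread and not RabbitMQ code: a small Python audit pass over management access logs that reports successful user and permission changes with no acting user recorded, which is the investigation gap this issue describes. The sample lines, the username `alice`, and the function names are constructed for illustration; the parser accepts both the standard Common Log Format field order and the layout shown in the comment above.

```python
import re
from urllib.parse import unquote

# host ident authuser [time] "request" status bytes, then optional referer and agent.
# The optional " -" also accepts the layout proposed in the thread
# ("127.0.0.1 - username - [...]").
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+)(?: -)? \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "[^"]*")?$'
)
MUTATING = {"PUT", "POST", "DELETE"}
SENSITIVE = ("/api/users/", "/api/permissions/")  # paths seen in the thread

def parse_line(line):
    """Parse one access-log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["status"] = int(rec["status"])
    # Decode only the last segment so an encoded vhost (%2F) cannot shift it.
    rec["target"] = unquote(rec["path"].rsplit("/", 1)[-1])
    return rec

def audit(lines):
    """Split successful user/permission changes into (attributed, unattributed)."""
    attributed, unattributed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in MUTATING:
            continue
        if not rec["path"].startswith(SENSITIVE) or not 200 <= rec["status"] < 300:
            continue
        (attributed if rec["user"] else unattributed).append(rec)
    return attributed, unattributed

# Constructed sample lines modelled on the thread; "alice" and the agent are made up.
SAMPLE = [
    '127.0.0.1 - - [20/Dec/2019:13:59:33 +0000] "PUT /api/users/admin HTTP/1.0" 201 0 "-" "constructed-agent"',
    '127.0.0.1 - alice [20/Dec/2019:13:59:40 +0000] "PUT /api/permissions/%2F/admin HTTP/1.0" 201 0 "-" "constructed-agent"',
    '127.0.0.1 - alice [20/Dec/2019:14:00:02 +0000] "GET /api/overview HTTP/1.0" 200 512 "-" "constructed-agent"',
    '127.0.0.1 - alice - [20/Dec/2019:14:44:25 +0000] "DELETE /api/users/admin HTTP/1.0" 204 0 "-" "constructed-agent"',
    '127.0.0.1 - - [20/Dec/2019:14:50:00 +0000] "PUT /api/users/admin HTTP/1.0" 401 0 "-" "constructed-agent"',
]

if __name__ == "__main__":
    for r in audit(SAMPLE)[1]:
        print("no acting user:", r["time"], r["method"], r["path"])
```
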

@essen
Collaborator

essen commented Jan 3, 2020

I have opened rabbitmq/rabbitmq-web-dispatch#42 for the HTTP/Management side of things.

@michaelklishin
Member

@essen are there other PRs involved? I can see username logged with just that one.

@michaelklishin michaelklishin added this to the 3.8.3 milestone Jan 3, 2020
@michaelklishin
Member

Ah, I see that there's interest in having user information for every operation. While we already have that information in internal event metadata, it will be substantially more effort simply because there are so many events, and a user may or may not be present. Let's keep this issue specific to management plugin and if there's enough interest in logging specifically, we can always open another one. An audit plugin is what this is really asking for and we have the plumbing for that exposed via rabbit_event events.
