Patch #9281

easy logging of usernames in apache access logs via custom response header

Added by Robert Hailey over 10 years ago. Updated over 10 years ago.

Status: New
Start date: 2011-09-20
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: Administration
Target version: -

loggable_usernames.patch (506 Bytes) Robert Hailey, 2011-09-20 07:20

History

#1 Updated by Karel Pičman over 10 years ago

Can you provide information on how to configure the Apache web server to see this information in the access log? I've added this line to my httpd.conf:

LogFormat "%h %l %u %t \"%r\" %>s %b" common

but there is just '-' instead of a user name in the log file:

192.168.xxx.xxx - - [26/Sep/2011:13:35:14 +0200] "GET /javascripts/application.js?1310384844 HTTP/1.1" 304 229 "https://xxxx/projects/xxxx" "Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

From my point of view there should be :

response.headers["X-Username"] = User.current.login

instead of:
response.headers["X-Username"] = User.current.name(:username)

because the login is unique, not the user name.

#2 Updated by Robert Hailey over 10 years ago

> Can you provide information on how to configure the Apache web server to see this information in the access log?

Rather than "%s" you should use "%{X-Username}o".

For example, I've created an "alternate" logging scheme in my httpd.conf:

LogFormat "%{%F %Tz}t %h %{X-Username}o \"%r\" %>s %O %D" alternate

...and then in the redmine-specific config:

CustomLog /var/log/apache2/access_redmine.log alternate

...which yields log lines like this:

2011-09-26 14:03:50z xxx.xxx.xxx.xxx rhailey "GET /news/3 HTTP/1.1" 200 3790 313207

> From my point of view there should be [...] instead of [...]
> because the login is unique, not the user name.

I'm not familiar with the inner workings of redmine, or ruby in general. It took me some time to come up with that patch, and at one time I had tried 'login' and it did not work (in retrospect, it was probably a different issue).

As best I can tell, the name(:username) syntax reduces to 'login', but at the cost of a function call.

#3 Updated by Robert Hailey over 10 years ago

...typo, I meant rather than "%u"...

#4 Updated by Karel Pičman over 10 years ago

Thanks. It works fine now. Unfortunately the user is not logged by all log records:

192.xxx.xxx.xxx - - picmank [27/Sep/2011:09:35:13 +0200] "GET /my/account HTTP/1.1" 200 6612 "https://xxx/" "Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2" 
192.xxx.xxx.xxx - - - [27/Sep/2011:09:35:13 +0200] "GET /javascripts/prototype.js?1310384844 HTTP/1.1" 304 229 "https://xxx/my/account" "Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

#5 Updated by Robert Hailey over 10 years ago

> ... the user is not logged by all log records:

True, it is unfortunate that this does not log the usernames that access static files, but it gets all the "important" log lines (GET with database access, and POST modifications).

I'm not sure logging usernames for static file access is practical (can you intercept a request for a file?).

In any event, I'm glad it's working for you.
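
Added example (not part of the thread or the attached patch): a Ruby parser for the "alternate" LogFormat from comment #2 that groups requests by the logged X-Username value and keeps the "-" lines for static files (comments #4 and #5) in a separate bucket instead of dropping them. The function names are hypothetical, and the sample lines, hosts and logins are constructed.

```ruby
# Matches: LogFormat "%{%F %Tz}t %h %{X-Username}o \"%r\" %>s %O %D" alternate
ALTERNATE_LINE = /\A(?<time>\S+ \S+) (?<host>\S+) (?<user>\S+) "(?<request>(?:[^"\\]|\\.)*)" (?<status>\d{3}) (?<bytes>\d+) (?<usec>\d+)\z/

# Returns a Hash of fields, or nil when the line does not fit the format.
def parse_alternate(line)
  m = ALTERNATE_LINE.match(line.chomp)
  return nil unless m
  method, path = m[:request].split(' ', 3)
  {
    time: m[:time], host: m[:host],
    user: (m[:user] == '-' ? nil : m[:user]), # Apache logs "-" when the header is absent
    method: method, path: path,
    status: m[:status].to_i, bytes: m[:bytes].to_i, usec: m[:usec].to_i
  }
end

# Groups requests by login. Lines without X-Username (static files, anonymous
# requests) are counted under :unattributed; lines that do not parse are
# returned separately so they can be reviewed rather than silently lost.
def requests_by_user(lines)
  summary = Hash.new { |h, k| h[k] = { requests: 0, writes: [] } }
  unparsed = []
  lines.each do |line|
    rec = parse_alternate(line)
    if rec.nil?
      unparsed << line
      next
    end
    entry = summary[rec[:user] || :unattributed]
    entry[:requests] += 1
    # Anything other than GET/HEAD/OPTIONS is treated as a modification.
    entry[:writes] << "#{rec[:method]} #{rec[:path]}" unless %w[GET HEAD OPTIONS].include?(rec[:method])
  end
  [summary, unparsed]
end

# Constructed sample lines in the "alternate" format.
SAMPLE = [
  '2011-09-26 14:03:50z 192.0.2.10 alice "GET /news/3 HTTP/1.1" 200 3790 313207',
  '2011-09-26 14:03:51z 192.0.2.10 - "GET /javascripts/application.js HTTP/1.1" 304 229 1450',
  '2011-09-26 14:04:02z 192.0.2.10 alice "POST /issues/12/edit HTTP/1.1" 302 512 88012',
  '2011-09-26 14:05:40z 192.0.2.77 bob "GET /my/account HTTP/1.1" 200 6612 40110',
  'not an access log line'
].freeze

if __FILE__ == $PROGRAM_NAME
  summary, unparsed = requests_by_user(SAMPLE)
  summary.each { |user, s| puts "#{user}: #{s[:requests]} requests, writes=#{s[:writes].inspect}" }
  puts "unparsed lines: #{unparsed.length}"
end
```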
