This is an automated email from the ASF dual-hosted git repository.
jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new d2e5ddfe86 ARTEMIS-4210 audit connection creation & destruction
d2e5ddfe86 is described below
commit d2e5ddfe860671fb681077a76995a1a53685962a
Author: Justin Bertram <[email protected]>
AuthorDate: Fri Mar 17 11:42:59 2023 -0500
ARTEMIS-4210 audit connection creation & destruction
---
.../artemis/cli/commands/etc/log4j2.properties | 4 ++
.../apache/activemq/artemis/logs/AuditLogger.java | 47 +++++++++++++++-------
.../remoting/server/impl/RemotingServiceImpl.java | 7 ++++
.../core/security/impl/SecurityStoreImpl.java | 4 +-
.../core/server/management/BasicAuthenticator.java | 2 +-
.../core/server/management/JaasAuthenticator.java | 2 +-
docs/user-manual/en/logging.md | 11 ++++-
7 files changed, 57 insertions(+), 20 deletions(-)
diff --git
a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/log4j2.properties
b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/log4j2.properties
index 43905fae7e..738e69891f 100644
---
a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/log4j2.properties
+++
b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/log4j2.properties
@@ -50,6 +50,10 @@ logger.audit_message = OFF, audit_log_file
logger.audit_message.name = org.apache.activemq.audit.message
logger.audit_message.additivity = false
+logger.audit_connection = OFF, audit_log_file
+logger.audit_connection.name = org.apache.activemq.audit.connection
+logger.audit_connection.additivity = false
+
# Jetty logger levels
logger.jetty.name=org.eclipse.jetty
logger.jetty.level=WARN
diff --git
a/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
b/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
index 961cb1c8f8..982102e8f8 100644
---
a/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
+++
b/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
@@ -37,18 +37,19 @@ public interface AuditLogger {
AuditLogger BASE_LOGGER = BundleFactory.newBundle(AuditLogger.class,
"org.apache.activemq.audit.base");
AuditLogger RESOURCE_LOGGER = BundleFactory.newBundle(AuditLogger.class,
"org.apache.activemq.audit.resource");
AuditLogger MESSAGE_LOGGER = BundleFactory.newBundle(AuditLogger.class,
"org.apache.activemq.audit.message");
+ AuditLogger CONNECTION_LOGGER = BundleFactory.newBundle(AuditLogger.class,
"org.apache.activemq.audit.connection");
ThreadLocal<String> remoteAddress = new ThreadLocal<>();
ThreadLocal<Subject> currentCaller = new ThreadLocal<>();
- static boolean isAnyLoggingEnabled() {
- return isBaseLoggingEnabled() || isMessageLoggingEnabled() ||
isResourceLoggingEnabled();
- }
-
@GetLogger
Logger getLogger();
+ static boolean isAnyLoggingEnabled() {
+ return isBaseLoggingEnabled() || isMessageLoggingEnabled() ||
isResourceLoggingEnabled() || isConnectionLoggingEnabled();
+ }
+
static boolean isBaseLoggingEnabled() {
return BASE_LOGGER.getLogger().isInfoEnabled();
}
@@ -61,6 +62,10 @@ public interface AuditLogger {
return MESSAGE_LOGGER.getLogger().isInfoEnabled();
}
+ static boolean isConnectionLoggingEnabled() {
+ return CONNECTION_LOGGER.getLogger().isInfoEnabled();
+ }
+
/**
* @return a String representing the "caller" in the format
"user(role)@remoteAddress" using ThreadLocal values (if set)
*/
@@ -2255,28 +2260,28 @@ public interface AuditLogger {
@LogMessage(id = 601714, value = "User {} failed to remove messages from
queue: {}", level = LogMessage.Level.INFO)
void removeMessagesFailure(String user, String queue);
- static void userSuccesfullyAuthenticatedInAudit(Subject subject, String
remoteAddress) {
- RESOURCE_LOGGER.userSuccesfullyAuthenticated(getCaller(subject,
remoteAddress));
+ static void userSuccesfullyAuthenticatedInAudit(Subject subject, String
remoteAddress, String connectionID) {
+ RESOURCE_LOGGER.userSuccesfullyAuthenticated(getCaller(subject,
remoteAddress), connectionID);
}
static void userSuccesfullyAuthenticatedInAudit(Subject subject) {
- userSuccesfullyAuthenticatedInAudit(subject, null);
+ userSuccesfullyAuthenticatedInAudit(subject, null, null);
}
- @LogMessage(id = 601715, value = "User {} successfully authenticated",
level = LogMessage.Level.INFO)
- void userSuccesfullyAuthenticated(String caller);
+ @LogMessage(id = 601715, value = "User {} successfully authenticated on
connection {}", level = LogMessage.Level.INFO)
+ void userSuccesfullyAuthenticated(String caller, String connectionID);
static void userFailedAuthenticationInAudit(String reason) {
- RESOURCE_LOGGER.userFailedAuthentication(getCaller(), reason);
+ RESOURCE_LOGGER.userFailedAuthentication(getCaller(), null, reason);
}
- static void userFailedAuthenticationInAudit(Subject subject, String reason)
{
- RESOURCE_LOGGER.userFailedAuthentication(getCaller(subject, null),
reason);
+ static void userFailedAuthenticationInAudit(Subject subject, String reason,
String connectionID) {
+ RESOURCE_LOGGER.userFailedAuthentication(getCaller(subject, null),
connectionID, reason);
}
- @LogMessage(id = 601716, value = "User {} failed authentication, reason:
{}", level = LogMessage.Level.INFO)
- void userFailedAuthentication(String user, String reason);
+ @LogMessage(id = 601716, value = "User {} failed authentication on
connection {}, reason: {}", level = LogMessage.Level.INFO)
+ void userFailedAuthentication(String user, String connectionID, String
reason);
static void objectInvokedSuccessfully(ObjectName objectName, String
operationName) {
RESOURCE_LOGGER.objectInvokedSuccessfully(getCaller(), objectName,
operationName);
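Review bot: Records 601715 and 601716 now hard-code "on connection {}", yet several callers hand in a null connection ID — the one-argument `userSuccesfullyAuthenticatedInAudit(Subject)` overload, `userFailedAuthenticationInAudit(String reason)`, and the JMX authenticators changed in this same commit — so those audit lines will read "on connection null", which is noise for anyone filtering the audit log by connection. In the static helpers substitute a marker instead, e.g. `connectionID == null ? "n/a" : connectionID`, or keep a message variant without the connection clause for the no-connection paths. Separately, `userFailedAuthenticationInAudit(Subject subject, String reason, String connectionID)` and `userFailedAuthentication(String user, String connectionID, String reason)` order the two String parameters differently; since both are Strings the compiler cannot catch a swap, so the helper should take `(subject, connectionID, reason)` to match the logger method and the success-path helper.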
@@ -2639,4 +2644,18 @@ public interface AuditLogger {
@LogMessage(id = 601766, value = "User {} is getting auto-delete property
on target resource: {}", level = LogMessage.Level.INFO)
void isAutoDelete(String user, Object source);
+
+ static void createdConnection(String protocol, Object connectionID, String
remoteAddress) {
+ CONNECTION_LOGGER.createdConnection(protocol, connectionID.toString(),
String.format("unknown%s", formatRemoteAddress(remoteAddress)));
+ }
+
+ @LogMessage(id = 601767, value = "{} connection {} for user {} created",
level = LogMessage.Level.INFO)
+ void createdConnection(String protocol, String connectionID, String user);
+
+ static void destroyedConnection(String protocol, Object connectionID,
Subject subject, String remoteAddress) {
+ CONNECTION_LOGGER.destroyedConnection(protocol, connectionID.toString(),
getCaller(subject, remoteAddress));
+ }
+
+ @LogMessage(id = 601768, value = "{} connection {} for user {} destroyed",
level = LogMessage.Level.INFO)
+ void destroyedConnection(String protocol, String connectionID, String user);
}
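Review bot: `createdConnection` always records the user as `unknown` plus the formatted remote address, because `addConnectionEntry` runs before any authentication; on its own, record 601767 therefore never attributes a connection to a principal, and that contract is not documented. Add a Javadoc on the static helper saying that the connection ID is the correlation key to record 601715 (`userSuccesfullyAuthenticated`) and to record 601768, e.g. `Logs connection creation. The user is not yet known at this point; correlate with the authentication and destruction records via the connection ID.` Both helpers also call `connectionID.toString()` on an `Object` parameter, which turns a null ID into an NPE inside the audit path; `String.valueOf(connectionID)` would log "null" instead and keep auditing from disturbing connection handling. The hand-built `String.format("unknown%s", ...)` also bypasses `getCaller(...)`, which every other record uses; if `getCaller(null, remoteAddress)` yields the same shape (its body is not in this hunk), reuse it so the caller format stays in one place.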
diff --git
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/server/impl/RemotingServiceImpl.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/server/impl/RemotingServiceImpl.java
index 011c212895..ec2ece6835 100644
---
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/server/impl/RemotingServiceImpl.java
+++
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/remoting/server/impl/RemotingServiceImpl.java
@@ -61,6 +61,7 @@ import
org.apache.activemq.artemis.core.server.ServiceRegistry;
import org.apache.activemq.artemis.core.server.cluster.ClusterConnection;
import org.apache.activemq.artemis.core.server.cluster.ClusterManager;
import org.apache.activemq.artemis.core.server.management.ManagementService;
+import org.apache.activemq.artemis.logs.AuditLogger;
import org.apache.activemq.artemis.spi.core.protocol.ConnectionEntry;
import org.apache.activemq.artemis.spi.core.protocol.MessagePersister;
import org.apache.activemq.artemis.spi.core.protocol.ProtocolManager;
@@ -486,6 +487,9 @@ public class RemotingServiceImpl implements
RemotingService, ServerConnectionLif
ConnectionEntry entry = connections.remove(remotingConnectionID);
if (entry != null) {
+ if (AuditLogger.isConnectionLoggingEnabled()) {
+
AuditLogger.destroyedConnection(entry.connection.getProtocolName(),
entry.connection.getID().toString(), entry.connection.getSubject(),
entry.connection.getRemoteAddress());
+ }
if (logger.isDebugEnabled()) {
logger.debug("RemotingServiceImpl::removing succeeded connection
ID {}, we now have {} connections", remotingConnectionID, connections.size());
}
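Review bot: `entry.connection.getID().toString()` is redundant here — `AuditLogger.destroyedConnection` takes the ID as `Object` and calls `toString()` itself — and it differs from the creation path, which passes the raw `connection.getID()`; pass `entry.connection.getID()` so both records derive the ID the same way and the helper alone decides how it is rendered. Correlation between the 601767 and 601768 records depends on these two IDs being the same value; that appears to hold because the map is keyed by `connection.getID()` and removed by `remotingConnectionID`, but it is worth a comment. The enclosing method begins before this hunk.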
@@ -577,6 +581,9 @@ public class RemotingServiceImpl implements
RemotingService, ServerConnectionLif
@Override
public void addConnectionEntry(Connection connection, ConnectionEntry
entry) {
connections.put(connection.getID(), entry);
+ if (AuditLogger.isConnectionLoggingEnabled()) {
+
AuditLogger.createdConnection(connection.getProtocolConnection().getProtocolName(),
connection.getID(), connection.getRemoteAddress());
+ }
if (logger.isDebugEnabled()) {
logger.debug("Adding connection {}, we now have {}",
connection.getID(), connections.size());
}
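Review bot: The protocol name is obtained here through `connection.getProtocolConnection().getProtocolName()`, while the matching destruction record in this commit uses `entry.connection.getProtocolName()`; the `ConnectionEntry` passed to `addConnectionEntry` already carries that remoting connection, so `entry.connection.getProtocolName()` is the consistent source and avoids the extra indirection. If `getProtocolConnection()` can be null for a transport connection whose protocol has not been resolved yet (not visible in this hunk), the current form would turn an enabled audit logger into an NPE during connection setup, which is exactly the failure mode an audit hook should not introduce. `addConnectionEntry` continues past the end of this hunk.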
diff --git
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
index ca671dfaac..d4301be5cf 100644
---
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
+++
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
@@ -211,7 +211,7 @@ public class SecurityStoreImpl implements SecurityStore,
HierarchicalRepositoryC
connection.setSubject(subject);
}
if (AuditLogger.isResourceLoggingEnabled()) {
- AuditLogger.userSuccesfullyAuthenticatedInAudit(subject,
connection.getRemoteAddress());
+ AuditLogger.userSuccesfullyAuthenticatedInAudit(subject,
connection.getRemoteAddress(), connection.getID().toString());
}
return validatedUser;
@@ -380,7 +380,7 @@ public class SecurityStoreImpl implements SecurityStore,
HierarchicalRepositoryC
ActiveMQServerLogger.LOGGER.securityProblemWhileAuthenticating(e.getMessage());
if (AuditLogger.isResourceLoggingEnabled()) {
- AuditLogger.userFailedAuthenticationInAudit(null, e.getMessage());
+ AuditLogger.userFailedAuthenticationInAudit(null, e.getMessage(),
connection.getID().toString());
}
throw e;
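Review bot: The new `connection.getID().toString()` dereferences `connection` inside the catch block, and the earlier `if` around `connection.setSubject(subject)` in the success hunk suggests `connection` may be null for some callers of this method; if it is, an authentication failure would surface as a NullPointerException raised from the catch, masking `e` and skipping the audit record for the failed attempt. Guard it before passing, e.g. `String connectionID = connection == null ? null : connection.getID().toString();` and pass `connectionID`, so auditing never alters the exception the caller sees. The enclosing method begins before this hunk.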
diff --git
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/BasicAuthenticator.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/BasicAuthenticator.java
index e23a4c2cda..80a8b6584e 100644
---
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/BasicAuthenticator.java
+++
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/BasicAuthenticator.java
@@ -48,7 +48,7 @@ public class BasicAuthenticator implements JMXAuthenticator {
return result;
} else {
if (AuditLogger.isResourceLoggingEnabled()) {
- AuditLogger.userFailedAuthenticationInAudit(result, null);
+ AuditLogger.userFailedAuthenticationInAudit(result, null, null);
}
throw new SecurityException("Authentication failed");
}
diff --git
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JaasAuthenticator.java
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JaasAuthenticator.java
index 1c440b37d8..233c95f514 100644
---
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JaasAuthenticator.java
+++
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/JaasAuthenticator.java
@@ -79,7 +79,7 @@ public class JaasAuthenticator implements JMXAuthenticator {
return subject;
} catch (LoginException e) {
if (AuditLogger.isResourceLoggingEnabled()) {
- AuditLogger.userFailedAuthenticationInAudit(subject,
e.getMessage());
+ AuditLogger.userFailedAuthenticationInAudit(subject,
e.getMessage(), null);
}
throw new SecurityException("Authentication failed", e);
}
diff --git a/docs/user-manual/en/logging.md b/docs/user-manual/en/logging.md
index ded567dd27..39fdb6faff 100644
--- a/docs/user-manual/en/logging.md
+++ b/docs/user-manual/en/logging.md
@@ -121,6 +121,7 @@ different types of broker events, these are:
The main purpose of this is to track console activity and access
to the broker.
3. **message**: This logs the production and consumption of messages.
+3. **connection**: This logs the creation and destruction of connections.
> **Note:**
>
@@ -144,6 +145,10 @@ logger.audit_resource.additivity = false
logger.audit_message = OFF, audit_log_file
logger.audit_message.name = org.apache.activemq.audit.message
logger.audit_message.additivity = false
+
+logger.audit_connection = OFF, audit_log_file
+logger.audit_connection.name = org.apache.activemq.audit.connection
+logger.audit_connection.additivity = false
...
```
@@ -155,12 +160,14 @@ logger.audit_base = INFO, audit_log_file
logger.audit_resource = INFO, audit_log_file
...
logger.audit_message = INFO, audit_log_file
+...
+logger.audit_connection = INFO, audit_log_file
```
-The 3 audit loggers can be disable/enabled separately.
+The 4 audit loggers can be disable/enabled separately.
Once enabled, all audit records are written into a separate log
-file (by default audit.log).
+file (by default `audit.log`).
## More on Log4J2 configuration: