How to extract information about 401 unauthorised user records from Bamboo server logs
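Platform notice: Data Center - This article applies to Atlassian products on the Data Center platform.
This knowledge base article was written for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center-specific may also work for the Server version of the product, but they have not been tested. Support for Server* products ended on February 15, 2024. If you are running a Server product, see the Atlassian Server end of support announcement page for your migration options.
*Except Fisheye and Crucible
Summary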
There may be occasions when, for auditing or other purposes, it is necessary to obtain a list of users whose login attempts were rejected as unauthorised because of incorrect credentials. This KB describes how to extract 401 unauthorised user access records from Bamboo server logs.
Environment
This has been tested on Bamboo 9.6.4, but it is applicable to other supported versions of Bamboo.
Solution
The login information and REST API request information can be obtained by grepping for the pattern AccessLogFilter in the <Bamboo-Home>/logs/atlassian-bamboo-access.log files (which contain IP address/user details). The following is an example Bamboo access log:
root@0a29ef90f34d:/var/atlassian/application-data/bamboo/logs# grep -i 'AccessLogFilter' atlassian-bamboo-access.log
2023-07-20 12:33:12,150 INFO [http-nio-8085-exec-7] [AccessLogFilter] admin POST https://linux-47255.prod.atl-cd.net/bamboo/admin/addLog4jEntry.action 1084321kb
2023-07-20 12:33:12,424 INFO [http-nio-8085-exec-10] [AccessLogFilter] admin GET https://linux-47255.prod.atl-cd.net/bamboo/admin/configLog4j.action 1048969kb
2023-07-20 12:33:13,587 INFO [http-nio-8085-exec-16] [AccessLogFilter] admin GET https://linux-47255.prod.atl-cd.net/bamboo/rest/troubleshooting/1.0/check/admin?_=1689856393033 1013273kb
2023-07-20 12:33:33,225 INFO [http-nio-8085-exec-17] [AccessLogFilter] 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/userLogout.action 1010340kb
2023-07-20 12:33:33,521 INFO [http-nio-8085-exec-15] [AccessLogFilter] 172.50.0.3 GET https://linux-47255.prod.atl-cd.net/bamboo/start.action 967962kb
2023-07-20 12:33:33,918 INFO [http-nio-8085-exec-19] [AccessLogFilter] 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/rest/webResources/1.0/resources 958604kb
2023-07-20 12:33:35,089 INFO [http-nio-8085-exec-21] [AccessLogFilter] 172.50.0.3 GET https://linux-47255.prod.atl-cd.net/bamboo/userlogin!doDefault.action 958209kb
The user's authentication information can be obtained by grepping for the pattern DefaultAuthenticator in the <Bamboo-Home>/logs/atlassian-bamboo.log files, as seen below:
root@0a29ef90f34d:/var/atlassian/application-data/bamboo/logs# grep -i 'DefaultAuthenticator' atlassian-bamboo.log
2023-07-20 12:33:41,845 INFO [http-nio-8085-exec-4] [DefaultAuthenticator] login : 'admin' could not be authenticated with the given password
For more debug logs:
Enable debugging for the following classpaths so that Bamboo logs more detail about login attempts, allowing you to check failed login attempts together with the related user and IP address details:
com.atlassian.bamboo.user.authentication.BambooElevatedSecurityGuard, type All
com.atlassian.bamboo.filter.AccessLogFilter, type DEBUG
After enabling debugging and observing the issue again, grep for the pattern BambooElevatedSecurityGuard in the most recent <Bamboo-Home>/logs/atlassian-bamboo.log file. It provides more information about unsuccessful login attempts, as shown in the sample below:
2023-07-20 12:33:41,845 TRACE [http-nio-8085-exec-4] [BambooElevatedSecurityGuard] Failed login attempt, userName=admin, IP=172.50.0.3
2023-07-20 12:34:20,774 INFO [http-nio-8085-exec-11] [DefaultAuthenticator] login : 'admin' could not be authenticated with the given password
2023-07-20 12:34:20,774 WARN [http-nio-8085-exec-11] [DefaultAuthenticator] login : 'admin' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2023-07-20 12:34:20,775 INFO [http-nio-8085-exec-11] [BambooAuthenticator] Finished doing authentication checks for admin, took 32.88 ms
2023-07-20 12:34:20,775 TRACE [http-nio-8085-exec-11] [BambooElevatedSecurityGuard] Failed login attempt, userName=admin, IP=172.50.0.3
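For an audit, the BambooElevatedSecurityGuard lines above can be rolled up per user and source IP. The following is an added example, not Atlassian's own tooling: the function names sample_log and failed_logins are hypothetical, the sample lines are constructed in the TRACE format shown above, and it assumes that format is unchanged in your Bamboo version.

```shell
#!/bin/sh
# Added example: count failed Bamboo logins per user name and source IP.
# Usage: failed_logins <Bamboo-Home>/logs/atlassian-bamboo.log

# Constructed sample lines in the TRACE format shown in this article
# (the second user and the 192.0.2.x address are made up).
sample_log() {
cat <<'EOF'
2023-07-20 12:33:41,845 TRACE [http-nio-8085-exec-4] [BambooElevatedSecurityGuard] Failed login attempt, userName=admin, IP=172.50.0.3
2023-07-20 12:34:20,774 INFO [http-nio-8085-exec-11] [DefaultAuthenticator] login : 'admin' could not be authenticated with the given password
2023-07-20 12:34:20,775 TRACE [http-nio-8085-exec-11] [BambooElevatedSecurityGuard] Failed login attempt, userName=admin, IP=172.50.0.3
2023-07-20 12:35:02,101 TRACE [http-nio-8085-exec-2] [BambooElevatedSecurityGuard] Failed login attempt, userName=svc, deploy, IP=192.0.2.10
EOF
}

# Reads log content from the given files (or stdin) and prints tab-separated
# "count user ip first_seen last_seen", most frequent pair first.
failed_logins() {
  awk '
    /\[BambooElevatedSecurityGuard\] Failed login attempt, userName=/ {
      ts   = substr($0, 1, 23)                        # "YYYY-MM-DD HH:MM:SS,mmm"
      rest = substr($0, index($0, "userName=") + 9)   # "admin, IP=172.50.0.3"
      # The user name is client-supplied text and may contain commas or
      # spaces, so read the IP from the last ", IP=" on the line.
      ip   = rest; sub(/^.*, IP=/, "", ip)
      user = rest; sub(/, IP=[^,]*$/, "", user)
      key  = user "\t" ip
      if (!(key in n)) first[key] = ts
      n[key]++
      last[key] = ts
    }
    END {
      for (k in n) printf "%d\t%s\t%s\t%s\n", n[k], k, first[k], last[k]
    }
  ' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
sample_log | failed_logins
```

Rotated files can be passed together (for example atlassian-bamboo.log and its numbered rotations); INFO and WARN lines from DefaultAuthenticator are ignored because they carry no IP address.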
Debug logs for the enabled classpath com.atlassian.bamboo.filter.AccessLogFilter can be found in the atlassian-bamboo-access.log files, as shown below:
2023-07-20 13:20:06,963 INFO [http-nio-8085-exec-11] [AccessLogFilter] 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/userlogin.action 1618958kb
2023-07-20 13:20:07,087 DEBUG [http-nio-8085-exec-11] [AccessLogFilter] END: 200 172.50.0.3 POST https://linux-47255.prod.atl-cd.net/bamboo/userlogin.action 1618958kb-10743kb 124ms