Logging

  • Logging

    When an authenticated user connects to the Subversion server via TortoiseSVN or SVN client, I can see the user activities in the Subversion logs. However, when he logs in via the web browser, there's no log entry in the log file at all. How do I configure Apache log to show that information? Thanks.

  • #2
    Web browser repository access via Apache should be logged by Apache by default. The log entries differ from TortoiseSVN or SVN command line client by minimal amounts.

    Here's a few lines created by a single browse via Firefox:

    192.168.56.1 - - [24/Oct/2018:21:21:41 +0200] "GET /svn/first/ HTTP/1.1" 401 481 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0"
    192.168.56.1 - acct10001 [24/Oct/2018:21:21:43 +0200] "GET /svn/first/ HTTP/1.1" 200 769 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0"
    192.168.56.1 - - [24/Oct/2018:21:21:43 +0200] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0"

    Here's a few lines created by the command line tool "svn":

    192.168.56.205 - - [24/Oct/2018:21:23:59 +0200] "OPTIONS /svn/first HTTP/1.1" 401 481 "-" "SVN/1.9.7 (x86_64-redhat-linux-gnu) serf/1.3.7"
    192.168.56.205 - acct10001 [24/Oct/2018:21:23:59 +0200] "OPTIONS /svn/first HTTP/1.1" 200 189 "-" "SVN/1.9.7 (x86_64-redhat-linux-gnu) serf/1.3.7"
    192.168.56.205 - acct10001 [24/Oct/2018:21:24:02 +0200] "OPTIONS /svn/first HTTP/1.1" 200 97 "-" "SVN/1.9.7 (x86_64-redhat-linux-gnu) serf/1.3.7"
    192.168.56.205 - acct10001 [24/Oct/2018:21:24:02 +0200] "OPTIONS /svn/first HTTP/1.1" 200 189 "-" "SVN/1.9.7 (x86_64-redhat-linux-gnu) serf/1.3.7"
    192.168.56.205 - acct10001 [24/Oct/2018:21:24:02 +0200] "PROPFIND /svn/first/!svn/rvr/21 HTTP/1.1" 207 2903 "-" "SVN/1.9.7 (x86_64-redhat-linux-gnu) serf/1.3.7"
    192.168.56.205 - acct10001 [24/Oct/2018:21:24:02 +0200] "PROPFIND /svn/first/!svn/rvr/21 HTTP/1.1" 207 767 "-" "SVN/1.9.7 (x86_64-redhat-linux-gnu) serf/1.3.7"

    All of those lines were found in my "/var/log/httpd/access_log" file (it's a VM where I have not turned SSL on yet).

    NOTE: log entries will go to "access_log" if "http:" is used or to "ssl_access_log" if "https:" is used.

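Added example, not part of the original thread: a Python check that parses combined-format access_log lines like those quoted in post #2 and reports, per client type, which user IDs (the `%u` field) were logged and how many requests carried no user. The sample lines are constructed from the excerpts above; the `/svn/` prefix, the `SVN/` User-Agent test and the function names are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines, modelled on the access_log excerpts in post #2.
SAMPLE = [
    '192.168.56.1 - - [24/Oct/2018:21:21:41 +0200] "GET /svn/first/ HTTP/1.1" 401 481 "-" "Mozilla/5.0 Firefox/62.0"',
    '192.168.56.1 - acct10001 [24/Oct/2018:21:21:43 +0200] "GET /svn/first/ HTTP/1.1" 200 769 "-" "Mozilla/5.0 Firefox/62.0"',
    '192.168.56.1 - - [24/Oct/2018:21:21:43 +0200] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0 Firefox/62.0"',
    '192.168.56.205 - - [24/Oct/2018:21:23:59 +0200] "OPTIONS /svn/first HTTP/1.1" 401 481 "-" "SVN/1.9.7 serf/1.3.7"',
    '192.168.56.205 - acct10001 [24/Oct/2018:21:24:02 +0200] "PROPFIND /svn/first/!svn/rvr/21 HTTP/1.1" 207 2903 "-" "SVN/1.9.7 serf/1.3.7"',
]

def client_type(agent):
    # User-Agent is client-supplied, so treat this label as a hint, not proof.
    return "svn-client" if agent.startswith("SVN/") else "browser-or-other"

def audit(lines, repo_prefix="/svn/"):
    """Summarise repository requests per client type.

    Returns ({client_type: {"users": set of %u values, "anonymous": count}},
    list of lines that did not match the combined format).
    """
    summary = defaultdict(lambda: {"users": set(), "anonymous": 0})
    unparsed = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            unparsed.append(line)      # keep unparseable lines for review
            continue
        if not m["path"].startswith(repo_prefix):
            continue                   # e.g. /favicon.ico
        bucket = summary[client_type(m["agent"])]
        if m["user"] == "-":
            bucket["anonymous"] += 1   # no user logged (e.g. the 401 challenge)
        else:
            bucket["users"].add(m["user"])
    return dict(summary), unparsed

if __name__ == "__main__":
    result, bad = audit(SAMPLE)
    for kind, data in sorted(result.items()):
        print(kind, sorted(data["users"]), "anonymous:", data["anonymous"])
    print("unparsed:", len(bad))
```

Run against the log of the Apache instance that performs authentication; a log that only ever shows `-` in the user field for browser requests will report an empty `users` set for `browser-or-other`.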


    • #3
      DougR, thanks for the prompt reply. In our environment, we run SVN with Apache httpd server (by default), and we also have another Apache httpd server to route requests to SVN Apache. In the 'another' Apache httpd server, I do see the entries when the user accesses SVN via the browser, but I don't see the user ID logged there, and I don't think Apache can log that info as it doesn't deal with authentication which SVN is configured to deal with. Unless I am missing something, I don't think that user ID data can be logged there.



      • #4
        In general, Apache is doing AuthN and AuthZ one way or another if you are using either "http:" or "https:" type URLs.

        I've seen Apache do AuthZ via various "<Limit>" and "require" statements, but I consider those archaic since they are nearly impossible to properly manage with the newer SVN protocols.
        The only proper way to do AuthZ at this time is via the "AuthzSVNAccessFile" statement (well, you could always choose to enable all AuthN accounts full access to the repository - that's ok if it meets your use case). To do that, load "mod_dav_svn.so" and "mod_authz_svn.so" into Apache and require AuthN'd accounts.

        So, I'll ask: which of your 2 Apache servers has those modules loaded? Because the Apache server that has mod_dav_svn loaded should be logging those lines regardless of whether AuthN has taken place or not. Look up above and you'll find the 1st entry in both sets has "-" for the account name - that's because that access was unauthenticated.

        The other question I need to ask: Is all of your access via "http:" (or "https:")? Or is some via "svn+ssh" or just "svn" or?



        • #5
          Access is via https. The module is in the Apache server that comes with SVN. The log entry is there only when user accesses SVN via TortoiseSVN or SVN client.



          • #6
            Are both Apaches running on the same box? Does the "other" Apache have the SVN plugin enabled and have access to the disk (e.g. via NFS)?



            • #7
              On same box. No SVN plugin on the other one. Should I enable it there so that user ID is logged as well?



              • #8
                Honestly, I've never run more than one Apache on a single server before. But if folks are using it to access SVN then it should have mod_dav_svn.so loaded (and likely mod_authz_svn), yes.



                • #9
                  You meant to load these 2 modules in the reverse proxy (the Apache web server)? The authentication is happening at the SVN Apache. So by adding these 2 modules at the proxy side without authentication, the user ID data will be logged in the Apache log on the proxy side?



                  • #10
                    If all that the 2nd Apache is doing is being a reverse proxy then, no, don't add it there.

                    I'm assuming that the repository is properly identifying the accounts that are doing the checkins? If so, then you might need to handle this with a CustomLog for Subversion.



                    • #11
                      Yes I am able to get that info today. The problem is just that I don't get any log entries when user accesses via the web browser.



                      • #12
                        Are both Apaches logging to the same file? I would expect 2 different logs: perhaps one in /var/log/httpd/... and one in /var/log/httpd2/... ?



                        • #13
                          Yes, to diff log files. The proxy one doesn't give me the user id and the SVN gives me that but if accessing via a web browser, the SVN log shows no log entry at all.



                          • #14
                            Could you share your Apache config file for Subversion (redacting specific stuff you don't want seen)?
