CLDSRV-750: add Server Access Logs

Author: leif-scality

config.json

@@ -149,5 +149,9 @@
     },
     "integrityChecks": {
         "objectPutRetention": true
+    },
+    "serverAccessLogs": {
+        "enabled": true,
+        "outputFile": "./logs/server-access.log"
     }
 }

lib/Config.js

@@ -574,6 +574,27 @@ function parseIntegrityChecks(config) {
     return integrityChecks;
 }
 
+function parseServerAccessLogs(config) {
+    let res = {
+        enabled: true,
+        outputFile: './logs/server-access.log',
+    };
+
+    if (config && config.serverAccessLogs) {
+        if ('enabled' in config.serverAccessLogs) {
+            assert(typeof config.serverAccessLogs.enabled === 'boolean');
+            res.enabled = config.serverAccessLogs.enabled;
+        }
+
+        if ('outputFile' in config.serverAccessLogs) {
+            assert(typeof config.serverAccessLogs.outputFile === 'string');
+            res.outputFile = config.serverAccessLogs.outputFile;
+        }
+    }
+
+    return res;
+}
+
 /**
  * Reads from a config file and returns the content as a config object
  */
@@ -1785,7 +1806,7 @@ class Config extends EventEmitter {
             }
         }
         this.integrityChecks = parseIntegrityChecks(config);
-
+        this.serverAccessLogs = parseServerAccessLogs(config);
         /**
          * S3C-10336: PutObject max size of 5GB is new in 9.5.1
          * Provides a way to bypass the new validation if it breaks customer workflows

lib/api/api.js

@@ -264,6 +264,8 @@ const api = {
                 });
 
                 request.on('end', () => {
+                    request.serverAccessLog.startTurnAroundTime = process.hrtime.bigint();
+
                     if (bodyLength > MAX_BODY_LENGTH) {
                         log.error('body length is too long for request type',
                                   { bodyLength });

lib/metadata/metadataUtils.js

@@ -274,6 +274,14 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
                 contentLength, withVersionId, log, err => next(err, bucket, objMD));
         },
     ], (err, bucket, objMD) => {
+        if (bucket.getBucketLoggingStatus() && bucket.getBucketLoggingStatus().getLoggingEnabled()) {
+            request.serverAccessLog.enabled = true;
+            request.serverAccessLog.bucketOwner = bucket.getOwner();
+            request.serverAccessLog.bucketName = bucketName;
+            request.serverAccessLog.authInfo = authInfo;
+            request.serverAccessLog.loggingEnabled = bucket.getBucketLoggingStatus().getLoggingEnabled();
+        }
+
         if (err) {
             // still return bucket for cors headers
             return callback(err, bucket);
@@ -306,6 +314,14 @@ function standardMetadataValidateBucket(params, actionImplicitDenies, log, callb
             return callback(err);
         }
         const validationError = validateBucket(bucket, params, log, actionImplicitDenies);
+        if (bucket.getBucketLoggingStatus() && bucket.getBucketLoggingStatus().getLoggingEnabled()) {
+            params.request.serverAccessLog.enabled = true;
+            params.request.serverAccessLog.bucketOwner = bucket.getOwner();
+            params.request.serverAccessLog.bucketName = bucketName;
+            params.request.serverAccessLog.authInfo = params.authInfo;
+            params.request.serverAccessLog.authInfo = params.authInfo;
+            params.request.serverAccessLog.loggingEnabled = bucket.getBucketLoggingStatus().getLoggingEnabled();
+        }
         return callback(validationError, bucket);
     });
 }

lib/server.js

@@ -26,6 +26,7 @@ const {
 
 const HttpAgent = require('agentkeepalive');
 const QuotaService = require('./utilization/instance');
+const { logServerAccess } = require('./utilities/serverAccesssLogger');
 const { parseLC, MultipleBackendGateway } = arsenal.storage.data;
 const websiteEndpoints = _config.websiteEndpoints;
 let client = dataWrapper.client;
@@ -122,6 +123,19 @@ class S3Server {
         monitoringClient.httpActiveRequests.inc();
         const requestStartTime = process.hrtime.bigint();
 
+        req.serverAccessLog = {
+            enabled: false,
+            startTime: requestStartTime,
+        };
+        res.serverAccessLog = {};
+
+        res.on('finish', () => {
+            req.serverAccessLog.endTime = process.hrtime.bigint();
+            req.serverAccessLog.errorCode = res.serverAccessLog.errorCode;
+            req.serverAccessLog.endTurnAroundTime = res.serverAccessLog.endTurnAroundTime;
+            logServerAccess(req.serverAccessLog, req, res);
+        });
+ 
         // disable nagle algorithm
         req.socket.setNoDelay();
         res.on('close', () => {

lib/utilities/serverAccesssLogger.js

@@ -0,0 +1,279 @@
+const { Werelogs } = require('werelogs');
+const { config } = require('../Config');
+const fs = require('fs');
+const path = require('path');
+
+const DEFAULT_OUTPUT_FILE = './logs/api-operations.log';
+
+function createServerAccessLogger() {
+    if (!config.serverAccessLogs || !config.serverAccessLogs.enabled) {
+        console.warn("ServerAccessLogs disabled returning no-op logger");
+        return {
+            info: () => { },
+            debug: () => { },
+            warn: () => { },
+            error: () => { },
+            trace: () => { },
+            fatal: () => { },
+        };
+    }
+
+    // Ensure logs directory exists
+    const outputFile = config.serverAccessLogs.outputFile || DEFAULT_OUTPUT_FILE;
+    const logDir = path.dirname(outputFile);
+
+    try {
+        if (!fs.existsSync(logDir)) {
+            fs.mkdirSync(logDir, { recursive: true });
+        }
+    } catch (error) {
+        // Fall back to console-only logging if directory creation fails
+        console.warn('Failed to create ServerAccess log directory, falling back to console logging:', error.message);
+
+        let apiWerelogs = new Werelogs({
+            level: config.serverAccessLogs.logLevel || 'info',
+            dump: config.serverAccessLogs.dumpLevel || 'error',
+            streams: [
+                { level: 'trace', stream: process.stdout }
+            ]
+        });
+
+        return new apiWerelogs.Logger('ServerAccessLogger');
+    }
+
+    // Create file stream for API logs
+    const serverAccessLogStream = fs.createWriteStream(outputFile, { flags: 'a' });
+
+    // Handle stream errors
+    serverAccessLogStream.on('error', error => {
+        console.error('ServerAccessLogger log file stream error:', error);
+    });
+
+    // Create the API-specific Werelogs instance - file output only
+    apiWerelogs = new Werelogs({
+        level: config.serverAccessLogs.logLevel || 'info',
+        dump: config.serverAccessLogs.dumpLevel || 'error',
+        streams: [{ level: 'trace', stream: serverAccessLogStream }]
+    });
+    console.info("ServerAccessLogger created successfully");
+    return new apiWerelogs.Logger('ServerAccessLogger');
+}
+
+var serverAccessLogger = {
+    info: () => { },
+    debug: () => { },
+    warn: () => { },
+    error: () => { },
+    trace: () => { },
+    fatal: () => { },
+};
+
+
+try {
+    serverAccessLogger = createServerAccessLogger();
+} catch (error) {
+    console.error('Failed to create ServiceAccessLogger, using no-op logger:', error);
+}
+
+function getRemoteIPFromRequest(request) {
+    let remoteIP = '-';
+    if (request.headers) {
+        // Check for forwarded IP headers (proxy/load balancer scenarios)
+        remoteIP = request.headers['x-forwarded-for'] ||
+            request.headers['x-real-ip'] ||
+            request.headers['x-client-ip'] ||
+            request.headers['cf-connecting-ip']; // Cloudflare
+
+        // x-forwarded-for can contain multiple IPs, take the first one
+        if (remoteIP && remoteIP.includes(',')) {
+            remoteIP = remoteIP.split(',')[0].trim();
+        }
+    }
+
+    // Fallback to connection remote address if no forwarded headers
+    if (!remoteIP || remoteIP === '-') {
+        remoteIP = (request.connection && request.connection.remoteAddress) ||
+            (request.socket && request.socket.remoteAddress) ||
+            (request.ip) ||
+            '-';
+    }
+
+    return remoteIP;
+}
+
+function getOperation(req) {
+    const methodToResType = Object.freeze({
+        'bucketDelete': 'BUCKET',
+        'bucketDeleteCors': 'BUCKET',
+        'bucketDeleteEncryption': 'BUCKET',
+        'bucketDeleteWebsite': 'BUCKET',
+        'bucketGet': 'BUCKET',
+        'bucketGetACL': 'BUCKET',
+        'bucketGetCors': 'BUCKET',
+        'bucketGetObjectLock': 'BUCKET',
+        'bucketGetVersioning': 'VERSIONING',
+        'bucketGetWebsite': 'BUCKET',
+        'bucketGetLocation': 'BUCKET',
+        'bucketGetEncryption': 'BUCKET',
+        'bucketHead': 'BUCKET',
+        'bucketPut': 'BUCKET',
+        'bucketPutACL': 'BUCKET',
+        'bucketPutCors': 'BUCKET',
+        'bucketPutVersioning': 'VERSIONING',
+        'bucketPutTagging': 'BUCKET',
+        'bucketDeleteTagging': 'BUCKET',
+        'bucketGetTagging': 'BUCKET',
+        'bucketPutWebsite': 'BUCKET',
+        'bucketPutReplication': 'BUCKET',
+        'bucketGetReplication': 'BUCKET',
+        'bucketDeleteReplication': 'BUCKET',
+        'bucketDeleteQuota': 'BUCKET',
+        'bucketPutLifecycle': 'BUCKET',
+        'bucketUpdateQuota': 'BUCKET',
+        'bucketGetLifecycle': 'BUCKET',
+        'bucketDeleteLifecycle': 'BUCKET',
+        'bucketPutPolicy': 'BUCKETPOLICY',
+        'bucketGetPolicy': 'BUCKETPOLICY',
+        'bucketGetQuota': 'BUCKET',
+        'bucketDeletePolicy': 'BUCKETPOLICY',
+        'bucketPutObjectLock': 'BUCKET',
+        'bucketPutNotification': 'BUCKET',
+        'bucketGetNotification': 'BUCKET',
+        'bucketPutEncryption': 'BUCKET',
+        'bucketPutLogging': 'LOGGING_STATUS',
+        'bucketGetLogging': 'LOGGING_STATUS',
+        // 'corsPreflight': '',
+        'completeMultipartUpload': 'OBJECT',
+        'initiateMultipartUpload': 'OBJECT',
+        'listMultipartUploads': 'OBJECT',
+        'listParts': 'OBJECT',
+        'metadataSearch': 'OBJECT',
+        'multiObjectDelete': 'OBJECT',
+        'multipartDelete': 'OBJECT',
+        'objectDelete': 'OBJECT',
+        'objectDeleteTagging': 'OBJECT',
+        'objectGet': 'OBJECT',
+        'objectGetACL': 'OBJECT',
+        'objectGetLegalHold': 'OBJECT',
+        'objectGetRetention': 'OBJECT',
+        'objectGetTagging': 'OBJECT',
+        'objectCopy': 'OBJECT',
+        'objectHead': 'OBJECT',
+        'objectPut': 'OBJECT',
+        'objectPutACL': 'OBJECT',
+        'objectPutLegalHold': 'OBJECT',
+        'objectPutTagging': 'OBJECT',
+        'objectPutPart': 'OBJECT',
+        'objectPutCopyPart': 'OBJECT',
+        'objectPutRetention': 'OBJECT',
+        'objectRestore': 'OBJECT',
+        // 'serviceGet': '',
+        // 'websiteGet': '',
+        // 'websiteHead': '',
+    });
+
+    return `REST.${req.method}.${methodToResType[req.apiMethod] ? methodToResType[req.apiMethod] : 'UNKNOWN'}`
+}
+
+function getRequester(authInfo) {
+    let requester = '-';
+    if (authInfo) {
+        if (authInfo.isRequesterPublicUser && authInfo.isRequesterPublicUser()) {
+            return requester; // Unauthenticated requests
+        } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
+            // IAM user: include IAM user name and account
+            const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';
+            const accountName = authInfo.getAccountDisplayName ? authInfo.getAccountDisplayName() : '';
+            return iamUserName && accountName ? `${iamUserName}:${accountName}` : authInfo.getCanonicalID();
+        } else if (authInfo.getCanonicalID) {
+            // Regular user: canonical user ID
+            return authInfo.getCanonicalID();
+        }
+    }
+    return requester;
+}
+
+function getURI(request) {
+    let requestURI = '-';
+    if (request) {
+        const method = request.method || 'UNKNOWN';
+        const url = request.url || request.originalUrl || '/';
+        const httpVersion = request.httpVersion || '1.1';
+        requestURI = `${method} ${url} HTTP/${httpVersion}`;
+    }
+    return requestURI;
+}
+
+function getObjectSize(request) {
+    const objectSizeMethods = Object.freeze({
+        'objectPut': true,
+        'objectPutPart': true,
+        'objectGet': true,
+    });
+
+    if (request && objectSizeMethods[request.apiMethod]) {
+        const len = request.getHeader('Content-Length');
+        return len ? len : '-';
+    }
+
+    return '-';
+}
+
+function getBytesSent(res) {
+    if (!res) {
+        return '-';
+    }
+    if (res.getHeader('Content-Length')) {
+        return res.getHeader('Content-Length');
+    }
+    return '-';
+}
+
+function logServerAccess(params, req, res) {
+    if (!params.enabled) {
+        return;
+    }
+
+    console.log(params)
+
+    serverAccessLogger.info('SERVER_ACCESS_LOG', {
+        // AWS fields.
+        bucketOwner: params.bucketOwner,
+        bucket: params.bucketName,
+        startTime: params.startTime.toString(),
+        remoteIP: getRemoteIPFromRequest(req),
+        requester: getRequester(params.authInfo),
+        // // requestID: '-', // From wherelogs.
+        operation: getOperation(req),
+        requestURI: getURI(req),
+        HTTPStatus: res.statusCode,
+        errorCode: params.errorCode ? params.errorCode : '-',
+        bytesSent: getBytesSent(res),
+        objectSize: getObjectSize(req),
+        totalTime: (Number(params.endTime - params.startTime) / 1_000_000).toString(),
+        turnAroundTime: (Number(params.endTurnAroundTime - params.startTurnAroundTime) / 1_000_000).toString(),
+        referer: req.headers.referer ? req.headers.referer : '-',
+        userAgent: req.headers['user-agent'] ? req.headers['user-agent'] : '-',
+        versionID: req.query.versionId ? req.query.versionId : '-', // query inserted by arsenal.
+        hostID: '-', // NOT IMPLEMENTED
+        signatureVersion: params.authInfo.getAuthVersion(),
+        cipherSuite: req.socket.encrypted ? req.socket.getCipher()['standardName'] : '-',
+        authenticationType: params.authInfo.getAuthType(),
+        hostHeader: req.headers.host ? req.headers.host : '-',
+        // From https://nodejs.org/api/tls.html#tlssocketgetcipher
+        tlsVersion: req.socket.encrypted ? req.socket.getCipher()['version'] : '-',
+        accessPointARN: '-', // NOT IMPLEMENTED
+        aclRequired: '-', // ???
+        // Scality extra fields.
+        logFormatVersion: '-',
+        loggingEnabled: true,
+        loggingTargetBucket: params.loggingEnabled.TargetBucket,
+        loggingTargetPrefix: params.loggingEnabled.TargetPrefix,
+        raftSessionID: '-',
+        aws_access_key_id: params.authInfo.getAccessKey() ? params.authInfo.getAccessKey() : '-',
+    })
+}
+
+module.exports = {
+    logServerAccess,
+};