How can I monitor the user requesting content from Nexus Repository 2?

Visit my.sonatype.com for documentation on Nexus Repository version 2.

Nexus Repository 2.8+

  1. As the admin user, go to Administration -> Logging -> Loggers.
  2. Click Add to create a new logger. Enter org.eclipse.jetty.server.Server as the logger name, set the level to DEBUG, and click Save.
  3. Click Add to create another logger. Enter org.sonatype.security.internal.UserIdMdcHelper as the logger name, set the level to TRACE, and click Save.

All subsequent requests will now write lines to nexus.log showing the request, the response, and the authenticated user name the request was made as. Example of a single request/response made as the admin user:

2014-06-03 20:48:57,638-0300 DEBUG [qtp1151354962-114]  org.eclipse.jetty.server.Server - REQUEST /nexus/service/siesta/logging/loggers on AsyncHttpConnection@56c3c50a,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-5,l=10,c=0},r=25
2014-06-03 20:48:57,639-0300 TRACE [qtp1151354962-114]  org.sonatype.security.internal.UserIdMdcHelper - Set: admin
2014-06-03 20:48:57,642-0300 DEBUG [qtp1151354962-114]  org.eclipse.jetty.server.Server - RESPONSE /nexus/service/siesta/logging/loggers  200 handled=true 
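
The three line types above can be joined into one audit record per request by keying on the thread name. The following Python is an added example, not Sonatype's code: the function name audit_records and the sample log are constructed for illustration, and it assumes a Jetty thread logs REQUEST, Set: and RESPONSE for one request before starting the next.

```python
import re

JETTY = "org.eclipse.jetty.server.Server"
MDC = "org.sonatype.security.internal.UserIdMdcHelper"
LINE = re.compile(r"^(\S+ \S+) +\w+ +\[([^\]]+)\] +(\S+) - (.*)$")
REQUEST = re.compile(r"REQUEST (\S+) on ")
RESPONSE = re.compile(r"RESPONSE (\S+) +(\d{3})\b")

# Constructed sample in the nexus.log format shown above. Only the first
# request mirrors the article; other users, threads and paths are made up.
SAMPLE_LOG = """\
2014-06-03 20:48:57,638-0300 DEBUG [qtp1151354962-114]  org.eclipse.jetty.server.Server - REQUEST /nexus/service/siesta/logging/loggers on AsyncHttpConnection@56c3c50a
2014-06-03 20:48:57,639-0300 DEBUG [qtp1151354962-120]  org.eclipse.jetty.server.Server - REQUEST /nexus/content/groups/public/junit/junit/4.11/junit-4.11.jar on AsyncHttpConnection@1a2b3c4d
2014-06-03 20:48:57,639-0300 TRACE [qtp1151354962-114]  org.sonatype.security.internal.UserIdMdcHelper - Set: admin
2014-06-03 20:48:57,640-0300 TRACE [qtp1151354962-120]  org.sonatype.security.internal.UserIdMdcHelper - Set: deployment
2014-06-03 20:48:57,641-0300 INFO  [qtp1151354962-120]  org.example.Other - unrelated line
2014-06-03 20:48:57,642-0300 DEBUG [qtp1151354962-114]  org.eclipse.jetty.server.Server - RESPONSE /nexus/service/siesta/logging/loggers  200 handled=true
2014-06-03 20:48:57,650-0300 DEBUG [qtp1151354962-120]  org.eclipse.jetty.server.Server - RESPONSE /nexus/content/groups/public/junit/junit/4.11/junit-4.11.jar  200 handled=true
2014-06-03 20:48:58,001-0300 DEBUG [qtp1151354962-114]  org.eclipse.jetty.server.Server - REQUEST /nexus/content/repositories/releases/ on AsyncHttpConnection@56c3c50a
2014-06-03 20:48:58,003-0300 DEBUG [qtp1151354962-114]  org.eclipse.jetty.server.Server - RESPONSE /nexus/content/repositories/releases/  401 handled=true
"""

def audit_records(lines):
    """Return one dict per completed request: time, thread, user, path, status."""
    open_requests = {}  # thread name -> record still waiting for its RESPONSE
    records = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, thread, logger, msg = m.groups()
        if logger == JETTY and (req := REQUEST.match(msg)):
            # A new REQUEST replaces any stale, unanswered one on this thread.
            open_requests[thread] = {"time": ts, "thread": thread, "user": None,
                                     "path": req.group(1), "status": None}
        elif logger == MDC and msg.startswith("Set: ") and thread in open_requests:
            open_requests[thread]["user"] = msg[len("Set: "):].strip()
        elif logger == JETTY and (resp := RESPONSE.match(msg)):
            rec = open_requests.pop(thread, None)
            # Only emit when the RESPONSE path matches the REQUEST it closes.
            if rec and rec["path"] == resp.group(1):
                rec["status"] = int(resp.group(2))
                records.append(rec)
    return records
```

A record whose user is None means no Set: line was seen between REQUEST and RESPONSE on that thread; treating that as an unauthenticated request is an assumption of this example.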

Nexus Repository 2.6+

There are still a few edge cases [NEXUS-6344] where a log message may include an unrelated user name as part of the log pattern. This is a logging error and does not constitute a security escalation. We continue to track and fix these misleading messages.

In some cases [NEXUS-5753], Nexus Repository 2.5 printed an incorrect userid in log messages if the executing thread was not a Jetty 'qtp' thread. We addressed this so that each spawned thread should have the correct context of the user that launched the thread.

Nexus Repository 2.5

Starting with Nexus Repository 2.5, you can see the userid of the user requesting content from Nexus Repository by looking in the nexus.log files.

If using Nexus Repository 2.5 or greater, edit sonatype-work/nexus/conf/logback-nexus.xml and add

<logger name="org.sonatype.nexus.web.NexusRestletServlet" level="DEBUG" /> 

You should then see lines like this, where 'admin' is the user name of the user in this case:

2013-06-03 16:38:36 DEBUG [qtp1509640694-74] admin org.sonatype.nexus.web.NexusRestletServlet - Processing: HEAD /nexus/content/groups/public/junit/junit/4.11/junit-4.11.jar (http://localhost:8082/nexus/content/groups/public/junit/junit/4.11/junit-4.11.jar)

Note: Due to a bug [NEXUS-5753] in Nexus Repository 2.5, only threads from Jetty's thread pool, starting with 'qtp', should be trusted to print the correct userid. All other threads which print a userid could be showing an incorrect userid. Nexus 2.6 fixes this.

Nexus Repository 2.0-2.4

In earlier versions of Nexus Repository 2, you can see the userid of the user and the path they are requesting by looking in the nexus.log files, after making some logging adjustments.

Edit sonatype-work/nexus/conf/logback-nexus.xml, adding:

<logger name="org.eclipse.jetty.server.AbstractHttpConnection" level="DEBUG" />
<logger name="org.apache.shiro.realm.AuthenticatingRealm" level="DEBUG" />

Also, edit the section:

<appender name="logfile" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <File>${appender.file}</File>
  <Append>true</Append>
  <encoder>
    <pattern>${appender.pattern}</pattern>
  </encoder>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>${appender.file}.%d{yyyy-MM-dd}.gz</fileNamePattern>
  </rollingPolicy>
</appender>

to 

<appender name="logfile" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <File>${appender.file}</File>
  <Append>true</Append>
  <encoder>
    <pattern>%4d{yyyy-MM-dd HH:mm:ss} %-5p [%thread] %c - %m%n</pattern>
  </encoder>
  <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
    <fileNamePattern>${appender.file}.%d{yyyy-MM-dd}.gz</fileNamePattern>
  </rollingPolicy>
</appender>

Note: This second change will prevent Nexus Repository 2 from picking up future appender pattern changes from logback.properties should you upgrade. Also, the relative request path will now be printed as part of the Jetty thread id.

The result is you should see log lines similar to this in nexus.log:

2013-06-03 17:03:58 DEBUG [qtp2123009988-75 - /nexus/content/groups/public/junit/junit/maven-metadata.xml.sha1]  org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [admin] from doGetAuthenticationInfo