Hi, so I want to add a bit of security to my Strapi backend.
I found there is this Logging | Strapi Documentation
But I also can’t seem to figure out how to make it work. I thought I needed to add this stuff to .env, but then I found the /config folder with server.js in it, which also seems to be quite a nice candidate…
Anyway, the question is: I added this to .env:
STRAPI_LOG_LEVEL=debug
STRAPI_LOG_TIMESTAMP=true
STRAPI_LOG_PRETTY_PRINT=true
STRAPI_LOG_FORCE_COLOR=true
But I can’t seem to find where the log file is…
Hi @antokhio great idea with fail2ban, however Strapi doesn’t log to a file (we have no built in method to do so) and it’s dumped to stdout aka the terminal so you will need some kind of service application to run Strapi and dump the logs into files.
The best option I’m aware of is pm2 which by default dumps them to ~/.pm2/logs/*
pm2:
-l --log [path] specify filepath to output both out and error logs
-o --output <path> specify out log file
-e --error <path> specify error log file
Without pm2 you can also pipe your stdout/stderr
node-command >> [/dev/null | your logfile] 2>&1
All right, so the log is going fine, but there is no info on the host that was rejected; it sends 400 but gives no clue as to who it was.
[2020-10-15T16:29:01.739Z] [2020-10-15t16:29:01.739z] debug POST /admin/login (24 ms) 400
[2020-10-15T16:29:03.222Z] [2020-10-15t16:29:03.222z] debug POST /admin/login (13 ms) 400
What bothers me: shouldn’t it be 403 or 404? And also I need to get an IP address from it.
You will probably want to build out a custom middleware for this; on one of my personal projects I’m using Sentry to gather this information.
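One way to build the custom middleware suggested above, as an added example that is not code from this thread or from Strapi: a Koa-style middleware (Strapi runs on Koa) that writes one line per rejected `POST /admin/login` with the client IP, in a shape fail2ban can match. The function names and the `admin-login-failed ip=… status=…` line format are assumptions made for this example.

```javascript
// Added example; names and log-line format are hypothetical.
const LOGIN_PATH = '/admin/login';

// Accept only characters that can occur in an IPv4/IPv6 literal. Anything
// else (spaces or newlines smuggled in via a forged X-Forwarded-For) is
// refused, so a client cannot inject fake lines that ban someone else.
function safeIp(ip) {
  return typeof ip === 'string' && /^[0-9a-fA-F:.]{2,45}$/.test(ip) ? ip : null;
}

// Returns the log line for a rejected login, or null for any other request.
function failureLine(ctx, now = new Date()) {
  if (ctx.method !== 'POST' || ctx.path !== LOGIN_PATH) return null;
  if (ctx.status < 400) return null;
  const ip = safeIp(ctx.ip) || 'invalid-ip';
  return `${now.toISOString()} admin-login-failed ip=${ip} status=${ctx.status}`;
}

// Koa middleware factory. `write` defaults to stdout, so pm2 or a shell
// redirect captures the lines alongside the normal Strapi output.
// Behind a reverse proxy, ctx.ip is the proxy's address unless Koa's
// proxy mode (app.proxy = true) is enabled and the proxy sets the header.
function failedLoginLogger(write = (line) => console.log(line)) {
  return async (ctx, next) => {
    await next(); // let the login handler run and set ctx.status first
    const line = failureLine(ctx);
    if (line) write(line);
  };
}

// JavaScript equivalent of the fail2ban filter you would pair with it:
//   failregex = admin-login-failed ip=<HOST> status=\d+$
const FAILREGEX = /admin-login-failed ip=([0-9a-fA-F:.]+) status=\d+$/;

// Extracts the address fail2ban would act on, or null if the line does not match.
function offendingHost(line) {
  const m = FAILREGEX.exec(line);
  return m ? m[1] : null;
}
```

Register it with `app.use(failedLoginLogger())` on the Koa instance, and point the fail2ban jail's `logpath` at the file pm2 or the redirect writes to.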