How to investigate ssh deploy key usage? Are there any useful logs?

Hi,

I need to investigate which projects have been cloned with a certain deploy-key, or, if that’s not possible, at least from which IPs this deploy key was used.

I tried to google and search this forum to no avail. What I found is the gitlab-shell.log (/var/log/gitlab/gitlab-shell/gitlab-shell.log) which is pretty useless, unfortunately. It logs something but it doesn’t even tell what was done (to be fair, it says “executing git command”. yeah, cool, thanks.) not to speak of deploy key usage or at least the IP.

Are there any logs that can help me? Grepping the logs for the deploy key’s name did not help as well…

Thanks for taking the time for answering my request, it really helps! :blush:

Hi,

maybe this can be achieved with Audit Events. I am not sure about specific key tracking though - if it does not exist, please create a feature request.

Cheers,
Michael

1 Like

Ok, so it’s not possible right now for the past as I am currently on the CE?

Of course one needs to have a subscription for a fancy GUI with great filters, cross references and all the bells and whistles but for some basic logging of who authenticates? Wow.

Hi,

I did a quick research myself yesterday, maybe there are other options available which may help. Or it is generally a missing feature to log these events if they are not visible in the logs. The best possible way to find out would be to create a feature request issue and kindly ask our engineers :slight_smile:

Cheers,
Michael

1 Like

Thanks for looking into this.
I followed your advice and opened an issue: https://gitlab.com/gitlab-org/gitlab/-/issues/228615

1 Like

This issue has been solved by @stanhu, so there will be more information in the log to investigate future incidents. Thank you.