You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@guacamole.apache.org by mniehren <mi...@niehren.de> on 2017/12/14 14:56:39 UTC

report of activities on the server

Hi together,

i want to create a report, which user was conneted to the guacamole-server
and how long.

In the log of guacd i found entries of the form
  User "@e51b35cd-32f8-4474-8f32-25a848ae201e" joined connection
"$971f2e6b-eac1-4386-bcd1-2879b7022ba8"
and
  User "@e51b35cd-32f8-4474-8f32-25a848ae201e" disconnected 

but how can i find out which Login-Name belongs to the user and which
session name belongs
to the connection ?

maybe someone can help
  Michael




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: report of activities on the server

Posted by Michael Niehren <mi...@niehren.de>.

Hi Mike,

with the "easy change" and watching the 2 log files, it would be possible to
see, which user is currently online, which session he uses and accounting of
all sessions for the users. I also got the connection to the pid of the guacd
process, so i can kill his session. All that without using the Admin-Account.

That would be great. I don't think that we need the protocol changes, the only
benefit, i currently see, that all informations would be in 1 Log-File and not
in 2. What do you think about it ?

So could you please integrate the "easy changes", and the logging of the identifier
for each connection-specific message, that would be great.
The "easy changes" has to be in the client, right ?

One thing left in my mind. If a user has connected to jetty/tomcat with his
credentials, but has not start a session yet, how can i kick it off. I try
to set the disable flag in the db, but that only affect's new login tries
not the current login. Maybe you also know a solution for that.

best regards
   Michael

Am 23.12.2017 um 21:40 schrieb Mike Jumper:
> On Fri, Dec 22, 2017 at 3:51 PM, mniehren <michael@niehren.de <ma...@niehren.de>> wrote:
>
>     Hi Erik,
>
>     i tried out jetty and tomcat but in the log of both, i found the real
>     username
>     and the connection name, not more .
>
>     In the guacd.log i only have the encrypted ones.
>
>
> guacd has no concept of user accounts. The values you're seeing in guacd's logs are not encrypted 
> usernames, but unique identifiers generated upon connecting to identify the current connection 
> (such that it can be joined) and to identify the logical user accessing that connection (to 
> distinguish them from other usages of the same connection).
>
>     Is there a possiblity that either jetty/tomcat logs the encrypted username
>     or the pid of the guacd-process which handles the connection or that
>     guacd logs the real username and/or connection name ?
>
>
> Logging the unique identifier of the guacd connection would be an easy change, and would allow 
> some degree of correlation there. Though guacd already logs the connection identifier once per 
> connection, logging it for each connection-specific message would probably be a good idea, as well.
>
> Exposing the unique identifier of the logical user would require protocol and API changes, but may 
> be reasonable.
>
> Providing some means for the webapp to assign an arbitrary informational tag to be included in log 
> messages (like the username and unique value to allow things to be correlated on a 1-to-1 basis) 
> might also be reasonable, but would also require protocol and API changes.
>
> - Mike
>

-- 
Michael Niehren              __   _       powered by
                             / /  (_)__  __ ____  __
                            / /__/ / _ \/ // /\ \/ /
                           /____/_/_//_/\_,_/ /_/\_\

Re: report of activities on the server

Posted by Mike Jumper <mi...@guac-dev.org>.

On Fri, Dec 22, 2017 at 3:51 PM, mniehren <mi...@niehren.de> wrote:

> Hi Erik,
>
> i tried out jetty and tomcat but in the log of both, i found the real
> username
> and the connection name, not more .
>
> In the guacd.log i only have the encrypted ones.
>
>
guacd has no concept of user accounts. The values you're seeing in guacd's
logs are not encrypted usernames, but unique identifiers generated upon
connecting to identify the current connection (such that it can be joined)
and to identify the logical user accessing that connection (to distinguish
them from other usages of the same connection).

Is there a possiblity that either jetty/tomcat logs the encrypted username
> or the pid of the guacd-process which handles the connection or that
> guacd logs the real username and/or connection name ?
>

Logging the unique identifier of the guacd connection would be an easy
change, and would allow some degree of correlation there. Though guacd
already logs the connection identifier once per connection, logging it for
each connection-specific message would probably be a good idea, as well.

Exposing the unique identifier of the logical user would require protocol
and API changes, but may be reasonable.

Providing some means for the webapp to assign an arbitrary informational
tag to be included in log messages (like the username and unique value to
allow things to be correlated on a 1-to-1 basis) might also be reasonable,
but would also require protocol and API changes.

- Mike

Re: report of activities on the server

Posted by mniehren <mi...@niehren.de>.

Hi Erik,

i tried out jetty and tomcat but in the log of both, i found the real
username
and the connection name, not more .

In the guacd.log i only have the encrypted ones.

Is there a possiblity that either jetty/tomcat logs the encrypted username
or the pid of the guacd-process which handles the connection or that
guacd logs the real username and/or connection name ?

i am not familiar in java programming, but maybe it is only a small
change in the guacamole client ...

best regards
  Michael





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

report of activities on the server

Posted by Erik Berndt <er...@superiorpaving.net>.

>it would be unusual indeed for a Tomcat install to store its log files
within its configuration directory

Right you are! No more absent minded phone posting for me.

Michael,
Is this something you would mind sharing if you're successful? I, and I'm
sure others would find this useful.


On Thursday, December 14, 2017, Mike Jumper <mi...@guac-dev.org>
wrote:
> On Thu, Dec 14, 2017 at 8:32 AM, Erik Berndt
> <er...@superiorpaving.net> wrote:
>> Michael,
>>
>> Check the catalina.out log under the /etc/tomcatX directory. That should
>> list the relevant user names and connects/disconnects.
>>
>
> Probably /var/log/tomcat or /var/log/tomcatX. It would be unusual
> indeed for a Tomcat install to store its log files within its
> configuration directory. It's also possible that things may be logged
> to /var/log/messages or journalctl.
>
> If you're using a database with Guacamole, an easier way to generate
> such a report might be to just issue queries against the
> guacamole_connection_history table. It stores exactly the information
> you're looking for:
>
>
http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-connection-history
>
> - Mike
>

-- 
Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

Re: report of activities on the server

Posted by Mike Jumper <mi...@guac-dev.org>.

On Thu, Dec 14, 2017 at 8:32 AM, Erik Berndt
<er...@superiorpaving.net> wrote:
> Michael,
>
> Check the catalina.out log under the /etc/tomcatX directory. That should
> list the relevant user names and connects/disconnects.
>

Probably /var/log/tomcat or /var/log/tomcatX. It would be unusual
indeed for a Tomcat install to store its log files within its
configuration directory. It's also possible that things may be logged
to /var/log/messages or journalctl.

If you're using a database with Guacamole, an easier way to generate
such a report might be to just issue queries against the
guacamole_connection_history table. It stores exactly the information
you're looking for:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-connection-history

- Mike

Re: report of activities on the server

Posted by Erik Berndt <er...@superiorpaving.net>.

Michael,

Check the catalina.out log under the /etc/tomcatX directory. That should
list the relevant user names and connects/disconnects.

On Thursday, December 14, 2017, mniehren <mi...@niehren.de> wrote:
> Hi together,
>
> i want to create a report, which user was conneted to the guacamole-server
> and how long.
>
> In the log of guacd i found entries of the form
>   User "@e51b35cd-32f8-4474-8f32-25a848ae201e" joined connection
> "$971f2e6b-eac1-4386-bcd1-2879b7022ba8"
> and
>   User "@e51b35cd-32f8-4474-8f32-25a848ae201e" disconnected
>
> but how can i find out which Login-Name belongs to the user and which
> session name belongs
> to the connection ?
>
> maybe someone can help
>   Michael
>
>
>
>
> --
> Sent from:
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>

-- 
Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net