goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

expand logging to get authentik crowdsec ready #3715

Closed cuthulino closed 12 months ago

cuthulino commented 2 years ago

Is your feature request related to a problem? Please describe. I am using CrowdSec for securing my exposed services.
Authentik as my auth service is therefore exposed as well.
The actual logging behavior misses some information to use it with crowdsec to parse it.

At the moment an invalid login attempt looks like this:

{"auth_via": "unauthenticated", "event": "invalid_login", "host": "auth.domain.de", "identifier": "username", "level": "info", "logger": "authentik.flows.stage", "pid": 187641, "request_id": "58c23b3a49544bbaa20dde888011a989", "stage": "default-authentication-identification", "stage_view": "authentik.stages.identification.stage.IdentificationStageView", "timestamp": "2022-10-01T20:13:50.435689"}

Describe the solution you'd like To use the logs with crowdsec the remote ip address of the failed login attempt is needed.
For counting and banning.

For better usability the log type should be changed as well for failed authentications, from "info" to "warning".
Like this info logs can be hidden and failed auth can be parsed further.

It should look like this:

{"auth_via": "unauthenticated", "event": "invalid_login", "host": "auth.domain.de", "identifier": "username", "level": "warn", "logger": "authentik.flows.stage", "pid": 187641, "remote": "xx.xx.xx.xx", "request_id": "58c23b3a49544bbaa20dde888011a989", "stage": "default-authentication-identification", "stage_view": "authentik.stages.identification.stage.IdentificationStageView", "timestamp": "2022-10-01T20:13:50.435689"}

BeryJu commented 2 years ago

The default authentik flows do user identification and authentication separately, and the event invalid_login is when an invalid identifier is used to login.

The actual log message for invalid credentials is:

{
    "action": "login_failed",
    "auth_via": "unauthenticated",
    "client_ip": "::1",
    "context": {
        "http_request": {
            "args": {
                "query": "next=%2F"
            },
            "method": "POST",
            "path": "/api/v3/flows/executor/default-authentication-flow/"
        },
        "password": "********************",
        "stage": {
            "app": "authentik_stages_password",
            "model_name": "passwordstage",
            "name": "default-authentication-password",
            "pk": "c9d44052811748b780bb9f8abdbb6d13"
        },
        "username": "akadmin"
    },
    "event": "Created Event",
    "host": "localhost:9000",
    "level": "info",
    "logger": "authentik.events",
    "pid": 49872,
    "request_id": "6a8494dd1732419093fc16256aa19db6",
    "timestamp": "2022-10-01T22:47:44.899698",
    "user": {
        "email": "",
        "pk": 2,
        "username": "AnonymousUser"
    }
}

cuthulino commented 2 years ago

Thanks for your explanation.

With this information I can write a parser for "login_failed".
It would be great if the "invalid_login" could be parsed as well to generate a ban (add ip addresses).
With both events crowdsec could check for bruteforce on a specific user's password and bruteforce on usernames.

And what about the log levels? Do I get it right that all of these events are level "info"?
At the moment my logs are full of healthchecks and in between there are some other entries.

Can I stop displaying the healthchecks or add the login_failed and invalid_login to "warn" level?

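The two event shapes quoted above differ in one way that matters for banning: login_failed carries client_ip, the invalid_login line as shown does not. The following is an added example, not code from the thread or from the authentik project: it parses constructed sample lines modelled on those two shapes, applies a sliding-window count per source address (the same idea as a crowdsec leaky bucket) for password brute force and for username enumeration, and separately counts failed-auth events that carry no address and therefore cannot be attributed. Hostnames, addresses, request ids, the healthcheck line and the client_ip key on invalid_login records are constructed assumptions, not fields authentik is known to emit.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, modelled on the two log shapes quoted in this thread.
# Hostnames and addresses are documentation values, not real systems.

def _login_failed(ts, ip, username):
    # Shape of the authentik.events "login_failed" line (carries client_ip).
    return json.dumps({
        "action": "login_failed", "auth_via": "unauthenticated", "client_ip": ip,
        "context": {
            "http_request": {"method": "POST",
                             "path": "/api/v3/flows/executor/default-authentication-flow/"},
            "password": "********************", "username": username},
        "event": "Created Event", "host": "auth.example.test", "level": "info",
        "logger": "authentik.events", "pid": 49872, "request_id": "constructed",
        "timestamp": ts})

def _invalid_login(ts, identifier, ip=None):
    # Shape of the authentik.flows.stage "invalid_login" line. The version quoted in
    # the thread has no address field; "client_ip" is only added here when given, to
    # model the field the thread asks for (assumption, not a documented authentik key).
    rec = {"auth_via": "unauthenticated", "event": "invalid_login",
           "host": "auth.example.test", "identifier": identifier, "level": "info",
           "logger": "authentik.flows.stage", "pid": 187641, "request_id": "constructed",
           "stage": "default-authentication-identification", "timestamp": ts}
    if ip:
        rec["client_ip"] = ip
    return json.dumps(rec)

def _ts(sec):
    return f"2022-10-01T20:13:{sec:02d}.000000"

SAMPLE_LOGS = (
    [_login_failed(_ts(s), "203.0.113.7", "alice") for s in range(0, 30, 5)]    # 6 in 25 s
    + [_login_failed(_ts(10), "198.51.100.2", "bob")]                             # one-off
    + [_invalid_login(_ts(s), f"user{s}") for s in range(1, 6)]                  # no IP at all
    + [_invalid_login(_ts(s), f"probe{s}", "192.0.2.9") for s in range(20, 25)]  # enumeration
    + ['{"event": "healthcheck", "level": "info"}',  # constructed non-auth noise
       "not json at all"]                             # constructed malformed line
)

def parse_line(line):
    """Return the record if the line is a JSON object with a timestamp, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) and "timestamp" in rec else None

def classify(rec):
    """Map a record to (kind, client_ip, identifier), or None for non-auth noise."""
    if rec.get("logger") == "authentik.events" and rec.get("action") == "login_failed":
        return "login_failed", rec.get("client_ip"), rec.get("context", {}).get("username")
    if rec.get("logger") == "authentik.flows.stage" and rec.get("event") == "invalid_login":
        return "invalid_login", rec.get("client_ip"), rec.get("identifier")
    return None

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window counters per source IP, in the spirit of a crowdsec leaky bucket.

    bruteforce:     >= threshold login_failed from one IP inside `window`
    enumeration:    >= threshold distinct unknown identifiers from one IP inside `window`
    unattributable: failed-auth events without a client IP, which no IP ban can act on
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit:
            events.append((datetime.fromisoformat(rec["timestamp"]),) + hit)
    events.sort(key=lambda e: e[0])  # log lines may arrive out of order

    buckets = defaultdict(deque)  # (kind, ip) -> deque of (timestamp, identifier)
    flagged = {"bruteforce": set(), "enumeration": set()}
    unattributable = 0
    for ts, kind, ip, identifier in events:
        if not ip:
            unattributable += 1
            continue
        q = buckets[(kind, ip)]
        q.append((ts, identifier))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        if kind == "login_failed" and len(q) >= threshold:
            flagged["bruteforce"].add(ip)
        elif kind == "invalid_login" and len({i for _, i in q}) >= threshold:
            flagged["enumeration"].add(ip)
    return {"bruteforce": sorted(flagged["bruteforce"]),
            "enumeration": sorted(flagged["enumeration"]),
            "unattributable": unattributable}

if __name__ == "__main__":
    print(detect(SAMPLE_LOGS))
```

On the sample above, 203.0.113.7 is flagged for brute force, 192.0.2.9 for enumeration, and the five invalid_login lines without an address end up in the unattributable count, which is exactly the gap the original request describes.
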
sachz19 commented 2 years ago

The same would be interesting for configuring syslog output. I use graylog for logging, and it might be interesting to send authentik application logs. Since I'm not an indices, dashboards or streams specialist for graylog, it would be awesome if someone would find the time to make those!

BeryJu commented 2 years ago

The commit above changes the invalid_login message to be similar in structure to the events being logged, so it should be easier to match.

For the log levels, that's correct, they're all at info. I'm looking into making that a bit more configurable compared to just a single log level.

For a syslog output, that's not really something that should be done by the application imo. Docker itself can send logs to syslog itself.

Typhonragewind commented 1 year ago

@cuthulino Any news on the crowdsec integration?

cuthulino commented 1 year ago

Shame on me...
It is on my to do list but I did not start.

gezuka77 commented 1 year ago

@cuthulino, I would also love to see an authentik collection :)

Slopz commented 1 year ago

This would be amazing!

mdallaire commented 1 year ago

Just an FYI, someone created a crowdsec collection for Authentik. I did a few tests and it works pretty well so far. It checks for brute force and username enumeration.

https://app.crowdsec.net/hub/author/firix/collections/authentik

eglia commented 1 year ago

Maybe I'm too stupid, but how exactly do I get a log file from authentik for sending to crowdsec?

sachz19 commented 1 year ago

Maybe I'm too stupid, but how exactly do I get a log file from authentik for sending to crowdsec?

I also would like to make sure I'm configuring it correctly. I would like to directly read it from docker, the second option in the collection. Is it possible to remove the label part of it and directly let it monitor the authentik_server or do I need to monitor the worker?

cuthulino commented 12 months ago

@mdallaire thanks for that info. The work should not be done multiple times. I close this issue now; it has nothing more to do with authentik.

I just took a look at the collection of firix. It looks good to me. Installed it already.

@eglia and @sachz19 Configuration depends on your setup. You just need to add the collection to crowdsec with cscli collections install firix/authentik and edit your acquis.yaml file.

  1. Crowdsec Agent and Docker with Authentik on the same machine: Just add the lines from the crowdsec hub page and change the container name to the one you use:

    ---
    source: docker
    container_name:
    - authentik
    labels:
     type: authentik

    Crowdsec will read the logs from docker.

  2. Crowdsec and Authentik are running on different machines (I found this way the easiest): Add a syslog Server to your crowdsec agent like this:

    ---
    source: syslog
    listen_addr: <ip>
    listen_port: <port>
    labels:
     type: syslog

    And let docker send the logs of authentik-server to the syslog server with this config in your docker-compose of authentik:

       logging:
         driver: "syslog"
         options:
           syslog-address: "udp://1.2.3.4:567"
           syslog-format: "rfc3164"
           tag: "authentik"

smdion commented 7 months ago

Sorry to add to a closed issue, but I'm adding an additional configuration option for those who are using Authentik and Crowdsec on different hosts and find this post via google. Mine is across a wireguard VPN and I was having issues with the UDP traffic of the syslog server (I think).

I was able to set up a docker-socket-proxy container (tecnativa/docker-socket-proxy) on the same host as my authentik container and connect to the docker socket over TCP from the host with crowdsec.

This is what I added to acquis.yaml:

---
source: docker
container_name:
 - authentik
labels:
  type: authentik
docker_host: tcp://1.2.3.4:2375