itiligent / Guacamole-Installer

Automated install of Guacamole with options for HTTPS reverse proxy, Active Directory integration, MFA, LetsEncrypt, dark theme, MySQL backup, email alerts & more.
GNU Affero General Public License v3.0

Can't create the necessary guacamole.log for Crowdsec #43

Closed Crash1602 closed 2 months ago

Crash1602 commented 2 months ago

Hello,

I’m not sure if this is the right place for my question or problem, but I would like to describe it. Maybe some of you also use this repo with Crowdsec.

I have been using this wonderful Guacamole installer for a while and am very satisfied. Now I also want to protect my Guacamole with Crowdsec. Unfortunately, I can’t get the necessary log to be created.

Guacamole runs on a Debian 12 (minimal installation) machine.

The instructions for the Crowdsec parser are at the following link: https://app.crowdsec.net/hub/author/corvese/configurations/apache-guacamole-logs

logback.xml

I created the file in the path /etc/guacamole/logback.xml with the following content:

<?xml version="1.0" encoding="UTF-8"?>

<configuration>

    <!-- Default appender -->
    <appender name="GUAC-DEFAULT" class="ch.qos.logback.core.FileAppender">
        <file>/var/log/guacamole.log</file>
        <encoder>
            <pattern>%date{"yyyy-MM-dd'T'HH:mm:ss,SSSXXX", UTC} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <!-- Log at WARN level (the level set on <root> below) -->
    <root level="WARN">
        <appender-ref ref="GUAC-DEFAULT" />
    </root>

</configuration>

and also already adapted the existing logback.xml in the path /var/lib/tomcat9/webapps/guacamole/WEB-INF/classes/logback.xml identically.

I do not receive the appropriate apache-guacamole.log, which is necessary for the Crowdsec Parser.

At what point do I need to change something so that the appropriate log is created?

Thanks for your help!

itiligent commented 2 months ago

Hi, I'm glad you find the scripts useful.

I'm not familiar with Crowdsec but I understand what you want to achieve. To start with, I guess the first things to look at that I know may impact logging directly are:

  1. Debian 12 no longer uses syslog - you need journalctl or to re-add syslog components
    EDIT: Test on Debian 11 to confirm if your Crowdsec code works, I'm not sure of Crowdsec's prerequisites there

  2. Permissions might also be an issue (the scripts set guac to run as something like daemon:tomcat and therefore you cannot authenticate interactively - this is by design and might be impacting how Crowdsec interacts with guac logs).

  3. If you are using a reverse proxy, there are settings in the 3-install-nginx.sh script that manipulate Apache log files to pass through the client's real IP to guacamole logs, not the proxy IP - this might also mess you up. Search for "valve" in 3-install-nginx.sh and in /etc/tomcat9/server.xml to get your bearings with that - maybe remove this extra valve code from the server.xml to test.

  4. From memory, if you are not using nginx the script default install sets a redirect on apache to send the root url http://domain:8080 to http://domain:8080/guacamole (I tire of typing the extra directory!) This redirect messes with the default webapps config in apache - so that might also be something to look at.
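
The permissions point in item 2 can be checked directly. The following is an added example, not code from the installer or from either commenter: it reads a logback.xml, lists the file appenders attached to `<root>`, and checks from classic mode bits whether a given service account could write each target. The account name passed on the command line is an assumption you supply.

```python
import os
import stat
import xml.etree.ElementTree as ET

def root_file_targets(logback_xml):
    """Return (root level, [log files of file appenders referenced by <root>])."""
    cfg = ET.fromstring(logback_xml)
    root = cfg.find("root")
    if root is None:
        return None, []
    refs = {r.get("ref") for r in root.findall("appender-ref")}
    files = [a.findtext("file", "").strip()
             for a in cfg.findall("appender")
             if a.get("name") in refs and a.get("class", "").endswith("FileAppender")]
    return root.get("level"), [f for f in files if f]

def can_write(path, uid, gids):
    """Mode-bit check only (no ACLs): may uid/gids write to the existing path?"""
    st = os.stat(path)
    if uid == 0:
        return True
    # Writing into a directory needs write + search (execute) permission.
    need = stat.S_IWUSR | (stat.S_IXUSR if stat.S_ISDIR(st.st_mode) else 0)
    if st.st_uid == uid:
        shift = 0          # owner bits apply
    elif st.st_gid in gids:
        shift = 3          # group bits apply
    else:
        shift = 6          # "other" bits apply
    return (st.st_mode & (need >> shift)) == (need >> shift)

def check_log_target(log_file, uid, gids):
    """Return (ok, reason): can the account append to or create log_file?"""
    parent = os.path.dirname(log_file) or "."
    if os.path.exists(log_file):
        ok = can_write(log_file, uid, gids)
        return ok, f"{log_file} exists, writable by account: {ok}"
    if not os.path.isdir(parent):
        return False, f"{log_file} missing and {parent} does not exist"
    ok = can_write(parent, uid, gids)
    return ok, f"{log_file} missing, account can create it in {parent}: {ok}"

if __name__ == "__main__":
    import pwd, sys
    account = pwd.getpwnam(sys.argv[2])   # account Tomcat runs as (you supply it)
    gids = set(os.getgrouplist(account.pw_name, account.pw_gid))
    with open(sys.argv[1], "rb") as fh:
        level, files = root_file_targets(fh.read())
    print("root level:", level)
    for f in files:
        print(check_log_target(f, account.pw_uid, gids)[1])
```

Saved under a name of your choosing, it takes the logback.xml path and the service account name as its two arguments. It only checks the log file or its immediate parent directory and does not model ACLs, service sandboxing or MAC policy.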

itiligent commented 2 months ago

Closing this as no further info provided and likely not a Guacamole issue.

Crash1602 commented 2 months ago

Hi itiligent,

thank you very much for your response! Please excuse my late reply, I had overlooked the email about a new comment and hadn’t checked back to see if there was anything new. Thank you very much for the suggestions for a solution; I will take a look at them and try to get it done.