On Tue, Oct 25, 2022 at 2:54 PM Jonathan Rugther <[email protected]>
wrote:
> When guacamole-auth-sso-saml enabled , is it possible to get an audit log
> file of the ip address or id of the instance a user is trying to connect to?
>
Yes - this is already logged by Guacamole and should show up wherever your
Tomcat install logs its messages. This could be within the systemd journal
(journalctl), somewhere beneath /var/log, in a file called "catalina.out",
etc. The location of the Tomcat logs varies by how Tomcat was installed and
who packaged it.
The source IP addresses of all authentication attempts are logged,
regardless of what auth backend ultimately handles that request. You'll see
messages like the following:
User "foo" successfully authenticated from 1.2.3.4.
Authentication attempt from 1.2.3.4 for user "foo" failed.
After a user has successfully authenticated, the ID of any connection(s)
that an authenticated user attempts to use is logged like:
User "guacadmin" connected to connection "123"
Before switching over to SSO, the tomcat9 logs had a reference to the
> guac_id that we were able to utilize but I don't see anything similar now.
>
What guac_id are you referring to here? It sounds like you might be looking
at the query parameters of requests within Tomcat's access logs, not the
logs of the Guacamole webapp.
- Mike
