
Docker guacamole/guacamole | Collection corvese/apache-guacamole | Parsing stdout does not work #1199

Crash1602 opened this issue Dec 19, 2024 · 8 comments · May be fixed by #1239

@Crash1602

Hello everyone,

I have previously installed and operated my Guacamole installation directly on Debian. Unfortunately, despite extensive research (for me), it was not possible to generate the necessary logs for the collection to be applied.

Now I run my Guacamole installation as a Docker Compose stack. The Guacamole client delivers the necessary information for the collection in the Docker standard output, but unfortunately, the log structure differs from the normal one.

At least my test string fails:

cscli explain --log '07:27:04.499 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [98.225.139.30, 172.30.0.4] for user "test" failed.' --type apache-guacamole -v

Stdout Docker:

07:25:56.900 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [98.225.139.30, 172.30.0.4] for user "guacauth" failed.
07:26:04.835 [http-nio-8080-exec-10] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from [98.225.139.30, 172.30.0.4].
07:26:20.051 [http-nio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from [98.225.139.30, fd30:0:0:0:0:0:0:5].
07:26:58.210 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [98.225.139.30, 172.30.0.4] for user "guacauth" failed.
07:27:04.499 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [98.225.139.30, 172.30.0.4] for user "test" failed.

If IPv6 entries are also needed, I will try to provide them later.

I have directly integrated the Docker container into the CrowdSec of the Docker host.

source: docker
container_name:
  - guacamole-client-prod
labels:
  type: apache-guacamole

It would be great if there were a custom collection or parser for the Docker variant.

Thank you!

cscli_explain.txt

@LaurenceJJones
Contributor

LaurenceJJones commented Dec 19, 2024

Hey 👋🏻

From what I can see from the parser and the logs you have given, the only section that I would say is failing to parse is the timestamp: we expect an ISO 8601 format, and this is just showing a time and no date.

Is there a way to control this format or should we update the parser to expect both?

@Crash1602
Author

Crash1602 commented Dec 19, 2024

Hey @LaurenceJJones ,

thanks for your answer. I haven't found any documented option to adjust the timestamp using an environment variable. If it works and both are expected and accepted, that would certainly be a simple and great solution!

Thank you!

  1. Guacamole-Client: https://hub.docker.com/r/guacamole/guacamole
  2. Compose-Example: https://github.com/boschkundendienst/guacamole-docker-compose

@Crash1602
Author

Hey @LaurenceJJones ,

I wish you a happy new Year! Is there an update on the extended acceptance of the date format?

@Crash1602
Author

> ...should we update the parser to expect both?

Hey @LaurenceJJones ,

I would like to inquire if there are any updates on this topic? Thanks.

@LaurenceJJones
Contributor

LaurenceJJones commented Feb 3, 2025

I created the PR; however, it's kind of flaky. Did you happen to stumble upon these instructions left by the original contributor that describe how to add the correct timestamp?

https://app.crowdsec.net/hub/author/corvese/log-parsers/apache-guacamole-logs

Yes, it's not via an environment variable, but I guess you can expose the configuration to disk to make these changes.

@Crash1602
Author

Thank you for your answer.

I looked at the description again because of your hint and I have to admit that I had forgotten the part about Docker. I tested the logback information directly on Debian when I installed Guac and unfortunately it didn't work. I have just implemented the hint for Docker and it actually works with the first logback example (without creating a file)!

I'm sorry for the trouble, but I think that the improvement regarding the acceptance of both timestamps is a good idea because it means the log can be parsed without any extra configuration. Sometimes the solution is right in front of you and you can't see it (: Many thanks for your support.

My Log with the customized Logback.xml:

2025-02-03T13:12:15,135Z [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, 172.30.0.250] for user "Test" failed.
2025-02-03T13:12:16,446Z [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, 172.30.0.250] for user "Test" failed.
2025-02-03T13:12:17,831Z [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.
2025-02-03T13:12:19,251Z [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, 172.30.0.250] for user "Test" failed.
2025-02-03T13:12:20,514Z [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.
2025-02-03T13:12:22,067Z [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.


@LaurenceJJones
Contributor

> Thank you for your answer.
>
> I looked at the description again because of your hint and I have to admit that I had forgotten the part about Docker. I tested the logback information directly on Debian when I installed Guac and unfortunately it didn't work. I have just implemented the hint for Docker and it actually works with the first logback example (without creating a file)!
>
> I'm sorry for the trouble, but I think that the improvement regarding the acceptance of both timestamps is a good idea because it means the log can be parsed without any extra configuration. Sometimes the solution is right in front of you and you can't see it (: Many thanks for your support.
>
> My Log with the customized Logback.xml:
>
> 2025-02-03T13:12:15,135Z [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, 172.30.0.250] for user "Test" failed.
> 2025-02-03T13:12:16,446Z [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, 172.30.0.250] for user "Test" failed.
> 2025-02-03T13:12:17,831Z [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.
> 2025-02-03T13:12:19,251Z [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, 172.30.0.250] for user "Test" failed.
> 2025-02-03T13:12:20,514Z [http-nio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.
> 2025-02-03T13:12:22,067Z [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.

It can be done; however, there are two pitfalls:

  • using cold log mode will result in potential false positives due to all timestamps being read on the same day.
  • our testing framework likes to know the date 😆; it causes more overhead for us, as you can see from my changes, where I had to edit the test files by hand.

So it will be great for UX as they install and it seamlessly works, but these two tradeoffs can bite us in the ass later. So what I will do is ask the team for their opinions, as I don't want to take my bias in there, and see what they say.
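To make the two timestamp shapes discussed in this thread concrete, here is an added example (not the hub parser's code and not part of this issue) that accepts both the Docker stdout format (`07:27:04.499`, time only) and the ISO 8601 format produced by a customized `logback.xml` (`2025-02-03T13:12:17,831Z`), extracts the user, outcome and client address from the lines quoted above, and flags every event whose date had to be assumed. That flag is the cold-log pitfall from the previous comment made visible: a time-only line can only be assigned "today" (or a date the caller supplies), so a replayed file collapses onto one day. The sample lines are copied from this issue; the function names, the `today` parameter and the choice of the first non-private address as the client source are assumptions of this example.

```python
import re
from datetime import date, datetime, timezone
from ipaddress import ip_address

# Sample lines taken from this issue: Docker stdout (time only) and
# customized logback.xml (ISO 8601 with comma millisecond separator).
SAMPLE_LINES = [
    '07:27:04.499 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - '
    'Authentication attempt from [98.225.139.30, 172.30.0.4] for user "test" failed.',
    '2025-02-03T13:12:17,831Z [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - '
    'Authentication attempt from [123.123.123.123, fd30:0:0:0:0:0:0:250] for user "Test" failed.',
    '07:26:04.835 [http-nio-8080-exec-10] INFO  o.a.g.r.auth.AuthenticationService - '
    'User "guacadmin" successfully authenticated from [98.225.139.30, 172.30.0.4].',
]

# Generic logback layout: <timestamp> [<thread>] <LEVEL> <logger> - <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[(?P<thread>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+'
    r'(?P<logger>\S+)\s+-\s+(?P<msg>.*)$'
)
FAIL_RE = re.compile(
    r'Authentication attempt from \[(?P<ips>[^\]]+)\] for user "(?P<user>[^"]*)" failed\.'
)
OK_RE = re.compile(
    r'User "(?P<user>[^"]*)" successfully authenticated from \[(?P<ips>[^\]]+)\]\.'
)


def parse_timestamp(ts, today=None):
    """Return (aware datetime, date_missing).

    Accepts '2025-02-03T13:12:17,831Z' (ISO 8601, comma millis, trailing Z)
    and '07:27:04.499' (Docker stdout, no date). For the latter the date is
    assumed: `today` if given, else the current day (the cold-log pitfall).
    """
    if 'T' in ts:
        norm = ts.replace(',', '.')           # comma millis -> fromisoformat-compatible
        if norm.endswith('Z'):
            norm = norm[:-1] + '+00:00'       # Python < 3.11 fromisoformat rejects 'Z'
        return datetime.fromisoformat(norm), False
    t = datetime.strptime(ts, '%H:%M:%S.%f').time()
    d = today or date.today()
    return datetime.combine(d, t, tzinfo=timezone.utc), True


def pick_client_ip(ip_list):
    """Assumption: the bracketed list is a forwarded-address chain and the
    first non-private entry is the client; private/ULA entries are proxies."""
    addrs = [s.strip() for s in ip_list.split(',')]
    for a in addrs:
        if ip_address(a).is_global:
            return a
    return addrs[0]


def parse_line(line, today=None):
    """Return an event dict for an authentication line, or None if it is
    not an authentication message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    if (f := FAIL_RE.search(msg)):
        outcome = 'failed'
    elif (f := OK_RE.search(msg)):
        outcome = 'success'
    else:
        return None
    when, date_missing = parse_timestamp(m.group('ts'), today)
    return {
        'timestamp': when,
        'date_missing': date_missing,   # True => date was assumed, not logged
        'level': m.group('level'),
        'user': f.group('user'),
        'source_ip': pick_client_ip(f.group('ips')),
        'all_ips': [s.strip() for s in f.group('ips').split(',')],
        'outcome': outcome,
    }


def parse_lines(lines, today=None):
    return [e for e in (parse_line(l, today) for l in lines) if e]


def failed_attempts_by_ip(events):
    """Count failed logins per client address (the input to a ban decision)."""
    counts = {}
    for e in events:
        if e['outcome'] == 'failed':
            counts[e['source_ip']] = counts.get(e['source_ip'], 0) + 1
    return counts


if __name__ == '__main__':
    for ev in parse_lines(SAMPLE_LINES, today=date(2024, 12, 19)):
        print(ev['timestamp'].isoformat(), ev['outcome'], ev['user'],
              ev['source_ip'], 'DATE ASSUMED' if ev['date_missing'] else '')
    print(failed_attempts_by_ip(parse_lines(SAMPLE_LINES)))
```

Any consumer of these events that applies a time window (a bucket of N failures within M minutes, as the hub scenarios do) should treat `date_missing` events from a replayed file with suspicion, since every such line lands on the same day; for a live stream the assumed date is the current one and the behaviour is correct.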

@Crash1602
Author

Crash1602 commented Feb 3, 2025

What have I just triggered 🙈 Thank you for the work you do.
