[ https://issues.apache.org/jira/browse/GUACAMOLE-2047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17938780#comment-17938780 ]
Rik Giles commented on GUACAMOLE-2047:
--------------------------------------

I have written the attached PoC ([^ConnectionLogger.java]) which is working in my environment. With additional timestamp modifications to logback.xml the output looks as shown below.
{code:java}
2025-03-26T10:22:17.348+01:00 [https-openssl-nio-8443-exec-1] INFO o.a.g.s.event.ConnectionLogger - event=open_tunnel, uuid=2cf5c723-499d-35a9-83a0-4fd8b5dc5697, protocol=ssh, sourceUser=rikochet, sourceAddr=[redacted public IP], destinationUser=rikochet@domain.local, destinationAddr=172.22.16.123
{code}
If I submit a pull request on GitHub to add a new extension `guacamole-client/extensions/guacamole-connection-logger`, is this likely to get accepted?

> Enhance logging for security monitoring
> ---------------------------------------
>
>                 Key: GUACAMOLE-2047
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2047
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: Rik Giles
>            Priority: Trivial
>         Attachments: ConnectionLogger.java
>
>
> The default logging implementation of Guacamole client does not record
> sufficient information for security monitoring.
> Adding the following telemetry would enable security engineers to create
> detection rules in SIEMs to generate alerts for suspicious behavior:
> * Event (open/close connection)
> * Source IP address (X-FORWARDED-FOR)
> * Source Username (from Guacamole session)
> * Destination IP address (of connection object)
> * Destination Username (used to authenticate with connection object)
> * Protocol (SSH/VNC/RDP)
>
> This proposed feature can be achieved through the use of
> `org.apache.guacamole.net.event.TunnelConnectEvent` and can be implemented as
> an optional extension (as per guacamole-auth-ldap, guacamole-vault etc.)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
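
The kind of SIEM detection rule the issue has in mind, run over log lines in the format shown in the comment above. This is an added example, not part of the attached PoC or of Guacamole; the function names, rule names, thresholds and sample lines (documentation-range addresses, users alice and bob) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout seen in the comment: "<timestamp> [<thread>] <LEVEL> <logger> - k=v, k=v, ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) \[[^\]]+\]\s+\w+\s+(?P<logger>\S+) - (?P<body>.*)$")
# Values may contain spaces, so a value runs to the next ", key=" or end of line.
# Assumption: values never contain ", key=" themselves (the sample shows no quoting).
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

def parse_line(line):
    """Return the event fields as a dict, or None for lines from other loggers."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("logger").endswith("ConnectionLogger"):
        return None
    fields = dict(PAIR_RE.findall(m.group("body")))
    fields["time"] = datetime.fromisoformat(m.group("ts"))
    return fields

def detect(lines, window=timedelta(minutes=10), max_sources=1, max_destinations=3):
    """Alert when one sourceUser opens tunnels from too many source addresses,
    or to too many destinations, inside a sliding window. Lines must be in time order."""
    recent = defaultdict(list)  # sourceUser -> [(time, sourceAddr, destinationAddr)]
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev.get("event") != "open_tunnel":
            continue
        user, hist = ev.get("sourceUser", "?"), recent[ev.get("sourceUser", "?")]
        hist.append((ev["time"], ev.get("sourceAddr", "?"), ev.get("destinationAddr", "?")))
        hist[:] = [h for h in hist if ev["time"] - h[0] <= window]  # drop expired events
        sources, dests = {h[1] for h in hist}, {h[2] for h in hist}
        if len(sources) > max_sources:
            alerts.append(("multiple_source_addresses", user, sorted(sources)))
        if len(dests) > max_destinations:
            alerts.append(("destination_fan_out", user, sorted(dests)))
    return alerts

PREFIX = "[exec-1] INFO o.a.g.s.event.ConnectionLogger - event=open_tunnel, uuid=00000000-0000-0000-0000-00000000000"
SAMPLE = [  # constructed log lines, not real telemetry
    f"2025-03-26T10:22:17.348+01:00 {PREFIX}1, protocol=ssh, sourceUser=alice, sourceAddr=203.0.113.10, destinationUser=alice@example.test, destinationAddr=10.0.0.5",
    f"2025-03-26T10:24:00.000+01:00 {PREFIX}2, protocol=rdp, sourceUser=alice, sourceAddr=198.51.100.7, destinationUser=alice@example.test, destinationAddr=10.0.0.6",
    f"2025-03-26T10:25:00.000+01:00 {PREFIX}3, protocol=ssh, sourceUser=bob, sourceAddr=203.0.113.20, destinationUser=bob@example.test, destinationAddr=10.0.0.5",
    "2025-03-26T10:25:30.000+01:00 [main] INFO c.example.Other - unrelated message",
    f"2025-03-26T11:00:00.000+01:00 {PREFIX}4, protocol=ssh, sourceUser=alice, sourceAddr=203.0.113.10, destinationUser=alice@example.test, destinationAddr=10.0.0.5",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```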