Hello,

Thank you for your answer. This is something I was expecting.

Can't we expose the user name provided by the client in connection logs?
https://github.com/apache/guacamole-server/compare/main...andrejshapal:guacamole-server:main

> guacd[1]: INFO: Connection ID is "$8ded5d8c-0631-4613-92f4-aac891581c61"
> guacd[18]: INFO:        Cursor rendering: local
> guacd[18]: INFO:        User "@c4724fb7-3605-4fef-8775-35a33de8d029"
> ("guacadmin") joined connection "$8ded5d8c-0631-4613-92f4-aac891581c61" (1
> users now present)
> guacd[18]: ERROR:       Unable to connect to VNC server.
> guacd[18]: INFO:        User "@c4724fb7-3605-4fef-8775-35a33de8d029"
> ("guacadmin") disconnected (0 users remain)
> guacd[18]: INFO:        Last user of connection
> "$8ded5d8c-0631-4613-92f4-aac891581c61" disconnected
> guacd[1]: INFO: Connection "$8ded5d8c-0631-4613-92f4-aac891581c61" removed.


On Tue, Jan 28, 2025 at 21:47, Nick Couchman <vn...@apache.org> wrote:

>
>
> On Tue, Jan 28, 2025 at 7:56 AM Anakien Skywalker <njuhaand...@gmail.com>
> wrote:
>
>> Hello,
>>
>> I have checked the source code and found that the user ID is generated
>> randomly using some prefix.
>>
>
> They are random. I do not believe there is any common prefix - it is just
> a UUID.
>
>
>>
>> This is not so good for audit logs. Maybe someone from the Guacamole
>> maintainers could look into it?
>>
>> On Tue, Dec 10, 2024 at 23:43, Anakien Skywalker <njuhaand...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Thank you Peter for such detailed analysis.
>>>
>>> I would like to add a few comments:
>>>
>>> Any logging application (promtail, fluentd, etc.) attaches a timestamp
>>> without any problem.
>>>
>>> The timestamp itself can't be the source of truth since when guacamole is
>>> used by multiple users at the same time it is impossible to match the
>>> events.
>>>
>>> Internal connections history is nice. But from a security perspective
>>> the last source of truth usually is logging.
>>>
>>>
> There is no direct link or mapping between the UUIDs generated for users
> and connections in guacd and those used by Guacamole Client - indeed, guacd
> has no direct knowledge of the user accounts present in the client.
>
> There is an open feature request for adding some linkage between
> guacd's generated UUIDs and the client; however, nothing has been done on
> it, yet:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-752
>
> Finally I'll mention that, if auditing is important to you, you can use
> connection recording with the history recording extension to more directly
> link sessions between the client and guacd:
>
> https://guacamole.apache.org/doc/gug/recording-playback.html
>
> -Nick
>
>>
