We would like to see authentication logs for ntopng.
In the newest packaged version of ntopng 6.3.250214 you can already (kinda) see authentication logs when users try to log in via LDAP when the LDAP debug option is set:
Failed login:
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:464] Attemping auth connection to LDAP server ldaps://10.0.0.1:636 using password ****
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:493] LDAP lookup in OU=Testing,DC=test with filter samaccountname=my_username
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:519] Attribute: cn Value: my_username
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:519] Attribute: sn Value: also_mostly_my_username
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:519] Attribute: distinguishedName Value: CN=my_username,OU=Testing,DC=test
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:519] Attribute: memberOf Value: CN=ntopng_admins,OU=groups,DC=test
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:573] ERROR: Could not bind to distinguishedName/dn/sn attribute
And when the login is successful, the error message is basically omitted:
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:464] Attemping auth connection to LDAP server ldaps://10.0.0.1:636 using password ****
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:493] LDAP lookup in OU=Testing,DC=test with filter samaccountname=my_username
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:519] Attribute: cn Value: my_username
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:519] Attribute: sn Value: also_mostly_my_username
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:519] Attribute: distinguishedName Value: CN=my_username,OU=Testing,DC=test
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:519] Attribute: memberOf Value: CN=ntopng_admins,OU=groups,DC=test
But this currently just seems to work for LDAP. When trying to log in with a local user, you'll get no logs at all. And when the password for the local user is wrong, it tries to query the LDAP server and fails:
14/Feb/2025 08:54:06 [LdapAuthenticator.cpp:464] Attemping auth connection to LDAP server ldaps://10.0.0.1:636 using password ****
14/Feb/2025 08:54:06 [LdapAuthenticator.cpp:493] LDAP lookup in OU=Testing,DC=test with filter samaccountname=not_my_username
14/Feb/2025 08:54:06 [LdapAuthenticator.cpp:577] no matching memberOf attribute found for any privileged/unprivileged group
What do I want?
It would be nice to have logs that are more clear and work for every type of authentication. So for example, when trying to log in via LDAP or a local user:
14/Feb/2025 08:54:55 [LdapAuthenticator.cpp:xxx] Successful login from <my_user> via LDAP from IP <w.x.y.z>
14/Feb/2025 08:55:10 [LdapAuthenticator.cpp:xxx] Successful login from <my_user> via local authentication from <w.x.y.z>
And if the login fails, to have a statement like:
14/Feb/2025 08:58:55 [LdapAuthenticator.cpp:xxx] Failed login from <my_user> (tried local authentication & LDAP) from IP <w.x.y.z>
Why do you and others need this?
We would need this for security reasons :)
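Until unified authentication logs exist, the outcome of an LDAP login has to be inferred from the debug lines quoted above. The following is an added example (not ntopng code and not written by the issue author) that groups those lines into attempts and classifies each one; the function name `ldap_attempts` is hypothetical, and it assumes concurrent logins are not interleaved in the log.

```python
import re

# Sample input: debug lines quoted in the issue above (some Attribute lines trimmed).
SAMPLE = """\
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:464] Attemping auth connection to LDAP server ldaps://10.0.0.1:636 using password ****
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:493] LDAP lookup in OU=Testing,DC=test with filter samaccountname=my_username
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:519] Attribute: memberOf Value: CN=ntopng_admins,OU=groups,DC=test
14/Feb/2025 08:30:37 [LdapAuthenticator.cpp:573] ERROR: Could not bind to distinguishedName/dn/sn attribute
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:464] Attemping auth connection to LDAP server ldaps://10.0.0.1:636 using password ****
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:493] LDAP lookup in OU=Testing,DC=test with filter samaccountname=my_username
14/Feb/2025 08:31:15 [LdapAuthenticator.cpp:519] Attribute: memberOf Value: CN=ntopng_admins,OU=groups,DC=test
14/Feb/2025 08:54:06 [LdapAuthenticator.cpp:464] Attemping auth connection to LDAP server ldaps://10.0.0.1:636 using password ****
14/Feb/2025 08:54:06 [LdapAuthenticator.cpp:493] LDAP lookup in OU=Testing,DC=test with filter samaccountname=not_my_username
14/Feb/2025 08:54:06 [LdapAuthenticator.cpp:577] no matching memberOf attribute found for any privileged/unprivileged group
"""

# Match on message text, not on the source line number, which shifts between builds.
LINE = re.compile(r"^(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) \[LdapAuthenticator\.cpp:\d+\] (.*)$")
FILTER = re.compile(r"with filter samaccountname=(\S+)")

def ldap_attempts(text):
    """Group LDAP debug lines into login attempts and infer each outcome."""
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if msg.startswith("Attemping auth connection"):  # spelling as logged
            # Success is only inferred: it stays "success" unless a failure line follows.
            attempts.append({"time": ts, "user": None, "outcome": "success", "reason": None})
        elif attempts:
            cur = attempts[-1]
            f = FILTER.search(msg)
            if f:
                cur["user"] = f.group(1)
            elif msg.startswith("ERROR:") or "no matching memberOf attribute" in msg:
                cur["outcome"], cur["reason"] = "failure", msg
    return attempts

if __name__ == "__main__":
    for a in ldap_attempts(SAMPLE):
        print(a["time"], a["user"], a["outcome"], a["reason"] or "")
```

The debug lines carry no client IP and do not distinguish a failed local login that fell through to LDAP from a plain LDAP failure, so this reconstruction cannot supply either field.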
Please note user login activities are also logged using alerts. You can find them under Alerts -> Explorer -> User. Thus another option is to extend those alerts with missing information, if any, and still keep the system logs for debugging only. What do you think?