Help with coturn | CrowdSec | Page 1

primal pilot Dec 29, 2024, 6:47 AM

#

Hi I am trying to figure out how to parse coturn logs. I have attached sample logs (please see below), but the documents are a bit too overwhelming for me. Can someone please help?

In the logs, 1.2.3.4 is the IP I am trying to block (it is trying to connect using a wrong credential), I have redacted the real domain name as "mydomain.com" and real user as "useradam". My coturn server's public IP address is shown as 5.6.7.8 in the logs.

warm summitBOT Dec 29, 2024, 6:47 AM

#

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

primal pilot Dec 29, 2024, 6:49 AM

#

This is the log

📎 turnserver_2024-12-28.log

sullen robin Dec 29, 2024, 9:28 AM

#

So just so I can understand the logs, they are multilined and the <number>:: is the session ID tied to the connection? or is it session <long_number> that is the session?

#

cause its a bit difficult from the logs to tie the ip address to the session as it only states the ip address from the session when the ip disconnects.

4969: : session 002000000000000002: realm <mydomain.com> user <>: incoming packet message processed, error 401: Unauthorized
4970: : session 002000000000000002: realm <mydomain.com> user <useradam>: incoming packet message processed, error 401: Unauthorized
4973: : session 002000000000000002: TLS/TCP socket disconnected: 1.2.3.4:10035
4973: : session 002000000000000002: usage: realm=<mydomain.com>, username=<useradam>, rp=2, rb=140, sp=2, sb=184
4973: : session 002000000000000002: peer usage: realm=<mydomain.com>, username=<useradam>, rp=0, rb=0, sp=0, sb=0
4973: : session 002000000000000002: closed (2nd stage), user <useradam> realm <mydomain.com> origin <>, local 5.6.7.8:3478, remote 1.2.3.4:10035, reason: TLS/TCP socket buffer operation error (callback)

so from here we can see session 002000000000000002 gets 2 401 and we only can see the ip address once they disconnect.

primal pilot Dec 29, 2024, 6:36 PM

#

sullen robin So just so I can understand the logs, they are multilined and the `<number>::` i...

I believe session <long_number> is session ID. The initial number seems to be seconds eclipsed from beginning.

#Help with coturn