Guacamole is a great HTML5 VPN gateway. It allows me to access internal applications without having to install any software. I wrote about it briefly in this article. It wasn’t until my Splunk indexer warned that I had exceeded my 500MB quota (the maximum for the free license) that I realized Guacamole has a verbosity problem.
In examining the logs, it appears that Guacamole makes about 6 HTTP requests per second while you’re using it. This problem is magnified if you have Guacamole sitting behind an Apache server, as each request is logged twice: once in the Apache access logs, and again in the Tomcat access logs.
Since I already have that same information in the Apache access logs and I don’t allow access directly to Tomcat, I set out to disable Tomcat access logging completely. Things have changed between versions, so it got a little confusing.
To disable logging in Tomcat 7, you have to edit /etc/tomcat7/server.xml (that’s where it lives in Ubuntu Server 14.04 anyway) and comment out a section (thanks to Stack Overflow for helping me figure this out).
vim /etc/tomcat7/server.xml
Find this line:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
Comment out the line like this:
<!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/> -->
Save the file and restart Tomcat.
:wq
service tomcat7 restart
No more duplicate logging.
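With the valve commented out, the Apache access log is the only record of requests to Guacamole, which holds only while Tomcat cannot be reached directly. The following check is an added example, not part of the original post: it parses a server.xml, lists any AccessLogValve still active, and flags connectors not bound to loopback. The function name, the loopback list and the embedded sample file are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ACCESS_LOG = "org.apache.catalina.valves.AccessLogValve"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # assumed set of loopback spellings

def audit_server_xml(xml_data):
    """Return (active_access_log_valves, exposed_connector_ports).

    ElementTree discards XML comments while parsing, so a valve wrapped
    in <!-- --> is treated as disabled, exactly as Tomcat treats it.
    """
    root = ET.fromstring(xml_data)
    valves = [v.get("prefix", "?") for v in root.iter("Valve")
              if v.get("className") == ACCESS_LOG]
    # A Connector without an address attribute listens on all interfaces,
    # so requests could reach Tomcat without passing through Apache.
    exposed = [c.get("port", "?") for c in root.iter("Connector")
               if c.get("address") not in LOOPBACK]
    return valves, exposed

# Constructed sample (not a real configuration): access log disabled as in
# the post, HTTP bound to loopback, AJP left listening on every interface.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/> -->
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    # Pass a path such as /etc/tomcat7/server.xml; falls back to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    valves, exposed = audit_server_xml(data)
    print("active access-log valves:", valves or "none")
    print("connectors not bound to loopback:", exposed or "none")
```

Any port reported in the second line is a path to Tomcat that the Apache access log will not see once Tomcat's own access log is off.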
Nicholas,
Which logs are you sending to Splunk to monitor Guacamole? Are you still having problems reaching the 500MB limit?
-Sam
I am just having it monitor /var/log. My problems went away after squelching Tomcat logs, although if Guacamole is used extensively it does still create a lot of log data. I’ve since learned that Splunk offers a free 6-month developer license which gives you 10GB a day, and once the six months is up you can simply request another. That is what I am doing currently so I don’t have to worry about the 500MB anymore 🙂