16 Replies Latest reply: Feb 9, 2010 7:03 AM by CarphuntinGod RSS

    Reading Log Files

    CarphuntinGod Community Member

      After yesterday's fiasco and authentication hole plugging, I have two questions.

       

      First, in our Access log, i can see where our FMLE start and stop live publishing  (i see publish and unpublish in the logs).  Now, my logs might not be long enough...but whoever bounced their feed through our server...I don't see publish/unpublish entries in the log.   Do some encoders pump VOD through the flash server in such a way that they aren't marked as publish/unpublish?  What can I look for in the logs for these encoders?

       

       

      Second, in my thread yesterday, I asked where I would see authentication granted/denied entries in the logs.  I don't know if it logs by default, and where... or if I have to add something to logger.xml.  Anyone know?

        • 1. Re: Reading Log Files
          Janaki Lakshmikanthan Employee Hosts

          Same here, check whether you have enabled 'publish' and 'unpublish' events for access log using Logger.xml. Otherwise FMS logs all the events in access log that are enabled in Logger.xml.

           

          Regards,

          Janaki L

          • 2. Re: Reading Log Files
            CarphuntinGod Community Member

            I've found that while all other logs are appearing in the "logs" directory on my FMIS server... I have none of the authEvent logs.   the logger xml section looks ok... but there are no logs.

             

            I'm searching the entire system to see if they're going somewhere weird... but it really looks like they're just not being created.

            • 3. Re: Reading Log Files
              Janaki Lakshmikanthan Employee Hosts

              authEvent logs will be created only if you have authorization plugin installed in the FMS. Also check if you get authMessage log which

              will give you more details on loading the authorization plugin. If you have any problem with the auth plugin, authMessage log will have statements related to that.

               

              Regards,

              Janaki L

              • 4. Re: Reading Log Files
                CarphuntinGod Community Member

                I believe I have the authorization plugin installed.  I've installed the authenticator listed on this page with FMLE materials https://www.adobe.com/cfusion/entitlement/index.cfm?e=fmle3.  I've set up users, and now FMLE clients do have to enter name/pass to connect.

                 

                No authevent authmessage logs are appearing.

                • 5. Re: Reading Log Files
                  CarphuntinGod Community Member

                  adding to this... looking at my logger.xml, authEvents, authMessage, and fileMessage logs should all be generated, but none of these appear in the logs directory.  Also missing are the authEvents.rot, authMessage.rot, etc files.

                   

                  I'm uncertain where to look to see why none of these files are being created/triggerd by FMIS.

                  • 6. Re: Reading Log Files
                    Janaki Lakshmikanthan Employee Hosts

                    Got the issue now... You dont have Authorization plug-in (c++), you have FMLE Authentication plug-in right? I was talking about Authorization plugin which generates authEvent and message log files.

                     

                    Regards,

                    Janaki L

                    • 7. Re: Reading Log Files
                      vgokhale

                      Hi,

                       

                            The events publish and unpublish should be enabled in logger.xml for the events to be logged in access.00.log when ever FMLE client publishes/unpublishes the stream. You can enable these events in tag Logger ->Access->Events for events to be logged in access log. By default these events are not enabled in logger.xml.

                       

                      Regarding your second query about authentication: The uses that fail authentication process from FMLE will log a connect event in access log with status code 403 indicating the connection was rejected due to authorization.

                      For more clarification from logs you can enable c-user-agent and c-referrer fields in the logger.xml(Logger ->Access->Fields) for access logs.

                       

                      Thanks

                            Viraj

                      • 8. Re: Reading Log Files
                        CarphuntinGod Community Member

                        Ok... where do I find the authentication plugin?


                        • 9. Re: Reading Log Files
                          CarphuntinGod Community Member

                          Ok, I'll scan for the 403 codes (I think I already turned on the features you suggested as I was trying to get as much info out of the thing as possible).

                           

                          Now... dumb question.  I know when the FMLE's connect, I see publish/unpublish messages. Can any other encoder engines that could talk to the FMIS run streams without generating these messages?  Can they get around the FMLE authenticator plugin?

                          • 10. Re: Reading Log Files
                            Janaki Lakshmikanthan Employee Hosts

                            In FMS if you have enabled publish/unpublish events in log files, then it is logged for any clients who perform this operation with that FMS. It cannot discard the events for specific clients. FMLE Authentication addIn applies for FMLE. Other publishers can publish without authenticating it.

                            I hope this helps.

                             

                            Regards,

                            Janaki L

                            • 11. Re: Reading Log Files
                              CarphuntinGod Community Member

                              Thanks... that helps.  It lets me know we probably are still susceptible to unwanted streams.

                              • 12. Re: Reading Log Files
                                CarphuntinGod Community Member

                                I checked our logs, and found these entries.  A remote viewing site is calling a channel that we don't have on our site... I can't find anything in the logs that looks like a "publish" for this thing... so I can't tell what might have been passed through us.

                                 


                                #Fields: date    time    x-category    x-event    x-status    x-sname    x-pid    c-ip    cs-bytes    sc-bytes    sc-stream-bytes    x-file-size    x-file-length    c-user-agent    c-referrer    c-proto    x-comment

                                 

                                2010-02-07    00:15:58    session    connect    200    -    4540    24.130.211.56    3073    3073    -    -    -    WIN 10,0,22,87    http://nadorlive.com/swf/hd.swf    rtmp    -

                                 

                                2010-02-07    00:15:59    stream    play    200    netherlandschannel    4540    24.130.211.56    3136    3451    0    -    -    WIN 10,0,22,87    http://nadorlive.com/swf/hd.swf    rtmp    -

                                 

                                2010-02-07    00:16:22    stream    stop    408    netherlandschannel    4540    24.130.211.56    3170    3915    374    -    -    WIN 10,0,22,87    http://nadorlive.com/swf/hd.swf    rtmp    -

                                 

                                The nadorlive site looks like another tv viewer site (same sort of thing that hit us before).

                                • 13. Re: Reading Log Files
                                  Janaki Lakshmikanthan Employee Hosts

                                  From the log entry which you have provided, this client is not publishing the data. It is playing your stream. If this is not your right client and wanted to block such client... you have few things to follow to protect your server from streaming to unwanted clients.

                                   

                                  You can use "authorization plugin" to authenticate your clients or use "SWF verification" feature, if you dont want to add authentication code at your server side application.

                                   

                                  Regards,

                                  Janaki L

                                  • 14. Re: Reading Log Files
                                    CarphuntinGod Community Member

                                    I know this is not a publisher.

                                     

                                    The disturbing thing is, if I'm reading the status codes correctly, there was no failure saying we don't have this stream.

                                     

                                    I've examined the logs and looked through our server... this stream doesn't exist on our site.

                                     

                                    What I believe is happening is that someone is pumping a stream through us, and clients are picking it up from us.  When I mention I couldn't find a publish event... I meant if they are picking up a stream via us...I should see it being published somewhere.  To this point, I haven't found anything but our known streams.

                                     

                                    the nadoronline.com looks to be an aggregator like the first site we found pumping out television streams.

                                     

                                    No one has said yet how to activate the authenticator plugin (other than the FMLE one we've already installed).  We'll have to eyeball swf verification to see what what's involved for all the developed apps we've already deployed.

                                     

                                    I'm also going to have to check to see how many more UW system servers are being abused this way and see if we don't need to go another route with our streaming video implementations.

                                    • 15. Re: Reading Log Files
                                      sansqu Community Member

                                      Flash Media Interactive Server and Flash Media Development Server provide a plug‑in architecture written in C++. With the installation of these server , you will get sample access, authoriazation plugins. You can customize these as per your need.

                                      For more info, please go through the live docs here http://help.adobe.com/en_US/FlashMediaServer/3.5_Plugin/

                                      • 16. Re: Reading Log Files
                                        CarphuntinGod Community Member

                                        man... this is getting way above my pay grade.... they need a checkbox to turn on authentication