...

WCS Core logging is handled by the log4j.properties config and a number of settings in flashphoner.properties:

Logging settings in flashphoner.properties

...

This is a standard config of the log4j format.

 Image RemovedImage Added

Settings description

...

To switch client logging off the following should be set in flashphoner.properties file

enable_extended_logging=false

...

client_log_level=INFO

Managing automatic purging of these logs is performed using the settings: keep_extended_logs_max_days, extended_logs_dir_depth, check_extended_logs_interval. By default, It is recommended to use cron in conjuction with find to periodically purge client logs. For example, to check for outdated logs is performed every 24 hours and delete all logs older than 30 days are deleted. To modify client logs storage and deletion rules, edit these settings and restart the WCS server.

Logging level managing "on the fly"

Logging level for certain session may be changed on the go, without server restart. To do this, REST queries are used

REST query should be HTTP/HTTPS POST request such as:

• HTTP: http://test.flashphoner.com:8081/rest-api/logger/enable_client_log
• HTTPS: https://test.flashphoner.com:8444/rest-api/logger/enable_client_log

Here:

...

add the following cron task

0 0 * * * find /usr/local/FlashphonerWebCallServer/logs/client_logs/ -type d -mtime +30 | xargs rm -rf

Logging level managing "on the fly"

Logging level for certain session may be changed on the go, without server restart. To do this, REST queries are used

REST query should be HTTP/HTTPS POST request such as:

• HTTP: http://test.flashphoner.com:8081/rest-api/logger/enable_client_log is REST method used

REST methods and response statuses

...

REST method

...

Example of REST request

...

Example of REST response

...

Response status

...

Description

...

• log
• HTTPS: https://test.flashphoner.com:8444/rest-api/logger/enable_client_log

...

...

Here:

• test.flashphoner.com is WCS server address
• 8081 is WCS standard REST / HTTP port
• 8444 is WCS standard HTTPS port
• rest-api is required URL prefix
• /logger/enable_client_log is REST method used

REST methods and response statuses

{
 "sessionId": "/127.0.0.1:57539/192.168.1.101:8443",
 "logLevel": "DEBUG"
}

{
 "sessionId": "/127.0.0.1:57539/192.168.1.101:8443"
}

...

Logging level changes with REST queries affects only the session specified, but not another sessions including sessions that will be created later.

Using flight recorder

Flight recorder function allows to cyclically write some latest events for stream published. This information may help to diagnose problems with stream publishing without full client debug logs enabling. Flight recorder is enabled with the following parameter in flashphoner.properties file

enable_flight_recorder=true

It is necessary to set events category that will be written (defined by developer)

flight_recorder_categories=WCS1438

The events are written for publisher client to flight_recorder.log file, if stream publishing stops by some error, or stream is corrupted by some way.

...

Enabling debug log for all the client sessions

To diagnose a problem, sometimes it is necessary to enable debug logging for all newly connected client sessions, to write to client logs connection establishing process and stream publishing start. This feature can be enabled since build 5.2.512 with the following parameter

client_log_force_debug=true

For all newly connected clients debug logs will be recorded during interval defined with the following parameter in seconds

client_log_force_debug_timeout=60

By default client debug logs will be written in 60 seconds for each session connected.

These settings can be changed win CLI and applied without server restart.

Using flight recorder

Flight recorder function allows to cyclically write some latest events for stream published. This information may help to diagnose problems with stream publishing without full client debug logs enabling. Flight recorder is enabled with the following parameter in flashphoner.properties file

enable_flight_recorder_test=true

without restarting WCS server. It saves the events to file for all publishers connected.

...

Client logs structure:

It is necessary to set events category that will be written (defined by developer)

flight_recorder_categories=WCS1438

The events are written for publisher client

...

to flight_recorder.log file, if stream publishing stops by some error, or stream is corrupted by some way.

To test flight recorder, the parameter should be set

enable_flight_recorder_test=true

without restarting WCS server. It saves the events to file for all publishers connected.

Client log structure and content

Client logs structure:

client_logs
---- 2018-05-16
-------- 84gij60a6u3ni7docsr1di1l5b-15-06-59
------------ flashphoner.log
------------ client-84gij60a6u3ni7docsr1di1l5b-2018.05.16.15.07.26-1526458046646.report
------------ MediaDump-85d65b00-639e-4a7e.31002-31004-31006-31008.pcap

...

Media traffic dumps

If in the flashphoner.properties settings file a non-zero value is set for the client_dump_level setting, a dump session is additionally recorded for a client:

...

SDR records are written to the sdr.log file located at logs/cdr. A new log file is created every 24 hours. Data are recorded as a CSV file, so they can be easily processed.

Field names are not recorded to the file.

Record format:

end;mediaProvider;name;mediaSessionId;duration;disposition;info;type;subscribers;

Record example:

2015-11-11 08:36:13;Flash;stream-Bob;5c2d75c0-7d87-421d-aa93-2732c48d8eaa;00:00:48;UNPUBLISHED;;PUBLISH;3;

...

Field

...

Description

...

end

...

Date and time the session ended

...

mediaProvider

...

The media used in WCS JavaScript API: WebRTC, Flash

...

name

...

Name of the published / played stream

...

mediaSessionId

...

Media session identifier

...

duration

...

Duration of the session

...

disposition

...

Session result: UNPUBLISHED, STOPPED, FAILED

UNPUBLISHED - publishing of the stream was stopped

STOPPED - playing of the stream was stopped

FAILED - incorrect session end

...

info

...

If disposition==FAILED, this field contains the description of the reason

...

type

...

PUBLISH if publishing the stream

SUBSCRIBE if playing the stream

...

subscribers

...

The number of subscribers in case of publishing the stream; 0 if playing the stream

CONNDR logs

Connection Detail Record is a WebSocket sessions log.

CONNDR records are written to the sdr.log log file located at logs/cdr. A new log file is created every 24 hours. Data are recorded as a CSV file, so they can be easily processed.

Field names are not recorded to the file.

Record format:

end;mediaSessionId;disposition;info;duration;

Record example:

2018-04-25 19:29:08;/5.44.168.45:52199/95.191.131.64:8443;DISCONNECTED;Normal disconnect;17;

...

Field

...

Description

...

end

...

Data and time the session ended

...

mediaSessionId

...

Media session identifier

...

disposition

...

Session result: DISCONNECTED, FAILED

DISCONNECTED - the session ended by client's initiative

FAILED - incorrect session end

...

info

...

Contains information about the session end

...

duration

...

Duration of the session

GC logs

By default garbage collector log files are located in /usr/local/FlashphonerWebCallServer/logs directory.

...

...

names are not recorded to the file.

Record format:

start;mediaProvider;name;mediaSessionId;duration;disposition;info;type;subscribers;

Record example:

2015-11-11 08:36:13;Flash;stream-Bob;5c2d75c0-7d87-421d-aa93-2732c48d8eaa;00:00:48;UNPUBLISHED;;PUBLISH;3;

CONNDR logs

Connection Detail Record is a WebSocket sessions log.

CONNDR records are written to the sdr.log log file located at logs/cdr. A new log file is created every 24 hours. Data are recorded as a CSV file, so they can be easily processed.

Field names are not recorded to the file.

Record format:

start;mediaSessionId;disposition;info;duration;

Record example:

2018-04-25 19:29:08;/5.44.168.45:52199/95.191.131.64:8443;DISCONNECTED;Normal disconnect;17;

GC logs

By default garbage collector log files are located in /usr/local/FlashphonerWebCallServer/logs directory.

logs
---- gc-core-2018-12-18_20-02.log
---- gc-core-2018-12-18_19-56.log

The location and prefix of the log files can be configured in wcs-core.properties file.

To enable log rotation by the JVM, the following options can be added to wcs-core.properties:

-XX:+UseGCLogFileRotation
-XX:NumberOfGCLogFiles=10
-XX:GCLogFileSize=2M

Then the log files will have names like

logs
---- gc-core.log2018-12-14_18-57.log.0
---- gc-core.log2018-12-14_18-57.log.1
---- gc-core-2018.log2018-12-14_18-57.log.2
---- gc-core.log2018-12-14_18_20-0257.log.3
---- gc-core-2018.log2018-12-14_18_19-5657.log

The location and prefix of the log files can be configured in wcs-core.properties file.

...

.4.current

File with suffix 'current' is the file currently being recorded.

To remove creation time from log file names, remove date from variable GC_SUFFIX in bin/setenv.sh:

-XX:+UseGCLogFileRotation
-XX:NumberOfGCLogFiles=10
-XX:GCLogFileSize=2MGC_SUFFIX=".log"

Then the log files will have names like

logs
---- gc-core.log2018-12-14_18-57.log.0
---- gc-core.log.01
---- gc-core.log2018-12-14_18-57.log.1
---- gc-core.log2018-12-14_18-57.log.2
---- gc-core.log2018-12-14_18-57.log.3
---- gc-core.log2018-12-14_18-57.log.4.current

File with suffix 'current' is the file currently being recorded.

To remove creation time from log file names, remove date from variable GC_SUFFIX in bin/setenv.sh:

GC_SUFFIX=".log"

Then the log files will have names like

logs
---- gc-core.log.0
---- gc-core.log.1
---- gc-core.log.2.current-core.log.2.current

CVE-2021-44228 vulnerability

CVE-2021-44228 vulnerability in Apache log4j library cannot be exploited on WCS server. The logger can be configured via log4j.properties only, so attacker must have access to server file system. The vulnerability cannot be exploited via input fields etc. Let's check:

1. Use the URL https://log4shell.huntress.com/ to check the server. This page will generate an unique link to insert to a web page input fields

2, Open Two Way Streaming example page on demo server https://demo.flashphoner.com:8888/client2/examples/demo/streaming/two_way_streaming/two_way_streaming.html, click Connect and insert the test link to stream name fields. Publish and play a stream:

Image Added

3. Open a special link to view test results. If vulnerability is exploited, IP address and Date/Time columns will show connections from tested server

Image Added

As test shows, the CVE-2021-44228 vulnerability cannot be exploited in latest WCS build 5.2.1109

Under the hoods: why WCS is not vulnerable

WCS uses Apache log4j 1.2.17. This old version does not support JDNI feature which is added since log4j 2.0-beta9. Therefore, CVE-2021-44228 vulnerability cannot be exploited in WCS.