[FEATURE REQUEST] Improved log visibility

[sandsoncosta]

Firstly! Thanks for providing a greatest software!

I would like to contribute by giving some ideas for improvement and visibility of valuable information for a Security Operations Center (SOC) team.

I set up a Linux VM in my lab.

And when I access /var/log/multiotp/multiotp.log I see the server-secret in plaintext with debug mode enabled. In my case is "secret2OTP".

========================================
multiotp 5.9.0.1
Your script is running from /usr/local/bin/multiotp/
2025-03-26 21:52:30     debug           CredentialProviderRequest       Info: *Value for IsCredentialProviderRequest:   0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *CheckUserExists server request for robert.baratheon with challenge MOSHb21616d323af09e2d797555b67f7d056  0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *CheckUserExists intermediate error code: 22      0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *Server secret used for command CheckUserExists with error code result 22: secret2OTP     0       multiotp
========================================
multiotp 5.9.0.1
Your script is running from /usr/local/bin/multiotp/
2025-03-26 21:52:30     debug           CredentialProviderRequest       Info: *Value for IsCredentialProviderRequest:   0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *ReadUserData server request for robert.baratheon 0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *Server secret used for command ReadUserData with error code result 19: secret2OTP        0       multiotp

OTP Login:

========================================
2025-03-26 22:35:45     warning         System  Error: database file /etc/multiotp/users/jaime.lannister.db for user jaime.lannister does not exist     0       multiotp
2025-03-26 22:35:52     warning         System  Error: database file /etc/multiotp/users/jaime.lannister.db for user jaime.lannister does not exist     0       multiotp
2025-03-26 22:35:53     warning         System  Error: database file /etc/multiotp/users/jaime.lannister.db for user jaime.lannister does not exist     0       multiotp
2025-03-26 22:36:09     notice  sandson.costa   User    OK: User sandson.costa successfully logged in (using Credential Provider) with TOTP token       0       multiotp

jaime.lannister is not included in the 2FAUsers group.

It would be interesting if the log showed another type of error. Since the sync synchronizes the user table of the 2FAUsers group, any user other than that group requests an OTP, informing that the user does not have 2FA configured.

Example:

========================================
2025-03-26 22:35:45     warning   jaime.lannister   User   ERROR: User jaime.lannister jaime.lannister is not included in the 2FAUsers group or does not have 2FA enabled     0       multiotp
2025-03-26 22:36:09     notice  sandson.costa   User    OK: User sandson.costa successfully logged in (using Credential Provider) with TOTP token       0       multiotp

Users included in the exception for logging in without 2FA do not generate logs. It would be interesting if they also generated logs, informing which user logged in without 2FA. This could help in auditing users who should have 2FA and it is not enabled, or it could help against insiders and corporate spies.

Example:

========================================
2025-03-26 22:36:09     notice  robert.lannister   User    OK: User robert.lannister successfully logged in (using Credential Provider) without TOTP token       0       multiotp

I also set up syslog sending to my SIEM, to see what sending logs would look like and how it could contribute to rules and audits.

I believe it can improve and I have some ideas.

Current logs:

#Log server
<61>Mar 26 22:23:13 multiotp multiOTP: multiotp 192.168.188.134 OK: User sandson.costa successfully logged in (using Credential Provider) with TOTP token

#Log workstation user
<61>Mar 26 22:23:13 GOAD-WIN11LAB1 multiOTP: GOAD-WIN11LAB1 192.168.56.103 Info: User sandson.costa successfully logged in (using Credential Provider) using an external server

It would be interesting to make the multiotp log more verbose, regardless of whether the log comes from the workstation or not.

But for the multiotp server, as it is the authentication location, the log configured there should be more or less like this to be more complete.

Exemple:

<61>Mar 26 14:32:00 multiotp multiOTP: [AUDIT] Authentication 2FA successfully - user="sandson.costa", sourceip="192.168.188.134", hostname="GOAD-WIN11LAB1", method="OTP", result="Sucess"

<61>Mar 26 14:32:00 multiotp multiOTP: [AUDIT] Authentication 2FA successfully - user="jaime.lannister", sourceip="192.168.188.134", hostname="GOAD-WIN11LAB1", method="OTP", result="User is not included in the '2FAUsers' group or does not have 2FA enabled"

<61>Mar 26 14:32:00 multiotp multiOTP: [AUDIT] Authentication 2FA successfully - user="robert.baratheon", sourceip="192.168.188.134", hostname="GOAD-WIN11LAB1", method="Without2FA", result="Sucess"

[multiOTP]

Hello @sandsoncosta,

Debug Mode

As the debug mode is done to... debug issues, the server secret used is currently logged in "debug mode". Based on your comment, we decide to log the server secret only in "developer mode".

Message error for user not included in the 2FAUsers group

As multiOTP open source server can be used with synchronized AD/LDAP as well as with local created users, the error cannot be so specific as mentionned in your example. A solution could be something like that:

2025-03-26 22:35:45     warning   sample.username   User   ERROR: User sample.username is not declared/synchronized in the multiOTP server     0       multiotp

Users included in the exception for logging in without 2FA do not generate logs.

With "without2fa" acount, we don't know if the login was a success or not (as for Credential Provider, it depends also on the Active Directory check which is handled directly by the Credential Provider), we cannot say that a successfully log in has been done, but we can say that an attempt has been done. A solution could be something like that:

2025-03-26 22:36:09     notice  sample.username   User    OK: User sample.username don't need 2FA and is trying to log (using Credential Provider) without TOTP token       0       multiotp

Syslog log Verbosity

Thanks for your proposal, we will think about enhancing the 500+ log messages and it's now on the wishlist

[Eliseufera]

Firstly! Thanks for providing a greatest software!

I would like to contribute by giving some ideas for improvement and visibility of valuable information for a Security Operations Center (SOC) team.

I set up a Linux VM in my lab.

And when I access /var/log/multiotp/multiotp.log I see the server-secret in plaintext with debug mode enabled. In my case is "secret2OTP".

========================================
multiotp 5.9.0.1
Your script is running from /usr/local/bin/multiotp/
2025-03-26 21:52:30     debug           CredentialProviderRequest       Info: *Value for IsCredentialProviderRequest:   0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *CheckUserExists server request for robert.baratheon with challenge MOSHb21616d323af09e2d797555b67f7d056  0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *CheckUserExists intermediate error code: 22      0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *Server secret used for command CheckUserExists with error code result 22: secret2OTP     0       multiotp
========================================
multiotp 5.9.0.1
Your script is running from /usr/local/bin/multiotp/
2025-03-26 21:52:30     debug           CredentialProviderRequest       Info: *Value for IsCredentialProviderRequest:   0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *ReadUserData server request for robert.baratheon 0       multiotp
2025-03-26 21:52:30     debug           Server-Client   Info: *Server secret used for command ReadUserData with error code result 19: secret2OTP        0       multiotp

OTP Login:

========================================
2025-03-26 22:35:45     warning         System  Error: database file /etc/multiotp/users/jaime.lannister.db for user jaime.lannister does not exist     0       multiotp
2025-03-26 22:35:52     warning         System  Error: database file /etc/multiotp/users/jaime.lannister.db for user jaime.lannister does not exist     0       multiotp
2025-03-26 22:35:53     warning         System  Error: database file /etc/multiotp/users/jaime.lannister.db for user jaime.lannister does not exist     0       multiotp
2025-03-26 22:36:09     notice  sandson.costa   User    OK: User sandson.costa successfully logged in (using Credential Provider) with TOTP token       0       multiotp

jaime.lannister is not included in the 2FAUsers group.

It would be interesting if the log showed another type of error. Since the sync synchronizes the user table of the 2FAUsers group, any user other than that group requests an OTP, informing that the user does not have 2FA configured.

Example:

========================================
2025-03-26 22:35:45     warning   jaime.lannister   User   ERROR: User jaime.lannister jaime.lannister is not included in the 2FAUsers group or does not have 2FA enabled     0       multiotp
2025-03-26 22:36:09     notice  sandson.costa   User    OK: User sandson.costa successfully logged in (using Credential Provider) with TOTP token       0       multiotp

Users included in the exception for logging in without 2FA do not generate logs. It would be interesting if they also generated logs, informing which user logged in without 2FA. This could help in auditing users who should have 2FA and it is not enabled, or it could help against insiders and corporate spies.

Example:

========================================
2025-03-26 22:36:09     notice  robert.lannister   User    OK: User robert.lannister successfully logged in (using Credential Provider) without TOTP token       0       multiotp

I also set up syslog sending to my SIEM, to see what sending logs would look like and how it could contribute to rules and audits.

I believe it can improve and I have some ideas.

Current logs:

#Log server
<61>Mar 26 22:23:13 multiotp multiOTP: multiotp 192.168.188.134 OK: User sandson.costa successfully logged in (using Credential Provider) with TOTP token

#Log workstation user
<61>Mar 26 22:23:13 GOAD-WIN11LAB1 multiOTP: GOAD-WIN11LAB1 192.168.56.103 Info: User sandson.costa successfully logged in (using Credential Provider) using an external server

It would be interesting to make the multiotp log more verbose, regardless of whether the log comes from the workstation or not.

But for the multiotp server, as it is the authentication location, the log configured there should be more or less like this to be more complete.

Exemple:

<61>Mar 26 14:32:00 multiotp multiOTP: [AUDIT] Authentication 2FA successfully - user="sandson.costa", sourceip="192.168.188.134", hostname="GOAD-WIN11LAB1", method="OTP", result="Sucess"

<61>Mar 26 14:32:00 multiotp multiOTP: [AUDIT] Authentication 2FA successfully - user="jaime.lannister", sourceip="192.168.188.134", hostname="GOAD-WIN11LAB1", method="OTP", result="User is not included in the '2FAUsers' group or does not have 2FA enabled"

<61>Mar 26 14:32:00 multiotp multiOTP: [AUDIT] Authentication 2FA successfully - user="robert.baratheon", sourceip="192.168.188.134", hostname="GOAD-WIN11LAB1", method="Without2FA", result="Sucess"

Estranho...

[multiOTP]

Hello,
The log entries are under review in order to provide structured and parsable information. We are talking about... 600 log entries.
The new improved log format format will be available at the beginning of 2026.
Regards,