journalctl command. By default, simply running journalctl will allow you to page through all messages logged to the systemd journal, including those from the numerous other services running on a typical server. Options can be provided to narrow these logs to messages from Tomcat or guacd.

kcm-guacamole-standalone)

kcm package, the Guacamole web application will log its messages to syslog. To view the log messages from Guacamole specifically, specify the "-t guacamole" option to restrict journalctl to showing only log messages from the "guacamole" syslog identifier:

kcm-guacamole)

"-u tomcat" option to restrict journalctl to showing only log messages from Tomcat's systemd unit:

"-t guacd" option to restrict journalctl to showing only log messages from the "guacd" syslog identifier:

haveged package.

guacamole.war, therefore must be manually deployed after Tomcat is installed. If the web application is not deployed, Tomcat will accept connections to port 8080 but will report errors when you attempt to access Guacamole.

/opt/keeper/share/guacamole/guacamole.war within /var/lib/tomcat/webapps, as documented by the installation instructions. If deployed correctly, a directory listing of /var/lib/tomcat/webapps should show a symbolic link to guacamole.war, even if the name of the link differs from the file it points to. For example, if deployed as "guacamole":

/var/log/audit/audit.log), and SELinux must be configured to allow these connections by setting the httpd_can_network_connect boolean to "1":

/etc/guacamole/guacamole.properties, have their permissions set such that only root and members of the "guacamole" group have read access. As it is Apache Tomcat which runs the Guacamole web application, and the Tomcat service runs as the "tomcat" user, the "tomcat" user must be a member of the "guacamole" group:

/var/log/audit/audit.log), and SELinux must be configured to allow these connections by setting the tomcat_can_network_connect_db boolean to "1":

/var/lib/pgsql/data/pg_hba.conf, looking for one or more lines which associate IPv4 or IPv6 loopback addresses with "Ident":

ident should be changed to md5 to allow username/password authentication from these addresses:

SELECT, INSERT, UPDATE, and DELETE privileges on all tables within its database. For PostgreSQL, it additionally requires SELECT and USAGE privileges on all sequences in its database.

GRANT statement and FLUSH PRIVILEGES as documented. It is important to remember that MySQL caches database privileges and will not apply changes to privileges unless FLUSH PRIVILEGES is run.

GRANT statements as documented, and that you did so prior to granting the required database permissions. It is important to remember that PostgreSQL can only grant permissions related to tables and sequences that exist. If GRANT statements are run before Guacamole's database tables exist, they will not have any effect.

/etc/guacamole/guacamole.properties look correct, check that you have not accidentally inserted whitespace at the end of what otherwise appears to be a correct value.

YOUR_LDAP_SERVER is the hostname or IP address of your LDAP server, YOUR_LDAP_DN is the full DN of your account within LDAP, and USER_BASE_DN is the base DN of all relevant users within your LDAP directory (as specified with the ldap-user-base-dn property in /etc/guacamole/guacamole.properties).

/etc/guacamole/guacamole.properties look correct, check that you have not accidentally inserted whitespace at the end of what otherwise appears to be a correct value. The presence of whitespace at the end of LDAP-related properties may result in queries failing and may cause Guacamole to incorrectly interpret the results of queries that appear to succeed.
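
The trailing-whitespace check described above for both the database and LDAP properties, together with the read-permission and group-membership requirements for /etc/guacamole/guacamole.properties, can be scripted. This is an added example, not part of the original documentation; the function names are hypothetical, and only property names are printed so that passwords stored in the file never reach a terminal or log.

```shell
#!/bin/sh
# Added example: audit a Guacamole properties file for the problems
# described on this page. Function names are hypothetical.

# Print "LINE:NAME" for every property whose value ends in whitespace
# (space, tab, or a carriage return left behind by a Windows editor).
# Values are never printed: they may hold database or LDAP passwords.
trailing_ws_props() {
    awk '
        /^[ \t\r]*$/  { next }               # blank line
        /^[ \t]*[#!]/ { next }               # comment
        /[ \t\r]$/ {
            name = $0
            sub(/^[ \t]*/, "", name)         # drop indentation
            sub(/[ \t]*[:=].*$/, "", name)   # keep only the property name
            print NR ":" name
        }
    ' "$1"
}

# Succeed only if "other" users cannot read the file; the page requires
# read access to be limited to root and the "guacamole" group.
not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Succeed if user $1 is a member of group $2.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Run the audit when a file is named on the command line, e.g.
#   sh audit.sh /etc/guacamole/guacamole.properties
if [ "$#" -gt 0 ]; then
    status=0
    hits=$(trailing_ws_props "$1")
    if [ -n "$hits" ]; then
        echo "trailing whitespace (line:property):"
        echo "$hits"
        status=1
    fi
    not_world_readable "$1" || { echo "$1 is world-readable"; status=1; }
    in_group tomcat guacamole || { echo "tomcat is not in group guacamole"; status=1; }
    exit "$status"
fi
```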