hub icon indicating copy to clipboard operation
hub copied to clipboard
verified publisher icon crowdsecurity

Add open webui collection

Open LearningSpot opened this issue 11 months ago • 6 comments

Collection for Open WebUI using docker instance.

LearningSpot avatar Jan 22 '25 07:01 LearningSpot

Hey 👋🏻

Thank you for opening a pull request!

Could we have some test lines to add these to the test files to ensure we dont accidentally break it in future!

LaurenceJJones avatar Jan 22 '25 11:01 LaurenceJJones

Hi Laurence, Thanks for quick response. Did you mean test logs? Or add this to some test folder? I created branches for all the new collections as you suggested last time.

LearningSpot avatar Jan 22 '25 12:01 LearningSpot

Hi Laurence, Thanks for quick response. Did you mean test logs? Or add this to some test folder? I created branches for all the new collections as you suggested last time.

if you paste the logs here I can add them to tests.

LaurenceJJones avatar Feb 03 '25 12:02 LaurenceJJones

Example log for Open-WebUI Auth error :

authenticate_user [email protected] INFO: 1.2.3.4:0 - "POST /api/v1/auths/signin HTTP/1.1" 400 Bad Request

Note : IP : 1.2.3.4

It works on the IP but I haven't managed to use this for the user enumeration as it's 2 line error log. Hope can improve on that.

LearningSpot avatar Feb 03 '25 12:02 LearningSpot

There's also some audit logs which you can enable via ENABLE_AUDIT_LOGS=true docker environment variable which writes to /path/to/container/volume/audit.log and an example is

{
  "id": "ed8a1fd3-88eb-4758-84b0-abba6ed217fb",
  "timestamp": 1740869185,
  "user": {
    "id": "b26d0ab4-116b-4024-bb2a-80e86dfc903f",
    "name": "First Last",
    "email": "[email protected]",
    "role": "admin"
  },
  "audit_level": "REQUEST_RESPONSE",
  "verb": "POST",
  "request_uri": "https://example.com/api/v1/users/user/settings/update",
  "response_status_code": 200,
  "source_ip": "IP_V6_ADDRESS/IPV4_ADDRESS",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0",
  "request_object": "{\"ui\":{\"version\":\"0.5.18\",\"notifications\":{\"webhook_url\":\"\"},\"directConnections\":{\"OPENAI_API_BASE_URLS\":[],\"OPENAI_API_KEYS\":[],\"OPENAI_API_CONFIGS\":{}},\"models\":[\"deepseek-r1:14b\"]}}",
  "response_object": "{\"ui\":{\"version\":\"0.5.18\",\"notifications\":{\"webhook_url\":\"\"},\"directConnections\":{\"OPENAI_API_BASE_URLS\":[],\"OPENAI_API_KEYS\":[],\"OPENAI_API_CONFIGS\":{}},\"models\":[\"deepseek-r1:14b\"]}}",
  "extra": {}
}

Not sure if these can also be considered for parsing.

sparkyfen avatar Mar 01 '25 22:03 sparkyfen

I don't think the audit log can parse as it continues too many lines and the information here about authentication can parse in the docker logs already.

LearningSpot avatar Mar 06 '25 13:03 LearningSpot