Thanks Mark and Florence for your replies!

I will check the directory389 list to see if there is any useful information.

By turning on audit logging, we'd like to have a record of what was
changed, when and by whom. For example, we should be able to answer when
and who added the user XYZ.  Unfortunately, IPA's audit logging isn't great
for that purpose: it provides information on what and when, not by
whom (modifiersname field is useless).

For others facing similar situations, I found filebeat does the trick: it
can combine multiple lines of logs into a single line before forwarding the
logs, which is searchable.

Thanks.

Kathy.

On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <[email protected]> wrote:

> The audit log is essentially just a list of LDIF commands.  If you remove
> the "time" and "result" lines you can redirect the log straight to
> ldapmodify:
>
>
> time: 20220126111500
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> result: 0
> changetype: modify
> replace: nsslapd-lookthroughlimit
> nsslapd-lookthroughlimit: 5001
> -
> replace: modifiersname
> modifiersname: cn=dm
> -
> replace: modifytimestamp
> modifytimestamp: 20220126161500Z
> -
>
>
> I'm not sure this log is worth "parsing" since it's just describing the
> exact changes made to the server, and I'm not sure there are that many
> useful "stats" that could be gained by parsing it.  What exactly are you
> hoping to get out of it?
>
> Mark
> On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> Hi,
> You should try with [email protected]
> <https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.org>,
> other users may have found a solution to your problem.
> flo
>
> On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <[email protected]> wrote:
>
>> Yes, correct, Florence.
>>
>> BTW, Florence, I'd like to take this opportunity to let you know that I
>> benefit from your blog, especially the one about certificates.
>>
>> Thanks!
>>
>> Kathy.
>>
>> On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud <[email protected]>
>> wrote:
>>
>>> Hi Kathy,
>>> which log file are you referring to? 389-ds audit log in
>>> /var/log/dirsrv/slapd-xxx/audit?
>>>
>>> flo
>>>
>>> On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users <
>>> [email protected]> wrote:
>>>
>>>> Hello list,
>>>>
>>>> I had FreeIPA audit log on. I feed audit logs to Graylog. Since there
>>>> are multiple lines of logs for each event, I could not find a suitable
>>>> extractor to parse the logs. Therefore, the logs are very hard to read.
>>>> Could anyone in the list share how you process the logs if you are in a
>>>> similar situation?
>>>>
>>>> Thanks!
>>>>
>>>> Kathy.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to
>>>> [email protected]
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>>> Do not reply to spam on the list, report it:
>>>> https://pagure.io/fedora-infrastructure
>>>>
>>>
>
> --
> Directory Server Development Team
>
>
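
The multi-line-to-single-line merge discussed in this thread, as an added example that is not part of the original messages and not code from FreeIPA, 389-ds or Filebeat: a small Python parser that starts a new record at each "time:" line of the audit log layout Mark quotes and emits one JSON line per change. The function names, the second sample record and the assumption that long lines are folded LDIF-style (newline plus one space) are introduced here for illustration.

```python
import json

# Constructed sample: the first record is the one quoted in the thread; the
# second (an add with a folded dn) is made up for illustration.
SAMPLE = """\
time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20220126161500Z
-

time: 20220126111742
dn: uid=xyz,cn=users,cn=accounts,dc=example,
 dc=test
result: 0
changetype: add
uid: xyz
"""

def parse_audit(text):
    """Return one dict per 'time:' record of an audit log."""
    events, cur = [], None
    for line in text.replace("\n ", "").splitlines():  # unfold LDIF lines first
        key, sep, value = line.partition(": ")
        key = key.rstrip(":")             # "attr:: x" is base64; kept encoded
        if sep and key == "time":         # every record starts at "time:"
            cur = {"time": value, "ops": [], "attrs": {}}
            events.append(cur)
        elif cur is None or not sep:
            continue                      # blank line, "-" or leading junk
        elif key in ("dn", "result", "changetype"):
            cur[key] = value
        elif cur.get("changetype") == "modify" and key in ("add", "replace", "delete"):
            cur["ops"].append(f"{key} {value}")
        else:
            cur["attrs"].setdefault(key, []).append(value)
    return events

def to_json_lines(text):
    """One searchable JSON line per change, ready for a log pipeline."""
    return [json.dumps(e, sort_keys=True) for e in parse_audit(text)]
```

Each returned line carries the record's time, dn, result, changetype, the modify operations and whatever attribute values the log recorded, so a single search hit shows the whole change.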