On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote:
Thanks Mark and Florence for your replies!

I will check directory389 list to see if there is any useful information.

By turning on audit logging, we'd like to have a record of what was changed, when and by whom. For example, we should be able to answer when and who added the user XYZ.  Unfortunately, IPA's audit logging isn't great for that purpose: it provides information on what and when, not by whom (the modifiersname field is useless).

Why is modifiersname useless?  It would be the Bind DN that performed the operation -> the "Who".  The LDAP server only knows "who" by its LDAP DN and there is no other value it could use.  The "What" is the "dn", and the "When" is the "time" stamp in the audit log entry.

For the "Where", you would need to know the connection ID.  Then the access log could be parsed to find the IP address of the client.  Technically the conn ID could be added to the audit log, but changing the logging format is problematic as people are already parsing our logs and every time we change the format we get complaints.

Sorry I guess I still don't understand what is missing.  From my standpoint we already provide the Who, What, and When in the audit log (from the DS perspective).  Perhaps the specific info you want is not available in the LDAP server?

Mark


For others facing similar situations, I found filebeat does the trick: it can combine multiple lines of logs into a single line before forwarding the logs, which is searchable.

Thanks.

Kathy.

On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <[email protected]> wrote:

    The audit log is essentially just a list of LDIF commands.  If you
    remove the "time" and "result" lines you can redirect the log
    straight to ldapmodify:


    time: 20220126111500
    dn: cn=config,cn=ldbm database,cn=plugins,cn=config
    result: 0
    changetype: modify
    replace: nsslapd-lookthroughlimit
    nsslapd-lookthroughlimit: 5001
    -
    replace: modifiersname
    modifiersname: cn=dm
    -
    replace: modifytimestamp
    modifytimestamp: 20220126161500Z
    -


    I'm not sure this log is worth "parsing" since it's just
    describing the exact changes made to the server, and I'm not sure
    there are that many useful "stats" that could be gained by
    parsing it.  What exactly are you hoping to get out of it?

    Mark

    On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
    Hi,
    You should try with [email protected]
    <https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.org>,
    other users may have found a solution to your problem.
    flo

    On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <[email protected]> wrote:

        Yes, correct, Florence.

        BTW, Florence, I'd like to take this opportunity to let you
        know that I benefit from your blog, especially the one about
        certificates.

        Thanks!

        Kathy.

        On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud
        <[email protected]> wrote:

            Hi Kathy,
            which log file are you referring to? 389-ds audit log in
            /var/log/dirsrv/slapd-xxx/audit?

            flo

            On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via
            FreeIPA-users <[email protected]> wrote:

                Hello list,

                I had FreeIPA audit log on. I feed audit logs to
                Graylog. Since there are multiple lines of logs for
                each event, I could not find a suitable extractor to
                parse the logs. Therefore, the logs are very hard to
                read. Could anyone in the list share how you process
                the logs if you are in a similar situation?

                Thanks!

                Kathy.



                _______________________________________________
                FreeIPA-users mailing list --
                [email protected]
                To unsubscribe send an email to
                [email protected]
                Fedora Code of Conduct:
                https://docs.fedoraproject.org/en-US/project/code-of-conduct/
                List Guidelines:
                https://fedoraproject.org/wiki/Mailing_list_guidelines
                List Archives:
                
https://lists.fedorahosted.org/archives/list/[email protected]
                Do not reply to spam on the list, report it:
                https://pagure.io/fedora-infrastructure



-- Directory Server Development Team



--
Directory Server Development Team
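Added example (editorial; not code from anyone in this thread, nor from 389-ds or FreeIPA): a small Python script that does what the thread describes. It parses the multi-line audit entries into one who/what/when record per change, which is the single searchable line Kathy was after, taking modifiersname (on a modify) or creatorsname (on an add) as the "who" Mark points at, and separately strips the "time:" and "result:" lines so the remainder can be fed to ldapmodify. The sample log embedded in it is constructed to match the entry shown in Mark's reply; the banner line, the user DN, the bind DN of the admin and the base64-encoded cn are assumptions, not data from the thread.

```python
import base64
import json
from datetime import datetime

# Constructed sample (not from a real server): a banner line like the one 389-ds writes at the
# head of the file, Mark's modify from the thread, and an assumed add of user "xyz".
SAMPLE_AUDIT_LOG = """\
389-Directory/1.4.4 B2021.330.0000
time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20220126161500Z
-

time: 20220126111730
dn: uid=xyz,cn=users,cn=accounts,dc=example,dc=test
result: 0
changetype: add
objectClass: person
uid: xyz
cn:: WHlaIFVzZXI=
creatorsname: uid=admin,cn=users,cn=accounts,dc=example,dc=test
"""


def _entry_blocks(text):
    """Yield each blank-line-separated entry as a list of lines starting at its 'time:' line."""
    for block in text.split("\n\n"):
        lines = [l.rstrip("\r") for l in block.splitlines() if l.strip()]
        starts = [i for i, l in enumerate(lines) if l.startswith("time: ")]
        if starts:  # anything before 'time:' (e.g. the banner) is dropped
            yield lines[starts[0]:]


def _split_line(line):
    """LDIF 'attr: value' or base64 'attr:: value' -> (attr, value); (None, None) otherwise."""
    for sep, b64 in ((":: ", True), (": ", False)):
        if sep in line:
            attr, val = line.split(sep, 1)
            return attr.lower(), (base64.b64decode(val).decode("utf-8", "replace") if b64 else val)
    return None, None


def parse_audit_log(text):
    """One dict per audit entry: time/dn/result/changetype, modify sub-ops, or the added entry."""
    events = []
    for lines in _entry_blocks(text):
        ev = {"changes": [], "entry": {}}
        current = None  # the modify sub-operation currently being filled
        for line in lines:
            if line == "-":  # terminates a modify sub-operation
                current = None
                continue
            attr, val = _split_line(line)
            if attr is None:
                continue
            if attr in ("time", "dn", "result", "changetype"):
                ev[attr] = val
            elif ev.get("changetype") == "modify" and attr in ("add", "delete", "replace"):
                current = {"op": attr, "attr": val, "values": []}
                ev["changes"].append(current)
            elif current is not None:
                current["values"].append(val)
            else:  # attribute of an added entry (changetype: add)
                ev["entry"].setdefault(attr, []).append(val)
        events.append(ev)
    return events


def who(ev):
    """Bind DN the server recorded: modifiersname on a modify, creatorsname on an add."""
    vals = {c["attr"].lower(): c["values"] for c in ev["changes"]}
    vals.update(ev["entry"])
    for attr in ("modifiersname", "creatorsname"):
        if vals.get(attr):
            return vals[attr][0]
    return None


def audit_records(events):
    """One flat who/what/when record per entry, ready to be emitted as a single log line."""
    recs = []
    for ev in events:
        # 'time:' carries no zone (111500 vs 161500Z in Mark's sample), so it is kept naive
        when = datetime.strptime(ev["time"], "%Y%m%d%H%M%S").isoformat()
        attrs = {c["attr"].lower() for c in ev["changes"]} | set(ev["entry"])
        recs.append({"timestamp": when, "dn": ev.get("dn"), "changetype": ev.get("changetype"),
                     "result": int(ev.get("result", "0")), "who": who(ev), "attrs": sorted(attrs)})
    return recs


def to_json_lines(events):
    return [json.dumps(r, sort_keys=True) for r in audit_records(events)]


def to_ldif(text):
    """Mark's replay trick: drop 'time:' and 'result:' and what remains is ldapmodify input."""
    blocks = ["\n".join(l for l in lines if not l.startswith(("time: ", "result: ")))
              for lines in _entry_blocks(text)]
    return "\n\n".join(blocks) + "\n"
```

To use it on a real server, read /var/log/dirsrv/slapd-xxx/audit into parse_audit_log and ship the output of to_json_lines; each record is one line, so no multi-line extractor is needed on the collector side. The "where" still has to come from the access log, since, as noted above, the audit log carries no connection ID to join on.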
