Digging a bit more, if you match the time stamp, *where* (IP address) and *who* are in /var/log/httpd/access_log, for example:

10.10.0.6 - [email protected] [26/Jan/2022:13:54:42 -0800] "POST /ipa/session/json HTTP/1.1" 200 582

On Wed, Jan 26, 2022 at 6:11 PM Mark Reynolds <[email protected]> wrote:
>
> On 1/26/22 8:51 PM, Kathy Zhu via FreeIPA-users wrote:
>
> Thanks both Rob and Mark for your replies! Take user creation as an example:
>
> in /var/log/httpd/error_log:
>
> via GUI - what, when and who
> via CLI - what, when and admin (since admin privilege is needed)
>
> in /var/log/dirsrv/slapd-EXAMPLE-COM/audit:
>
> via GUI - what, when and who (dn of creatorsName and modifiersName)
> via CLI - what, when and admin (dn of creatorsName and modifiersName)
>
> The above example shows that if the user is created via GUI, the audit information is good. If via CLI, "who" is admin instead.
>
> Inside the audit log, the values of modifiersname are "Directory Manager", admin, "krbprincipalname=ldap/..." and so on, while I am looking for a particular user.
>
> In the /var/log/dirsrv/slapd-EXAMPLE-COM/access log, there is a "conn" number associated with each line. I'd love to get instructions on how to enable the "conn" number in the audit log; I can use it to find out "from where".
>
> Sorry, there is no way to do it yet. It would be an RFE, and probably a new config attribute nsslapd-auditlog-level in Directory Server. I can not promise how soon the feature will be implemented, but file the RFE here:
> https://github.com/389ds/389-ds-base/issues/new/choose
>
> Thanks,
>
> Mark
>
> Thanks.
>
> Kathy.
>
> On Wed, Jan 26, 2022 at 12:10 PM Mark Reynolds <[email protected]> wrote:
>>
>> On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote:
>>
>> Thanks Mark and Florence for your replies!
>>
>> I will check the directory389 list to see if there is any useful information.
>>
>> By turning on audit logging, we'd like to have a record of what was changed, when and by whom. For example, we should be able to answer when and who added the user XYZ. Unfortunately, IPA's audit logging isn't great to serve that purpose; it provides information on what and when, not by whom (the modifiersname field is useless).
>>
>> Why is modifiersname useless? It would be the Bind DN that performed the operation -> the "Who". The LDAP server only knows of "who" by its LDAP DN and there is no other value it could use. The "What" is the "dn", and the "When" is the "time" stamp in the audit log entry.
>>
>> For the "Where", you would need to know the connection ID. Then the access log could be parsed to find the IP address of the client. Technically the conn ID could be added to the audit log, but changing the logging format is problematic as people are already parsing our logs and every time we change the format we get complaints.
>>
>> Sorry, I guess I still don't understand what is missing. From my standpoint we already provide the Who, What, and When in the audit log (from the DS perspective). Perhaps the specific info you want is not available in the LDAP server?
>>
>> Mark
>>
>> For others facing similar situations, I found filebeat does the trick: it can combine multiple lines of logs into a single line before forwarding the logs, which is searchable.
>>
>> Thanks.
>>
>> Kathy.
>>
>> On Wed, Jan 26, 2022 at 10:40 AM Rob Crittenden <[email protected]> wrote:
> Kathy Zhu via FreeIPA-users wrote:
> > Thanks Mark and Florence for your replies!
> >
> > I will check the directory389 list to see if there is any useful information.
> >
> > By turning on audit logging, we'd like to have a record of what was changed, when and by whom. For example, we should be able to answer when and who added the user XYZ. Unfortunately, IPA's audit logging isn't great to serve that purpose; it provides information on what and when, not by whom (the modifiersname field is useless).
>
> The IPA audit log is the apache error log.
>
> Adding a user you'll see something like:
>
> [Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] [email protected]: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS
>
> So user tuser added user suser successfully today at 1:30pm.
>
> rob
>
> > For others facing similar situations, I found filebeat does the trick: it can combine multiple lines of logs into a single line before forwarding the logs, which is searchable.
> >
> > Thanks.
> >
> > Kathy.
> >
>>
>> On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <[email protected]> wrote:
>>
>>> The audit log is essentially just a list of LDIF commands. If you remove the "time" and "result" lines you can redirect the log straight to ldapmodify:
>>>
>>> time: 20220126111500
>>> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
>>> result: 0
>>> changetype: modify
>>> replace: nsslapd-lookthroughlimit
>>> nsslapd-lookthroughlimit: 5001
>>> -
>>> replace: modifiersname
>>> modifiersname: cn=dm
>>> -
>>> replace: modifytimestamp
>>> modifytimestamp: 20220126161500Z
>>> -
>>>
>>> I'm not sure this log is worth "parsing" since it's just describing the exact changes made to the server, and I'm not sure there are that many useful "stats" that could be gained by parsing it. What exactly are you hoping to get out of it?
>>>
>>> Mark
>>>
>>> On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>>>
>>> Hi,
>>> You should try with [email protected] <https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.org>, other users may have found a solution to your problem.
>>> flo
>>>
>>> On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <[email protected]> wrote:
>>>
>>>> Yes, correct, Florence.
>>>>
>>>> BTW, Florence, I'd like to take this opportunity to let you know that I benefit from your blog, especially the one about certificates.
>>>>
>>>> Thanks!
>>>>
>>>> Kathy.
>>>>
>>>> On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud <[email protected]> wrote:
>>>>
>>>>> Hi Kathy,
>>>>> which log file are you referring to? 389-ds audit log in /var/log/dirsrv/slapd-xxx/audit?
>>>>>
>>>>> flo
>>>>>
>>>>> On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users <[email protected]> wrote:
>>>>>
>>>>>> Hello list,
>>>>>>
>>>>>> I had the FreeIPA audit log on. I feed audit logs to Graylog. Since there are multiple lines of logs for each event, I could not find a suitable extractor to parse the logs. Therefore, the logs are very hard to read. Could anyone in the list share how you process the logs if you are in a similar situation?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Kathy.
>>>>>>
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- [email protected]
>>>>>> To unsubscribe send an email to [email protected]
>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>>>>
>>> --
>>> Directory Server Development Team
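The thread leaves two practical problems open: the 389-ds audit log is a multi-line record per change (Kathy's Graylog problem), and on its own it gives "who" only as a bind DN with no "where", while the httpd error_log line Rob quoted carries the Kerberos principal and the client IP. The script below is an added example written for this thread; it is not code from FreeIPA, 389-ds, or any of the posters. It flattens each audit record into one dict (going a little beyond the quoted sample by handling base64 `::` values and the file header), parses error_log lines of the shape Rob showed, and joins the two by timestamp plus the entry's RDN value. The sample records, the principal `tuser@EXAMPLE.COM`, the suffix `dc=example,dc=com`, the IP address and the five-second join window are all constructed; the join rule is a heuristic of this example, not something either log guarantees.

```python
"""Flatten multi-line 389-ds audit records and join them to FreeIPA httpd
error_log lines to recover who (principal) and where (client IP).
Added example for this thread; not FreeIPA or 389-ds code."""
import base64
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the layout Mark quoted: header before the first
# "time:", blank line between records, "-" between modify operations.
SAMPLE_AUDIT = """\
\t389-Directory/2.1.0 (constructed header, ignored by the parser)
time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20220126161500Z
-

time: 20220126133857
dn: uid=suser,cn=users,cn=accounts,dc=example,dc=com
result: 0
changetype: add
uid: suser
sn: user
creatorsName: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
modifiersName: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
"""
# Constructed error_log lines in the shape Rob quoted (principal and IP are
# made up); the second line is unrelated noise the parser must skip.
SAMPLE_ERROR_LOG = """\
[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] tuser@EXAMPLE.COM: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS
[Wed Jan 26 13:39:02.100000 2022] [core:notice] [pid 1475984] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

def _ldif_value(raw: str) -> str:
    """Text after the first colon of an LDIF line; a second colon marks base64."""
    if raw.startswith(":"):
        return base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
    return raw.strip()

def parse_audit_log(text: str) -> List[Dict]:
    """One dict per record. A 'time:' line starts a record, so the parser does
    not depend on the blank-line separators or on the file header."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        attr, sep, raw = line.rstrip().partition(":")
        attr = attr.strip().lower()
        if not sep:
            continue                        # blank line, "-" separator, header text
        if attr == "time":
            current = {"time": datetime.strptime(raw.strip(), "%Y%m%d%H%M%S"),
                       "dn": None, "result": None, "changetype": None, "attrs": {}}
            records.append(current)
        elif current is None:
            continue                        # header line that happens to contain ':'
        elif attr in ("dn", "result", "changetype"):
            current[attr] = _ldif_value(raw)
        else:                               # modify ops and entry attributes
            current["attrs"].setdefault(attr, []).append(_ldif_value(raw))
    return records

def actor_of(rec: Dict) -> Optional[str]:
    """Bind DN the DS recorded: creatorsName for adds, else modifiersName."""
    keys = ("creatorsname", "modifiersname") if rec["changetype"] == "add" else ("modifiersname",)
    return next((rec["attrs"][k][0] for k in keys if rec["attrs"].get(k)), None)

ERROR_LOG_RE = re.compile(
    r"^\[(?P<stamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\] "
    r"\[wsgi:error\] \[pid [^\]]+\] \[remote (?P<ip>.+?):\d+\] ipa: INFO: "
    r"\[[^\]]+\] (?P<principal>\S+): (?P<command>\w+)/\d+\((?P<args>.*)\): (?P<status>\w+)$")

def parse_error_log(text: str) -> List[Dict]:
    """Who (Kerberos principal), where (client IP) and what (IPA command)."""
    events = []
    for m in filter(None, map(ERROR_LOG_RE.match, text.splitlines())):
        stamp = datetime.strptime(f"{m['stamp']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        events.append({"time": stamp, "ip": m["ip"], "principal": m["principal"],
                       "command": m["command"], "args": m["args"], "status": m["status"]})
    return events

def correlate(audit: List[Dict], events: List[Dict],
              window: timedelta = timedelta(seconds=5)) -> List[Dict]:
    """Heuristic join: an error_log event within `window` of the audit time
    whose arguments quote the entry's RDN value (user_add('suser') <-> uid=suser)."""
    joined = []
    for rec in audit:
        rdn_value = (rec["dn"] or "").split(",")[0].split("=", 1)[-1]
        hit = next((e for e in events if rdn_value and f"'{rdn_value}'" in e["args"]
                    and abs(e["time"] - rec["time"]) <= window), None)
        joined.append({"time": rec["time"].isoformat(), "dn": rec["dn"],
                       "changetype": rec["changetype"], "result": rec["result"],
                       "bind_dn": actor_of(rec),                        # who, per DS
                       "principal": hit["principal"] if hit else None,  # who, per IPA
                       "source_ip": hit["ip"] if hit else None})        # where
    return joined
```

Each dict that `correlate` returns is one change, so emitting it as a JSON line is enough for Graylog or filebeat to index without a multi-line extractor. Note that the audit record's `time` is the server's local time while `modifytimestamp` is UTC (Mark's own sample shows 111500 against 161500Z), so the join compares against the local stamps in error_log and never against the `Z` value. Changes that the DS itself or a plugin makes, or that arrive over LDAP rather than through the IPA API, will have no error_log counterpart and keep only the bind DN as "who".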
