Yes, Rob. access_log gives me the IP where I performed this task.

Thank you.

Kathy.

On Thu, Jan 27, 2022 at 1:49 PM Rob Crittenden <[email protected]> wrote:
> Kathy Zhu via FreeIPA-users wrote:
> > Digging a bit more, if I match the time stamp, *where* (IP address)
> > and *who* are in /var/log/httpd/access_log, for example:
> >
> > 10.10.0.6 - kathy@EXAMPLE.COM [26/Jan/2022:13:54:42 -0800] "POST /ipa/session/json HTTP/1.1" 200 582
>
> The error log has all the details of what was executed. The principal
> reflects the TGT the user had when initiating the request. In this case
> kathy, in the previous, admin.
>
> rob
>
> > On Wed, Jan 26, 2022 at 6:11 PM Mark Reynolds <[email protected]> wrote:
> >
> > On 1/26/22 8:51 PM, Kathy Zhu via FreeIPA-users wrote:
> >> Thanks both Rob and Mark for your replies! Take user creation as
> >> an example:
> >>
> >> in /var/log/httpd/error_log:
> >>
> >> via GUI - what, when and who
> >> via CLI - what, when and admin (since admin privilege is needed)
> >>
> >> in /var/log/dirsrv/slapd-EXAMPLE-COM/audit:
> >>
> >> via GUI - what, when and who (dn of creatorsName and modifiersName)
> >> via CLI - what, when and admin (dn of creatorsName and modifiersName)
> >>
> >> The above example shows that if the user is created via GUI, the audit
> >> information is good. If via CLI, "who" is admin instead.
> >>
> >> Inside the audit log, the values of modifiersname are "Directory
> >> Manager", admin, "krbprincipalname=ldap/..." and so on, while I am
> >> looking for a particular user.
> >>
> >> In /var/log/dirsrv/slapd-EXAMPLE-COM/access log, there is a "conn"
> >> number associated with each line. I'd love to get the instructions
> >> on how to enable the "conn" number in the audit log; I can use it to find out
> >> "from where".
> >
> > Sorry, there is no way to do it yet. It would be an RFE, and
> > probably a new config attribute nsslapd-auditlog-level in Directory
> > Server. I cannot promise how soon the feature will be implemented,
> > but file the RFE here:
> >
> > https://github.com/389ds/389-ds-base/issues/new/choose
> >
> > Thanks,
> >
> > Mark
> >
> >>
> >> Thanks.
> >>
> >> Kathy.
> >>
> >> On Wed, Jan 26, 2022 at 12:10 PM Mark Reynolds <[email protected]> wrote:
> >>
> >> On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote:
> >>> Thanks Mark and Florence for your replies!
> >>>
> >>> I will check the directory389 list to see if there is any useful
> >>> information.
> >>>
> >>> By turning on audit logging, we'd like to have a record of
> >>> what was changed, when and by whom. For example, we should be
> >>> able to answer when and who added the user XYZ.
> >>> Unfortunately, IPA's audit logging isn't great to serve that
> >>> purpose; it provides information on what and when, not by
> >>> whom (the modifiersname field is useless).
> >>
> >> Why is modifiersname useless? It would be the Bind DN that
> >> performed the operation -> the "Who". The LDAP server only
> >> knows of "who" by its LDAP DN and there is no other value it
> >> could use. The "What" is the "dn", and the "When" is the
> >> "time" stamp in the audit log entry.
> >>
> >> For the "Where", you would need to know the connection ID.
> >> Then the access log could be parsed to find the IP address of
> >> the client. Technically the conn ID could be added to the
> >> audit log, but changing the logging format is problematic as
> >> people are already parsing our logs and every time we change
> >> the format we get complaints.
> >>
> >> Sorry, I guess I still don't understand what is missing. From
> >> my standpoint we already provide the Who, What, and When in
> >> the audit log (from the DS perspective). Perhaps the specific
> >> info you want is not available in the LDAP server?
> >>
> >> Mark
> >>
> >>>
> >>> For others facing similar situations, I found filebeat does
> >>> the trick: it can combine multiple lines of logs into a single
> >>> line before forwarding the logs, which is searchable.
> >>>
> >>> Thanks.
> >>>
> >>> Kathy.
> >>
> >> On Wed, Jan 26, 2022 at 10:40 AM Rob Crittenden <[email protected]> wrote:
> >> Kathy Zhu via FreeIPA-users wrote:
> >> > Thanks Mark and Florence for your replies!
> >> >
> >> > I will check the directory389 list to see if there is any useful
> >> > information.
> >> >
> >> > By turning on audit logging, we'd like to have a record of what was
> >> > changed, when and by whom. For example, we should be able to answer when
> >> > and who added the user XYZ. Unfortunately, IPA's audit logging isn't
> >> > great to serve that purpose; it provides information on what and when,
> >> > not by whom (the modifiersname field is useless).
> >>
> >> The IPA audit log is the apache error log.
> >>
> >> Adding a user you'll see something like:
> >>
> >> [Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] [email protected]: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS
> >>
> >> So user tuser added user suser successfully today at 1:30pm.
> >>
> >> rob
> >>
> >> > For others facing similar situations, I found filebeat does the
> >> > trick: it can combine multiple lines of logs into a single line before
> >> > forwarding the logs, which is searchable.
> >> >
> >> > Thanks.
> >> >
> >> > Kathy.
> >> >
> >>
> >>>
> >>> On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <[email protected]> wrote:
> >>>
> >>> The audit log is essentially just a list of LDIF
> >>> commands. If you remove the "time" and "result" lines
> >>> you can redirect the log straight to ldapmodify:
> >>>
> >>> time: 20220126111500
> >>> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> >>> result: 0
> >>> changetype: modify
> >>> replace: nsslapd-lookthroughlimit
> >>> nsslapd-lookthroughlimit: 5001
> >>> -
> >>> replace: modifiersname
> >>> modifiersname: cn=dm
> >>> -
> >>> replace: modifytimestamp
> >>> modifytimestamp: 20220126161500Z
> >>> -
> >>>
> >>> I'm not sure this log is worth "parsing" since it's just
> >>> describing the exact changes made to the server, and I'm
> >>> not sure there are that many useful "stats" that
> >>> could be gained by parsing it. What exactly are you
> >>> hoping to get out of it?
> >>>
> >>> Mark
> >>>
> >>> On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
> >>>> Hi,
> >>>> You should try with [email protected]
> >>>> <https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.org>,
> >>>> other users may have found a solution to your problem.
> >>>> flo
> >>>>
> >>>> On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <[email protected]> wrote:
> >>>>
> >>>> Yes, correct, Florence.
> >>>>
> >>>> BTW, Florence, I'd like to take this opportunity to
> >>>> let you know that I benefit from your blog,
> >>>> especially the one about certificates.
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Kathy.
> >>>>
> >>>> On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud <[email protected]> wrote:
> >>>>
> >>>> Hi Kathy,
> >>>> which log file are you referring to? 389-ds
> >>>> audit log in /var/log/dirsrv/slapd-xxx/audit?
> >>>>
> >>>> flo
> >>>>
> >>>> On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users <[email protected]> wrote:
> >>>>
> >>>> Hello list,
> >>>>
> >>>> I had FreeIPA audit log on. I feed audit
> >>>> logs to Graylog. Since there are multiple
> >>>> lines of logs for each event, I could not
> >>>> find a suitable extractor to parse the logs.
> >>>> Therefore, the logs are very hard to read.
> >>>> Could anyone in the list share how you
> >>>> process the logs if you are in a
> >>>> similar situation?
> >>>>
> >>>> Thanks!
> >>>>
> >>>> Kathy.
> >>>>
> >>>> _______________________________________________
> >>>> FreeIPA-users mailing list -- [email protected]
> >>>> To unsubscribe send an email to [email protected]
> >>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> >>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> >>>
> >>> --
> >>> Directory Server Development Team
> >>
> >> --
> >> Directory Server Development Team
> >
> > --
> > Directory Server Development Team
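An added example, not code from this thread or from the FreeIPA/389-ds projects: it flattens the two sources discussed above into one record per event, the IPA command lines in httpd error_log (who, what, when, where and result, in the form Rob quoted) and the multi-line LDIF records of the 389-ds audit log (with the bind DN from modifiersname/creatorsName as the "who", as Mark describes). The sample log lines are constructed; the principals, IPs and DNs in them are made up.

```python
import re
from datetime import datetime
# Constructed sample input, modelled on the error_log line Rob quoted.
ERROR_LOG = """\
[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] tuser@EXAMPLE.COM: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS
[Wed Jan 26 13:40:02.000001 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 10.10.0.6:50122] ipa: INFO: [jsonserver_session] kathy@EXAMPLE.COM: user_del/1('nobody', version='2.245'): NotFound
"""
# Constructed sample input, modelled on the audit record Mark quoted.
AUDIT_LOG = """\
time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-

"""
IPA_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[wsgi:error\] \[pid [^\]]+\] \[remote (?P<where>.+?):\d+\] "
    r"ipa: INFO: \[[^\]]+\] (?P<who>\S+): (?P<what>\w+)/\d+\((?P<args>.*)\): (?P<result>\w+)$")

def parse_error_log(text):
    """One dict per IPA command in httpd error_log: who, what, when, where, result."""
    out = []
    for m in filter(None, map(IPA_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["when"], "%a %b %d %H:%M:%S.%f %Y").isoformat()
        out.append(rec)
    return out

def parse_audit_log(text):
    """One flat dict per 389-ds audit record; records are blank-line separated LDIF."""
    out = []
    for block in filter(str.strip, text.split("\n\n")):
        rec = {"changes": []}
        for line in block.strip().splitlines():
            key, _, val = line.partition(": ")
            if key in ("time", "dn", "result", "changetype"):
                rec[key] = val
            elif key.lower() in ("modifiersname", "creatorsname"):
                rec["who"] = val  # bind DN of the writer, the "who" Mark describes
            else:
                rec["changes"].append(line)  # raw LDIF body kept as one event field
        out.append(rec)
    return out
```

Each returned dict is a single-line JSON-able event, which is what a Graylog or filebeat pipeline can index without a multi-line extractor.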
