The A part of IPA has always been of great interest to me. Our current
IPA infrastructure works well at the I & P parts, giving us great
failover abilities and connectivity through hardware firewalls without
punching too many holes.
Whilst the A part may not be solely about centralised logging, it's the
thing I've been looking into recently. To do this I've built a setup
around the ELK stack using a pair of Logstash servers and an
ElasticSearch cluster of 5 servers (overkill on the ES side perhaps, but
this is proof of concept still). To expand on this, I've been looking
at running the Logstash serviceon each of our IPA servers as that gives
us a failover pair in each part of our network. The Logstash servers
then connect to the ES cluster as non-data nodes. Each client has an
rsyslog7 (still using RHEL6 at the moment) config that writes sends the
logs in JSON format with some extra bespoke fields added (such as
Project, Environment, and Use to help us search better). The sending is
done in rsyslog's rather clunky failover method to the local pair of
Logstash servers (with a third failover being to /dev/null).
It struck me that this kind of setup might not be too far removed from
some of the A part of IPA.
I'm not good at ASCII flowchart diagrams, so will leave it there for
now. The main point of this - does any of this idea sound reasonable to
add in to FreeIPA? To me it sounds like a good fit for getting (some)
logging data back to a central point.
The Logstash indexers currently have a very low load (perhaps due to the
incoming data already being JSON) and small memory footprint. They run
without issue on our IPA servers. The ES nodes are different and I
won't pretent to be any sort of expert in what they do. They load up a
bit when I shut 1 of them down, but that's the rebalancing happening.
Apologies if this is off topic, or wide of the mark.
This message has been checked for viruses and spam by the Virgin Money email
scanning system powered by Messagelabs.
This e-mail is intended to be confidential to the recipient. If you receive a
copy in error, please inform the sender and then delete this message.
Virgin Money plc - Registered in England and Wales (Company no. 6952311).
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL.
Virgin Money plc is authorised by the Prudential Regulation Authority and
regulated by the Financial Conduct Authority and the Prudential Regulation
The following companies also trade as Virgin Money. They are both authorised
and regulated by the Financial Conduct Authority, are registered in England and
Wales and have their registered office at Jubilee House, Gosforth, Newcastle
upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no.
3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).
For further details of Virgin Money group companies please visit our website at
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code