Just a bit of a heads-up and a refresh of this with perhaps some new data.

> Good to hear :-) We recently also started investigating the Audit
> capabilities for (notice I write "for" and not "in") IPA. You can
> check my initial nudge to the freeipa-users list, which was
> unfortunately with no reply:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00940.html
>

First up, just got round to reading this, Martin. Not sure how I missed it when it first came out as it's a strong area of interest for me.

The main part of what this message is about is a big change I made to our logging recently. I added in 4 of our main production IPA servers (there are 8 in total, but 4 sit beyond firewalls that take more scrutiny for changes than I wanted for now). The 4 I've added, though, serve more clients I figure.

The amount of log traffic to the pair of Logstash servers has now jumped from around 50k records/hour to around 250k. Doubtless this still doesn't push any of the parts to their limits, but there has been a barely noticeable increase in CPU usage on the 2 Logstash servers. We've gone from around 2% CPU usage to 4%.

Since the CPU usage on our 'loudest' IPA server rarely peaks above 10%, this doesn't present nearly as much load as I had anticipated. I have run Logstash parsers on my DEV IPA boxes, but will now investigate running them on my Prod servers too.

What I'm getting at is that perhaps clients sending logs back to the IPA servers for parsing, then being sent on to a central DB for storage, isn't going to break the bank performance-wise. All of the systems in question here are 2vCPU with 4Gb vRAM running on ESXi hosts, so nothing special in the performance arena.

It strikes me as a reasonably elegant solution to pair the authentication and log parsing services on the same set of servers. This would allow each client to use the same servers/failover etc. for SSSD as for rsyslog. There may, of course, be other considerations, but I'm suggesting that system load isn't necessarily one of them.
Much as projects such as Katello can run with everything on the same server, or split out Postgres and the like onto separate servers when there are performance considerations.

Thoughts? I'm not saying they should always be paired, but that if a user designs a system with enough horse power, this piggy-backing could work well.

Cheers

Duncan

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code