-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: 05 June 2015 13:31
To: Innes, Duncan; freeipa-devel@redhat.com; Jakub Hrozek
Subject: Re: [Freeipa-devel] Suggestion for the A part of IPA
> On 06/02/2015 10:29 AM, Innes, Duncan wrote:
> > Just a bit of a heads-up and a refresh of this with perhaps some new
> > data.
>
> We have more now! I created
> https://www.freeipa.org/page/Centralized_Logging
> where you can read more about this POC project and even see a demo showing
> what the current POC ELK server can do (with link to Docker server
> container and sources of course).

Excellent stuff - I fumbled together the page linked in your "Other Resources"
section at the bottom. Will be upgrading my configs to replicate what you've
done with respect to pulling in extra log files.

> > Thoughts? I'm not saying they should always be paired, but that if a
> > user designs a system with enough horse power, this piggy-backing
> > could work well.
>
> Ah, interesting idea and measurement. We have not thought about this kind
> of architecture yet. What we did in our POC is to configure FreeIPA
> clients and servers to send the logs directly to the logging server which
> was on a completely different machine (container) than the rest of the
> infrastructure.
>
> It may be an alternative scheme, to have the FreeIPA server containing the
> log processing and then forwarding further to another REK/ELK server, and
> clients simply forwarding the logs to the same server as where they are
> authenticating.
> If all the log configuration is baked in
> ipa-{server,replica,client}-install, it would be extremely easy to
> integrate.

I was also thinking that this kind of setup would work well in a heavily
firewalled environment. We have both hardware and host-based iptables
firewalls across the estate. In our case, pairing the firewall rules for
logging to the IPA servers is much easier than creating new servers and
requesting separate rules for them. Every client needs to talk to the IPA
servers via the IPA ports after all. Adding in an extra port to the firewall
rule group for IPA isn't hard to maintain.
> I am not sure if the authentication+logging binding would be that easy,
> nor that it belongs together that much. SSSD would need to dynamically
> export the address of the FreeIPA server it communicates with, maybe
> similarly as it does with Kerberos
> (http://linux.die.net/man/8/sssd_krb5_locator_plugin) - but that does
> not seem as a good fit either.

No - perhaps not. Again I'm thinking more from my current situation. We were
not given access to create _SRV_ records by the AD team, so we have had to
hard-code our IPA servers into the config files, i.e.

    [domain/unix.example.com]
    cache_credentials = True
    krb5_realm = UNIX.EXAMPLE.COM
    ipa_domain = unix.example.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = client01.unix.example.com
    chpass_provider = ipa
    ipa_server = ipa01.unix.example.com, ipa02.unix.example.com
    ldap_tls_cacert = /etc/ipa/ca.crt

We try and figure out which IPA servers we can see, then randomise the order
of available servers and put it in the ipa_server setting. So relatively
simple for our setup to copy this config into an rsyslog.d config file. Less
easy if you just use _srv_ in there. Not sure how you'd do that to be fair.
But if it's possible to parse the data coming back from the DNS _SRV_ query,
couldn't all the potential IPA servers be included for rsyslog failover? If
all my remote servers are down, my failover reverts to /dev/null, so no data
will be written to disk if I'm isolated.

That's for rsyslog of course. I'm also working on getting
systemd-journal-upload to send direct to logstash (hopefully with the http
input plugin).

> In any case, CCing Jakub for reference.
>
> Thanks,
> Martin
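The scheme Duncan sketches above (parse the _SRV_ answer, keep the servers you can reach, randomise, write an rsyslog failover chain that does not end in /dev/null), as an added worked example that is not code from this thread, from FreeIPA or from SSSD. It parses a dig-style answer for the _ldap._tcp SRV record sssd uses when ipa_server = _srv_, orders the servers the way RFC 2782 prescribes (ascending priority, then a weighted random draw within a priority), optionally drops servers a reachability probe cannot see, and renders rsyslog's documented failover idiom (action.execOnlyWhenPreviousIsSuspended on every action after the first, a local file as the last resort). The sample SRV records, the syslog port 514 and the local buffer path are constructed assumptions; the SRV port (389) is LDAP and is only used for the reachability probe.

```python
"""Build an rsyslog failover chain from the IPA SRV records a client can see.

Added example, not code from the freeipa-devel thread, FreeIPA or SSSD.
Assumptions (all constructed): IPA servers are discovered from the
_ldap._tcp SRV record that sssd uses for "ipa_server = _srv_"; every IPA
server runs a syslog receiver on TCP 514 (the SRV port, 389, is LDAP and is
only used for the reachability probe); the SRV answer below is sample data
for an imaginary domain, not a real DNS response.
"""
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed dig-style answer: two servers at priority 0 and one backup.
SAMPLE_SRV_ANSWER = """\
;; ANSWER SECTION:
_ldap._tcp.unix.example.com. 86400 IN SRV 0 100 389 ipa01.unix.example.com.
_ldap._tcp.unix.example.com. 86400 IN SRV 0 100 389 ipa02.unix.example.com.
_ldap._tcp.unix.example.com. 86400 IN SRV 10 50 389 ipa03.unix.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without the trailing dot


def parse_srv_answer(text: str) -> List[SrvRecord]:
    """Parse zone-file / dig style SRV lines; comments, blank lines and
    anything that is not an IN SRV record are skipped rather than trusted."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue
        prio, weight, port, target = fields[4:8]
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def srv_order(records: Iterable[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 ordering: ascending priority; inside one priority a weighted
    random draw without replacement, so heavier servers tend to come first but
    all clients do not pile onto the same one."""
    by_prio = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            weights = [r.weight for r in pool]
            pick = rng.choices(pool, weights=weights)[0] if sum(weights) else rng.choice(pool)
            pool.remove(pick)
            ordered.append(pick)
    return ordered


Probe = Callable[[str, int], bool]


def plan_servers(answer_text: str, seed: Optional[int] = None,
                 probe: Optional[Probe] = None) -> List[SrvRecord]:
    """Parse, filter by reachability (the probe is injected so this runs
    offline; in production pass a TCP connect check), then order."""
    records = parse_srv_answer(answer_text)
    if probe is not None:
        records = [r for r in records if probe(r.target, r.port)]
    return srv_order(records, random.Random(seed))


def rsyslog_failover(records: List[SrvRecord], syslog_port: int = 514,
                     local_buffer: str = "/var/log/ipa-forward-buffer.log") -> str:
    """Render rsyslog's failover idiom: the first omfwd action gets a queue and
    retries forever, each later action only fires while the one before it is
    suspended, and the final omfile keeps messages on disk instead of losing
    them when every IPA server is unreachable."""
    if not records:
        raise ValueError("no reachable IPA servers; refusing to write a config that drops everything")
    lines = ["# generated from _ldap._tcp SRV records; regenerate, do not hand-edit"]
    for i, r in enumerate(records):
        opts = ['type="omfwd"', f'target="{r.target}"', f'port="{syslog_port}"', 'protocol="tcp"']
        if i == 0:
            opts += ['action.resumeRetryCount="-1"', 'queue.type="linkedList"', 'queue.size="10000"']
        else:
            opts.append('action.execOnlyWhenPreviousIsSuspended="on"')
        lines.append("*.* action(" + " ".join(opts) + ")")
    lines.append(f'*.* action(type="omfile" file="{local_buffer}" '
                 'action.execOnlyWhenPreviousIsSuspended="on")')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rsyslog_failover(plan_servers(SAMPLE_SRV_ANSWER, seed=42)), end="")
```

Dropping the output into /etc/rsyslog.d/ on each client gives the same failover order sssd would compute for _srv_, and the omfile tail is what replaces the /dev/null sink: when the client is isolated the messages wait on local disk instead of disappearing.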