Yeah, to find what I'm looking for I keep a list of grep examples, as auditors 
generally ask for the same things! I modify httpd.conf to send ErrorLog 
messages to syslog and then use syslog to send those to a server with cheap 
storage to keep a long history.

Regards
Angus

________________________________
From: Charles Hedrick <hedr...@rutgers.edu>
Sent: 15 January 2020 22:54
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Ryan Slominski <ry...@jlab.org>; Angus Clarke <p...@angusclarke.com>
Subject: Re: [Freeipa-users] Where is the "Audit" in IPA?

This looks pretty reasonable. Unfortunately it intermixed lots of info. The 
files grow rapidly enough that it’s probably not practical to keep them for a 
long time. It might not be hard to pull out just the things that make changes.

On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Just a note from a fellow user ...

Changes made through the API are logged via Apache's ErrorLog directive; I've 
been using this to some degree of success to answer 3rd party audit queries. 
However, it does miss things like "which groups was this user a member of when 
they were deleted" though ... The facilities you are asking about sound 
excellent, Ryan!

Regards
Angus

________________________________
From: Ryan Slominski via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: 15 January 2020 20:28
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: Ryan Slominski <ry...@jlab.org>
Subject: [Freeipa-users] Where is the "Audit" in IPA?

Hi FreeIPA dudes,

What is the status of audit in IPA? Specifically, is there an easy way to 
determine what the group membership of a particular group was at a 
particular point in time, say last October? I noticed there is an audit log 
file (disabled by default), but that is going to be a not-so-easy way to try to 
re-construct group membership at a point in time in the past. I was hoping to 
just navigate to a "history" tab on the GUI, but no such luck. Is this on 
anyone's todo list? I also noticed a "Centralized Logging" webpage that 
suggests setting up an ELK stack, but that doesn't quite provide snapshots of 
group membership.

What about the ability to subscribe to changes (as opposed to poll them)? I 
suppose the replication features could be used somehow, but those are also 
polling based? Would be nice to configure simple callbacks (perhaps HTTP post) 
when things change. I believe this is called a webhook. Any support for 
this kind of notification system?

Thanks,

Ryan
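
Added example, not part of the original thread or of FreeIPA: one way to pull only the change-making API calls out of the httpd error log that Angus and Charles discuss, and to replay group_add_member / group_remove_member entries to rebuild a group's user membership at a past date. The sample lines are constructed, and the line layout, the `user=(...)` argument form and the read-only command suffixes are assumptions to check against your own logs.

```python
import re
from datetime import datetime

# Constructed sample lines. Assumed layout: the "ipa: INFO: [...] principal:
# command/1(args): RESULT" entries that the IPA API writes via Apache's ErrorLog.
SAMPLE_LOG = """\
[Tue Oct 01 09:00:01.000000 2019] [wsgi:error] [pid 2101] [remote 192.0.2.10:0] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: group_add_member/1('auditors', user=('alice', 'bob')): SUCCESS
[Tue Oct 01 09:05:12.000000 2019] [wsgi:error] [pid 2101] [remote 192.0.2.10:0] ipa: INFO: [jsonserver_session] helpdesk@EXAMPLE.TEST: group_show/1('auditors'): SUCCESS
[Mon Oct 14 16:30:45.000000 2019] [wsgi:error] [pid 2101] [remote 192.0.2.11:0] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: group_remove_member/1('auditors', user=('bob',)): SUCCESS
[Fri Nov 08 11:02:03.000000 2019] [wsgi:error] [pid 2140] [remote 192.0.2.10:0] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: group_add_member/1('auditors', user=('carol',)): SUCCESS
[Fri Nov 08 11:03:00.000000 2019] [wsgi:error] [pid 2140] [remote 192.0.2.12:0] ipa: INFO: [jsonserver_session] dave@EXAMPLE.TEST: group_add_member/1('auditors', user=('dave',)): ACIError
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*? ipa: INFO: \[\S+\] (?P<who>\S+): "
    r"(?P<cmd>\w+)/\d+\((?P<args>.*)\): (?P<result>\w+)$"
)
# Assumption: lookups end in _show/_find (plus ping); everything else may change data.
READ_ONLY = re.compile(r"_(show|find)$|^ping$")

def parse(log_text):
    """Yield (time, principal, command, args, result) for each IPA API line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m["who"], m["cmd"], m["args"], m["result"]

def changes(log_text):
    """Keep only successful calls that are not read-only lookups."""
    return [e for e in parse(log_text)
            if e[4] == "SUCCESS" and not READ_ONLY.search(e[2])]

def members_at(log_text, group, when):
    """Replay add/remove events up to `when`; the log must be in time order."""
    members = set()
    for ts, _who, cmd, args, _res in changes(log_text):
        if ts > when or cmd not in ("group_add_member", "group_remove_member"):
            continue
        quoted = re.findall(r"'([^']*)'", args)
        if not quoted or quoted[0] != group:  # first argument is the group name
            continue
        block = re.search(r"\buser=\(([^)]*)\)", args)
        users = set(re.findall(r"'([^']*)'", block.group(1))) if block else set()
        members = members | users if cmd == "group_add_member" else members - users
    return members
```

The replay only covers changes made through the API for as long as the log history is kept. A user deletion shows up as its own call rather than as a removal from each group, which is the gap Angus mentions.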
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org