On 1/26/22 8:51 PM, Kathy Zhu via FreeIPA-users wrote:
Thanks to both Rob and Mark for your replies! Take user creation as an example:

in /var/log/httpd/error_log:

via GUI -  what, when and who
via CLI - what, when and admin (since admin privilege is needed)

in /var/log/dirsrv/slapd-EXAMPLE-COM/audit:

via GUI - what, when and who (dn of creatorsName and modifiersName)
via CLI - what, when and admin (dn of creatorsName and modifiersName)

Above example shows that if the user is created via GUI, the audit information is good. If via CLI, "who" is admin instead.

Inside the audit log, the values of modifiersname are "Directory Manager", admin, "krbprincipalname=ldap/..." and so on, while I am looking for a particular user.

In the /var/log/dirsrv/slapd-EXAMPLE-COM/access log, there is a "conn" number associated with each line. I'd love to get instructions on how to enable the "conn" number in the audit log; I can use it to find out "from where".

Sorry, there is no way to do it yet.  It would be an RFE, and probably a new config attribute, nsslapd-auditlog-level, in Directory Server.  I cannot promise how soon the feature will be implemented, but file the RFE here: https://github.com/389ds/389-ds-base/issues/new/choose

Thanks,

Mark


Thanks.

Kathy.

On Wed, Jan 26, 2022 at 12:10 PM Mark Reynolds <[email protected]> wrote:


    On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote:
    Thanks Mark and Florence for your replies!

    I will check the directory389 list to see if there is any useful
    information.

    By turning on audit logging, we'd like to have a record of what
    was changed, when and by whom. For example, we should be able to
    answer when and who added the user XYZ.  Unfortunately, IPA's
    audit logging isn't great for that purpose; it provides
    information on what and when, not by whom (the modifiersname field
    is useless).

    Why is modifiersname useless?  It would be the Bind DN that
    performed the operation -> the "Who".  The LDAP server only knows
    of "who" by its LDAP DN and there is no other value it could
    use.  The "What" is the "dn", and the "When" is the "time" stamp
    in the audit log entry.

    For the "Where", you would need to know the connection ID.  Then
    the access log could be parsed to find the IP address of the
    client.  Technically the conn ID could be added to the audit log,
    but changing the logging format is problematic as people are
    already parsing our logs and every time we change the format we
    get complaints.

    Sorry, I guess I still don't understand what is missing.  From my
    standpoint we already provide the Who, What, and When in the audit
    log (from the DS perspective).  Perhaps the specific info you want
    is not available in the LDAP server?

    Mark


    For others facing similar situations, I found filebeat does the
    trick: it can combine multiple lines of logs into a single line
    before forwarding the logs, which is searchable.

    Thanks.

    Kathy.
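
Mark's "Where" answer above (find the connection ID, then read the client address off the access log) can be scripted even though the audit log carries no conn number: walk the access log in order, remember each connection's peer and its currently bound DN, and report every write whose target DN and bound DN match the audit entry's dn and modifiersname. This is an added example, not 389-ds or FreeIPA code; the access-log lines are constructed (the MOD by "cn=Directory Manager" from 192.168.166.203 and a GSSAPI-bound add by uid=tuser over LDAPI are assumptions). One caveat for FreeIPA specifically: changes made through the IPA API arrive at LDAP from the IPA framework on the server itself (peer "local" over LDAPI, or the server's own address), so the end user's workstation address is the `[remote ...]` field in the httpd error_log, not anything in the Directory Server access log.

```python
import re

# Constructed sample in the 389-ds access log layout: conn=12 is a simple bind
# from a remote host that modifies cn=config; conn=13 is a SASL/GSSAPI bind over
# LDAPI (peer "local") whose bound DN is only reported on the final BIND RESULT.
SAMPLE_ACCESS = """\
[26/Jan/2022:11:15:00.100000000 -0500] conn=12 fd=64 slot=64 connection from 192.168.166.203 to 192.168.166.10
[26/Jan/2022:11:15:00.200000000 -0500] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[26/Jan/2022:11:15:00.210000000 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000010 dn="cn=directory manager"
[26/Jan/2022:11:15:00.300000000 -0500] conn=12 op=1 MOD dn="cn=config,cn=ldbm database,cn=plugins,cn=config"
[26/Jan/2022:11:15:00.310000000 -0500] conn=12 op=1 RESULT err=0 tag=103 nentries=0 etime=0.000200
[26/Jan/2022:11:15:05.000000000 -0500] conn=12 op=2 UNBIND
[26/Jan/2022:11:15:05.000000000 -0500] conn=12 op=2 fd=64 closed - U1
[26/Jan/2022:13:38:57.500000000 -0500] conn=13 fd=65 slot=65 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[26/Jan/2022:13:38:57.600000000 -0500] conn=13 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Jan/2022:13:38:57.610000000 -0500] conn=13 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000100, SASL bind in progress
[26/Jan/2022:13:38:57.700000000 -0500] conn=13 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Jan/2022:13:38:57.710000000 -0500] conn=13 op=1 RESULT err=0 tag=97 nentries=0 etime=0.000100 dn="uid=tuser,cn=users,cn=accounts,dc=example,dc=com"
[26/Jan/2022:13:38:57.800000000 -0500] conn=13 op=2 ADD dn="uid=suser,cn=users,cn=accounts,dc=example,dc=com"
[26/Jan/2022:13:38:57.810000000 -0500] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0.001000
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
PEER_RE = re.compile(r'connection from (?P<peer>\S+) to ')
OP_RE = re.compile(r'^op=\d+ (?P<kind>[A-Z]+)(?P<args>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}

def index_writes(text):
    """Walk the access log in order, tracking each connection's peer and bound DN,
    and return every write op with who (DN bound at that moment) and from (peer)."""
    peer, bound, writes = {}, {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        pm = PEER_RE.search(rest)
        if pm:
            peer[conn] = pm["peer"]      # "local" means an LDAPI (unix socket) client
            bound[conn] = ""             # a new connection starts out anonymous
            continue
        om = OP_RE.match(rest)
        if not om:
            continue                     # "closed", "fd=" and similar lines
        kind, args = om["kind"], om["args"]
        dm = DN_RE.search(args)
        if kind == "BIND" and dm and dm["dn"]:
            bound[conn] = dm["dn"]       # simple bind: DN is on the BIND line
        elif kind == "RESULT" and " tag=97 " in args and " err=0 " in args and dm:
            bound[conn] = dm["dn"]       # SASL bind: DN only on the final bind RESULT
        elif kind in WRITE_OPS and dm:
            writes.append({"when": m["ts"], "conn": conn, "what": kind, "dn": dm["dn"],
                           "who": bound.get(conn, ""), "from": peer.get(conn, "?")})
    return writes

def where_from(text, who, dn):
    """Candidates for one audit entry: same target dn, and the bound DN equal to the
    audit modifiersname. DN comparison is case-insensitive only, with no other
    normalisation; pick among several hits by comparing 'when' to the audit time."""
    return [w for w in index_writes(text)
            if w["dn"].lower() == dn.lower() and w["who"].lower() == who.lower()]
```

Because the bound DN is recorded at the moment of each write, a connection that re-binds as a different identity later is attributed correctly for each operation.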

On Wed, Jan 26, 2022 at 10:40 AM Rob Crittenden <[email protected]> wrote:
Kathy Zhu via FreeIPA-users wrote:
> Thanks Mark and Florence for your replies!
>
> I will check the directory389 list to see if there is any useful information.
>
> By turning on audit logging, we'd like to have a record of what was
> changed, when and by whom. For example, we should be able to answer when
> and who added the user XYZ.  Unfortunately, IPA's audit logging isn't
> great for that purpose; it provides information on what and when,
> not by whom (the modifiersname field is useless).

The IPA audit log is the apache error log.

Adding a user you'll see something like:

[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] [email protected]: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS

So user tuser added user suser successfully today at 1:30pm.

rob
>
> For others facing similar situations, I found filebeat does the trick:
> it can combine multiple lines of logs into a single line before forwarding
> the logs, which is searchable.
>
> Thanks.
>
> Kathy.
>
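
The httpd error_log line Rob shows is already one event per line, so it needs a field extractor rather than multi-line joining. Below is an added example, not code from Rob or from the FreeIPA project: a regular expression for that line layout that yields one flat record per API call (who, when, from where, which command, which target, and the result), and a lookup that answers "who added user X". The sample lines are constructed; the principal tuser@EXAMPLE.COM, the admin lines, the DuplicateEntry failure and the unrelated [core:notice] line are assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/httpd/error_log in the layout Rob pasted. The realm,
# the extra admin calls, the failed duplicate add and the core:notice line are invented.
SAMPLE_ERROR_LOG = """\
[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] tuser@EXAMPLE.COM: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS
[Wed Jan 26 13:41:02.103311 2022] [wsgi:error] [pid 1475984:tid 1476324] [remote 192.168.166.7:51002] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.COM: user_add/1('suser', givenname='some', sn='user', version='2.245'): DuplicateEntry
[Wed Jan 26 13:41:30.000000 2022] [core:notice] [pid 1475900:tid 1475900] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Jan 26 13:42:11.555555 2022] [wsgi:error] [pid 1475984:tid 1476325] [remote 192.168.166.7:51010] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.COM: user_del/1('suser', version='2.245'): SUCCESS
"""

# Apache prefix, then "ipa: INFO: [endpoint] principal: command/version(args): result".
IPA_AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid [^\]]+\] \[remote (?P<remote>[^\]]+)\] "
    r"ipa: INFO: \[(?P<server>[a-z_]+)\] (?P<who>\S+): "
    r"(?P<cmd>\w+)/(?P<ver>\d+)\((?P<args>.*)\): (?P<result>\w+)$"
)

def parse_ipa_audit(text):
    """One flat record per IPA API call; lines that are not IPA audit lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPA_AUDIT_RE.match(line)
        if not m:
            continue
        # The first positional argument is the primary key (the uid for user_* commands).
        first = re.match(r"'([^']*)'", m["args"])
        events.append({
            "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y").isoformat(),
            "who": m["who"],                        # Kerberos principal of the caller
            "endpoint": m["server"],                # jsonserver_session, jsonserver_kerb, ...
            "from": m["remote"].rsplit(":", 1)[0],  # client address without the port
            "what": m["cmd"],
            "target": first.group(1) if first else None,
            "args": m["args"],
            "result": m["result"],                  # SUCCESS or the exception class name
            "ok": m["result"] == "SUCCESS",
        })
    return events

def who_did(events, cmd, target):
    """Answer 'who ran <cmd> on <target>, when, and from where?' for successful calls only."""
    return [(e["when"], e["who"], e["from"]) for e in events
            if e["ok"] and e["what"] == cmd and e["target"] == target]
```

Failed calls are kept in the records (with the exception name as the result) because a burst of failures against one target is itself worth alerting on; only who_did filters them out.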


    On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds
    <[email protected]> wrote:

        The audit log is essentially just a list of LDIF commands. 
        If you remove the "time" and "result" lines you can redirect
        the log straight to ldapmodify:


        time: 20220126111500
        dn: cn=config,cn=ldbm database,cn=plugins,cn=config
        result: 0
        changetype: modify
        replace: nsslapd-lookthroughlimit
        nsslapd-lookthroughlimit: 5001
        -
        replace: modifiersname
        modifiersname: cn=dm
        -
        replace: modifytimestamp
        modifytimestamp: 20220126161500Z
        -


        I'm not sure this log is worth "parsing" since it's just
        describing the exact changes made to the server, and I'm not
        sure there are that many useful "stats" that could be
        gained by parsing it.  What exactly are you hoping to get out
        of it?

        Mark

        On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users
        wrote:
        Hi,
        You should try with [email protected]
        <https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.org>,
        other users may have found a solution to your problem.
        flo

        On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <[email protected]> wrote:

            Yes, correct, Florence.

            BTW, Florence, I'd like to take this opportunity to let
            you know that I benefit from your blog, especially the
            one about certificates.

            Thanks!

            Kathy.

            On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud
            <[email protected]> wrote:

                Hi Kathy,
                which log file are you referring to? 389-ds audit
                log in /var/log/dirsrv/slapd-xxx/audit?

                flo

                On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via
                FreeIPA-users <[email protected]>
                wrote:

                    Hello list,

                    I have FreeIPA audit logging on. I feed the audit logs to
                    Graylog. Since there are multiple lines of logs
                    for each event, I could not find a suitable
                    extractor to parse the logs. Therefore, the logs
                    are very hard to read. Could anyone on the list
                    share how you process the logs if you are in a
                    similar situation?

                    Thanks!

                    Kathy.



                    _______________________________________________
                    FreeIPA-users mailing list -- [email protected]
                    To unsubscribe send an email to [email protected]
                    Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
                    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
                    List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
                    Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure



-- Directory Server Development Team
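
Kathy's original problem (one audit event spans several lines, so a line-oriented Graylog extractor cannot handle it) and Mark's description of the format (a time:/dn:/result: header followed by the LDIF of the change, entries separated by blank lines) point at the same fix: split the file on blank lines, parse each entry once, and emit one JSON object per line for the shipper. The block below is an added example, not 389-ds or FreeIPA code. The sample is constructed: the modify entry is Mark's, the startup banner and the add of uid=suser by uid=tuser are assumptions. Note that the "time:" header is the server's local time while the *timestamp attribute values are UTC, which is why Mark's entry shows 11:15 local against 16:15Z.

```python
import base64
import json
import re
from datetime import datetime

# Constructed sample in the 389-ds audit log layout: a banner written at startup,
# then one entry per change, blank-line separated. The modify is Mark's example;
# the add entry (and its base64 description value) is invented for the demonstration.
SAMPLE_AUDIT = """\
\t389-Directory/2.0.14 B2022.011.0000
\tipa.example.com:389 (/etc/dirsrv/slapd-EXAMPLE-COM)

time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20220126161500Z
-

time: 20220126133857
dn: uid=suser,cn=users,cn=accounts,dc=example,dc=com
result: 0
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
uid: suser
givenName: some
sn: user
description:: U29tZSBVc2Vy
creatorsName: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
modifiersName: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
createTimestamp: 20220126183857Z
modifyTimestamp: 20220126183857Z

"""

def parse_audit_log(text):
    """One record per audit entry: who (the modifiersname/creatorsname bind DN),
    what (dn, changetype, attributes named in the modify ops, values written),
    when (the local-time 'time:' header) and the LDAP result code."""
    events = []
    for block in re.split(r"\n[ \t]*\n", text):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("time:"):
            continue  # startup banner, or an incomplete trailing block
        ev = {"who": None, "attrs": [], "changes": {}}
        for line in lines:
            if line == "-":
                continue  # LDIF separator between modify ops
            key, sep, val = line.partition(":")
            if not sep:
                continue
            key = key.strip().lower()
            if val.startswith(":"):  # "attr:: <base64>" is how LDIF carries non-safe values
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            else:
                val = val.strip()
            if key in ("time", "dn", "result", "changetype"):
                ev[key] = val
            elif key in ("modifiersname", "creatorsname"):
                ev["who"] = val  # the bind DN that performed the operation
            elif key in ("add", "delete", "replace"):
                ev["attrs"].append(val)  # attribute targeted by a modify op
            else:
                ev["changes"].setdefault(key, []).append(val)
        # 'time:' is server local time with no zone; *timestamp values are UTC.
        ev["when"] = datetime.strptime(ev["time"], "%Y%m%d%H%M%S").isoformat()
        events.append(ev)
    return events

def to_graylog_lines(events):
    """One JSON object per line: the single-line shape a log shipper can forward as-is."""
    return [json.dumps(e, sort_keys=True) for e in events]

def who_added(events, dn):
    """(when, who) for every successful add of the given entry DN."""
    return [(e["when"], e["who"]) for e in events
            if e.get("changetype") == "add" and e.get("result") == "0"
            and e.get("dn", "").lower() == dn.lower()]
```

Run the parser on a log rotated copy, or tail the live file and feed the JSON lines to Graylog's GELF or raw TCP input, and "who added uid=suser" becomes a one-field search on the who/dn fields instead of a multi-line grep.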



-- Directory Server Development Team



--
Directory Server Development Team
