On Tue, 20 Aug 2024, Natxo Asenjo via FreeIPA-users wrote:
hi,
On Mon, Aug 19, 2024 at 6:33 PM Djerk Geurts via FreeIPA-users <[email protected]> wrote:
Hi all,
I’m following these instructions:
https://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
To try and ingest IPA logs into Elasticsearch. And just found that the
content of the grok filters (FWGROK and AUDITAVC) aren’t listed. Would
anyone know where one might find these? A google search for these two terms
yields only the listed page, which doesn’t provide their content.
for FWGROK I could not find anything yet, but the other one you can find in
the archive, it seems:
https://listman.redhat.com/archives/freeipa-users/2014-June/012100.html
I think these are just ways of setting up matches for grok filters.
The whole thing is described in
https://www.freeipa.org/page/Centralized_Logging and heavily relies on
the research that Peter Schiffer did a decade ago. His scripts and
configurations are linked from the page and still available in the
github repositories he provides:
https://github.com/pschiffe/ipa-log-config -- configuration of the
IPA servers and clients on RHEL7. It needs updates, obviously, but
should have enough details.
https://github.com/pschiffe/rsyslog-elasticsearch-kibana --
pre-configured dashboards with elasticsearch and kibana.
Maybe Peter could give more details? To me it looked like those rules
for the firewall and auditd events were mostly coming out of logstash
distribution from that period of time, maybe?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
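As an added illustration of what "setting up matches for grok filters" means in practice (this is not code from the thread, from the freeipa.org page, or from Peter Schiffer's repositories, and the two pattern strings below are my own approximations, not the unpublished FWGROK and AUDITAVC definitions the thread is asking about): a grok pattern is an ordinary regex in which `%{NAME:field}` references expand to a named library pattern and a capture group. The tiny expander below does that expansion and runs two hypothetical patterns, one for a firewalld/iptables kernel log line and one for an auditd AVC line, against constructed sample lines; the pattern library is a small subset of what Logstash ships.

```python
import re

# Subset of the stock grok pattern library (names match Logstash's, bodies are
# simplified here). Assumption: these suffice for the two sample lines below.
GROK_PATTERNS = {
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# %{PATTERN} or %{PATTERN:field}
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into Python named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # KeyError on an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _GROK_REF.sub(repl, pattern)


def grok_match(pattern: str, line: str):
    """Return the captured fields as a dict, or None if the line does not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Hypothetical firewall pattern (NOT the real FWGROK): kernel netfilter log
# as rsyslog forwards it, keyed on the LOG prefix and the SRC/DST/PROTO fields.
FW_PATTERN = (
    r"%{WORD:prefix}: IN=%{WORD:in_if} OUT=%{DATA:out_if} .*"
    r"SRC=%{IPV4:src} DST=%{IPV4:dst} .*"
    r"PROTO=%{WORD:proto} SPT=%{INT:spt} DPT=%{INT:dpt}"
)

# Hypothetical auditd AVC pattern (NOT the real AUDITAVC).
AVC_PATTERN = (
    r"type=AVC msg=audit\(%{NUMBER:timestamp}:%{INT:serial}\): avc:\s+"
    r"%{WORD:result}\s+\{ %{DATA:permissions} \} for\s+pid=%{INT:pid} "
    r'comm="%{DATA:comm}".*scontext=%{NOTSPACE:scontext} '
    r"tcontext=%{NOTSPACE:tcontext} tclass=%{WORD:tclass}"
)


def parse_fw(line: str):
    return grok_match(FW_PATTERN, line)


def parse_avc(line: str):
    return grok_match(AVC_PATTERN, line)


# Constructed sample lines (documentation addresses, invented timestamps).
SAMPLE_FW = (
    "Aug 20 10:15:01 ipa1 kernel: [12345.678901] FINAL_REJECT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP "
    "SPT=51234 DPT=636 WINDOW=29200 RES=0x00 SYN URGP=0"
)
SAMPLE_AVC = (
    "type=AVC msg=audit(1724140000.123:4567): avc:  denied  { read } for  "
    'pid=1234 comm="httpd" name="ipa.conf" dev="dm-0" ino=98765 '
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0"
)

if __name__ == "__main__":
    print("firewall:", parse_fw(SAMPLE_FW))
    print("avc:", parse_avc(SAMPLE_AVC))
    print("non-AVC audit line:", parse_avc("type=SYSCALL msg=audit(1:2): arch=c000003e"))
```

Two things carry over to real Logstash configuration: literal regex metacharacters in the surrounding text (the parentheses after `audit`, the braces around the permission set) must be escaped exactly as they would be in a plain regex, and a pattern that does not match returns nothing rather than partial fields, so a `_grokparsefailure` tag in Logstash usually means one literal or one `%{...}` reference in the pattern does not line up with the actual log format, which is worth checking line by line before blaming the pattern library.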
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue