> On 20 Aug 2024, at 08:16, Alexander Bokovoy <[email protected]> wrote:
>
> On Tue, 20 Aug 2024, Natxo Asenjo via FreeIPA-users wrote:
>> hi,
>>
>>
>> On Mon, Aug 19, 2024 at 6:33 PM Djerk Geurts via FreeIPA-users <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I’m following these instructions:
>>> https://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
>>>
>>> To try and ingest IPA logs into Elasticsearch. And just found that the
>>> content of the grok filters (FWGROK and AUDITAVC) aren’t listed. Would
>>> anyone know where one might find these? A google search for these two terms
>>> yields only the listed page, which doesn’t provide their content.
>>>
>>
>> for FWGROK I could not find anything yet, but the other one you can find in
>> the archive, it seems:
>>
>> https://listman.redhat.com/archives/freeipa-users/2014-June/012100.html
>
> I think these are just ways of setting up matches for grok filters.
> The whole thing is described in
> https://www.freeipa.org/page/Centralized_Logging and heavily relies on
> the research that Peter Schiffer did a decade ago. His scripts and
> configurations are linked from the page and still available in the
> github repositories he provides:
>
> https://github.com/pschiffe/ipa-log-config -- configuration of the
> IPA servers and clients on RHEL7. It needs updates, obviously, but
> should have enough details.
>
> https://github.com/pschiffe/rsyslog-elasticsearch-kibana --
> pre-configured dashboards with elasticsearch and kibana.
>
> Maybe Peter could give more details? To me it looked like those rules
> for the firewall and auditd events were mostly coming out of the logstash
> distribution from that period of time, maybe?
Quite true, thank you for the GitHub link. All these pages appear quite dated
and I’ll be happy to propose updates when I get things working on my servers.
Others must have working configs based on current IPA and Elastic versions, but
at least I’m learning a lot in trying to get proper logging in place.
I’ve since found both Duncan’s grok filters here:
https://gist.github.com/duncaninnes/cc54bc01ed45fcd77961
Now that I have the filters, I’m working through “_grokparsefailure” errors,
which, as you suggest, is unsurprising since these articles were written a
decade ago.
Thanks,
Djerk Geurts
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue