On Tue, 20 Aug 2024, Djerk Geurts wrote:
On 20 Aug 2024, at 08:16, Alexander Bokovoy <[email protected]> wrote:
On Tue, 20 Aug 2024, Natxo Asenjo via FreeIPA-users wrote:
hi,
On Mon, Aug 19, 2024 at 6:33 PM Djerk Geurts via FreeIPA-users <
[email protected]> wrote:
Hi all,
I’m following these instructions:
https://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
To try and ingest IPA logs into Elasticsearch. And just found that the
content of the grok filters (FWGROK and AUDITAVC) aren’t listed. Would
anyone know where one might find these? A google search for these two terms
yields only the listed page, which doesn’t provide their content.
for FWGROK I could not find anything yet, but the other one you can find in
the archive, it seems:
https://listman.redhat.com/archives/freeipa-users/2014-June/012100.html
I think these are just ways of setting up matches for grok filters.
The whole thing is described in
https://www.freeipa.org/page/Centralized_Logging and heavily relies on
the research that Peter Schiffer did a decade ago. His scripts and
configurations are linked from the page and still available in the
github repositories he provides:
https://github.com/pschiffe/ipa-log-config -- configuration of the
IPA servers and clients on RHEL7. It needs updates, obviously, but
should have enough details.
https://github.com/pschiffe/rsyslog-elasticsearch-kibana --
pre-configured dashboards with elasticsearch and kibana.
Maybe Peter could give more details? To me it looked like those rules
for the firewall and auditd events were mostly coming out of logstash
distribution from that period of time, maybe?
Quite true, thank you for the GitHub link. All these pages appear quite
dated and I’ll be happy to propose updates when I get things working on
my servers. Others must have working configs based on current IPA and
Elastic versions, but at least I’m learning a lot in trying to get
proper logging in place.
I’ve since found both Duncan’s grok filters here:
https://gist.github.com/duncaninnes/cc54bc01ed45fcd77961
Now that I have the filters, I’m working through “_grokparsefailure”
errors, which, as you suggest, is unsurprising since these articles
were written a decade ago.
Glad to hear you've made progress!
Once you are ready to submit updates, they can be done as pull requests
to https://github.com/freeipa/freeipa.github.io. The specific pages are
https://github.com/freeipa/freeipa.github.io/blob/main/src/page/Centralized_Logging.rst
and
https://github.com/freeipa/freeipa.github.io/blob/main/src/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana.rst
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
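The `_grokparsefailure` tag discussed in this thread is what Logstash attaches to an event when none of the grok patterns in a filter block match the line, which is exactly what happens when decade-old patterns meet a newer log format. The script below is an added example, not code from the thread, from Peter Schiffer's repositories, or from Duncan's gist: it emulates a grok filter block with a small hypothetical subset of base patterns (`INT`, `WORD`, `IP`, `TIMESTAMP_ISO8601`, `NOTSPACE`, `GREEDYDATA`), expands `%{PATTERN:field}` references into Python regexes, and runs constructed sample lines through the patterns so you can see which lines would be tagged `_grokparsefailure` before touching a live pipeline. The sample log lines and the two match patterns are constructed for illustration and are not the real FWGROK or AUDITAVC filters.

```python
import re

# Hypothetical subset of grok base patterns (constructed; Logstash ships a much
# larger library, and its real definitions differ in detail).
GROK_PATTERNS = {
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:?\d{2}|Z)?",
    "GREEDYDATA": r".*",
}

# Matches %{NAME} or %{NAME:field} references inside a grok expression.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> re.Pattern:
    """Expand grok references into a Python regex with named capture groups.

    Anchored at the start of the line (re.match); Logstash grok is unanchored
    by default, so a production pattern usually adds ^ explicitly for speed.
    """
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise KeyError(f"unknown grok pattern {name}")
        inner = GROK_PATTERNS[name]
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(_GROK_REF.sub(expand, pattern))


def grok_event(line: str, filters: list) -> dict:
    """Emulate one grok block: first matching pattern wins, otherwise tag the
    event with _grokparsefailure, as Logstash does."""
    for compiled in filters:
        m = compiled.match(line)
        if m:
            return {"message": line, **m.groupdict(), "tags": []}
    return {"message": line, "tags": ["_grokparsefailure"]}


def parse_failures(lines: list, filters: list) -> list:
    """Return the lines that no pattern matched, which is what you iterate on
    when reworking old filters for a new log format."""
    return [l for l in lines if "_grokparsefailure" in grok_event(l, filters)["tags"]]


# Constructed sample lines in a hypothetical syslog-like layout (not real IPA output).
SAMPLE_LINES = [
    "2024-08-19T18:33:01+02:00 ipa1 sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.10 port 51234 ssh2",
    "2024-08-19T18:34:07+02:00 ipa1 kernel: FW-DROP IN=eth0 SRC=198.51.100.7 "
    "DST=192.0.2.5 PROTO=TCP DPT=22",
    "this line matches nothing",
]

# Two constructed match patterns standing in for a firewall and an sshd filter.
FILTERS = [
    compile_grok(
        r"%{TIMESTAMP_ISO8601:ts} %{NOTSPACE:host} sshd\[%{INT:pid}\]: Accepted "
        r"%{WORD:method} for %{WORD:user} from %{IP:src_ip} port %{INT:src_port}"
        r"%{GREEDYDATA:rest}"
    ),
    compile_grok(
        r"%{TIMESTAMP_ISO8601:ts} %{NOTSPACE:host} kernel: FW-DROP IN=%{WORD:in_if} "
        r"SRC=%{IP:src_ip} DST=%{IP:dst_ip} PROTO=%{WORD:proto} DPT=%{INT:dst_port}"
    ),
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(grok_event(line, FILTERS))
    print("unparsed:", parse_failures(SAMPLE_LINES, FILTERS))
```

Feed the script a few hundred real lines from your own servers (with the pattern list swapped for the ones you are porting) and `parse_failures` gives you the residue to fix, pattern by pattern, without restarting Logstash for every attempt.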