On 09/01/2014 09:08 AM, alireza baghery wrote:
activity that users perform on client (ipa client)

There are several parts:
1) Authentication. If the authentication happens using kerberos which is the default ipa-client configuration then you will see the authentication attempts in the KDC logs on the server. If the system is offline and you enabled offline authentication the authentication will happen on the client side without contacting the server so the sssd logs will reflect this activity. 2) Identity lookups are trickier. SSSD will fetch and cache information about different identity objects and serve and refresh them following different configuration rules and timeouts. So SSSD logs will give you the full picture of the local activity. 3) SUDO - look at the sudo logs on the client as the client just fetches data to make a policy decision but the actual decision is made on the client based on what the user wants to do and what central policies say about it. 4) If you want to capture what the user is actually typing you need to use something like a keystroke logger. Then you would know what the user actually did.

To get then a consolidated and correlated picture you need to aggregate logs from different systems and process them. There are good open source solutions like Logstash or commertial like Splunk to process logs centrally.

HTH

Thanks
Dmitri



On Mon, Sep 1, 2014 at 11:12 AM, Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>> wrote:

    On 09/01/2014 08:29 AM, alireza baghery wrote:
    hi
    i have configured ipa (ipa on centos 6.5) but the problesm is i
    dont know where the logs activity users stored?
    i meens logs activity users must stored in ipa server, but where?
    thanks every body



    Which activity you are looking for?
    The administrating activity will be stored in the apache httpd
    logs, authentication activity will be stored in Kerberos logs, DS
    binds and changes will be stored in the DS logs, etc.. There is no
    consolidated logging yet. There are plans to normalize components
    to start logging into journald but this will take some time to
    materialize.

-- Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to