I have recently started investigating FreeIPA and centralized logging/audit,
capturing, processing and visualization of the logs centrally in an ELK
instance or similar.
This is a pretty loaded topic; audit/centralized log processing is a big task
beyond IPA itself, which is also one of the reasons why IPA does not have its
A part yet... Before I go further in the investigation, I wanted to check with
you - admins and users of FreeIPA - what would you expect or what are your use
cases for the centralized logging/audit of FreeIPA?
So far, I had the following use cases in mind:
* As Admin or Auditor, I want to see all calls to FreeIPA API so that I can
audit administrative changes to FreeIPA servers (source - apache log)
* As Security Administrator, I want to see all logins in the network so that I
can track both successful attempts for audit, but also failed attempts for
brute-force attack detection (source - audit log)
* As Network Administrator, I want to see replication status of all my FreeIPA
replicas so that I can amend the issue in a timely manner and avoid using
out-of-sync data (source - dirsrv errors log)
* As Infrastructure Administrator, I want to see broken AD Trusts so that I can
restore the functionality (source - correlation between different logs,
especially SSSD server mode logs)
Does this make sense to you? Or do you have any more use cases for centralized
FreeIPA logging/audit in mind? Or do you even have some infrastructure in place
that you would like to share?
Any feedback is highly welcome! Thanks for your help.
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
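As an added illustration of the second use case above (tracking successful and failed logins for audit and brute-force detection), the following script is not from the post or from the FreeIPA project. It parses initial-authentication (AS_REQ) entries from log lines written in the style of the MIT Kerberos KDC log (krb5kdc.log) that an IPA server produces; the exact field layout is an assumption and the sample records are constructed for this example, not captured from a real server. It counts successes and failures per source and principal, flags sources with a burst of failures inside a time window, and flags a success that follows a run of failures from the same source, which is the pattern a defender most wants surfaced.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the style of krb5kdc.log (made up for this
# example; hostnames, principals and addresses are documentation values).
SAMPLE_LOG = """\
Mar 01 10:00:01 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1709287201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 01 10:00:05 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Mar 01 10:00:09 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Mar 01 10:00:14 ipa.example.test krb5kdc[2211](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1709287201, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for HTTP/ipa.example.test@EXAMPLE.TEST
Mar 01 10:00:20 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Mar 01 10:01:02 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: carol@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Mar 01 10:01:30 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Mar 01 10:02:00 ipa.example.test krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: ISSUE: authtime 1709287320, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Only AS_REQ entries (initial logins) are of interest; TGS_REQ lines are
# service-ticket requests and are skipped. The layout is an assumption about
# the common krb5kdc.log format; adjust the pattern for your KDC version.
AS_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ .*? (?P<src>\d{1,3}(?:\.\d{1,3}){3}): (?P<status>[A-Z_]+): "
    r".*?(?P<princ>[\w.-]+@[\w.-]+) for "
)


def parse_as_req(line):
    """Return a record dict for an AS_REQ line, or None for anything else."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "princ": m.group("princ"),
        "ok": m.group("status") == "ISSUE",  # ISSUE means a ticket was granted
    }


def parse_log(text):
    return [r for r in (parse_as_req(l) for l in text.splitlines()) if r]


def summarize(records):
    """Audit view: totals plus failures broken down by source and principal."""
    by_src, by_princ = defaultdict(int), defaultdict(int)
    success = failed = 0
    for r in records:
        if r["ok"]:
            success += 1
        else:
            failed += 1
            by_src[r["src"]] += 1
            by_princ[r["princ"]] += 1
    return {"success": success, "failed": failed,
            "failed_by_source": dict(by_src), "failed_by_principal": dict(by_princ)}


def failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any sliding `window`."""
    times = defaultdict(list)
    for r in records:
        if not r["ok"]:
            times[r["src"]].append(r["ts"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def successes_after_failures(records, min_failures=3):
    """A granted ticket preceded by a run of failures for the same
    principal from the same source: worth an analyst's attention."""
    streak = defaultdict(int)
    hits = []
    for r in records:
        key = (r["princ"], r["src"])
        if r["ok"]:
            if streak[key] >= min_failures:
                hits.append((r["princ"], r["src"], streak[key]))
            streak[key] = 0
        else:
            streak[key] += 1
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("summary:", summarize(recs))
    print("failure bursts:", failure_bursts(recs))
    print("success after failures:", successes_after_failures(recs))
```

In a central ELK-style pipeline the same three functions map onto an aggregation per source address, a windowed count alert, and a sequence correlation; running them over the constructed sample reports two successes and five failures, one source with four failures inside five minutes, and one principal whose ticket was issued right after that run.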