On 1/26/22 8:51 PM, Kathy Zhu via FreeIPA-users wrote:

Thanks both Rob and Mark for your replies! Take user creation as an example: 

in /var/log/httpd/error_log: 

via GUI -  what, when and who

via CLI - what, when and admin (since admin privilege is needed)

in /var/log/dirsrv/slapd-EXAMPLE-COM/audit: 

via GUI - what, when and who (dn of creatorsName and modifiersName)

via CLI - what, when and admin (dn of creatorsName and modifiersName) 

Above example shows that if the user is created via GUI, the audit information is good. If via CLI, "who" is admin instead. 

Inside audit log, the values of modifiersname are "Directory Manager", admin, "krbprincipalname=ldap/..." and so on, while I am looking for a particular user. 

in /var/log/dirsrv/slapd-EXAMPLE-COM/access log, there is a "conn" number associated with each line, I'd love to get the instruction how to enable "conn" number in audit log, I can use it find out "from where".

Sorry there is no way to do it yet.  It would be an RFE, and probably a new config attribute nsslapd-auditlog-level in Directory Server.  I can not promise how soon the feature will be implemented, but file the RFE here:  https://github.com/389ds/389-ds-base/issues/new/choose

Thanks,

Mark

Thanks. 

Kathy. 

On Wed, Jan 26, 2022 at 12:10 PM Mark Reynolds <mareynol@redhat.com> wrote:

On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote:

Thanks Mark and Florence for your replies! 

I will check directory389 list to see if there is any useful information. 

By turning on audit logging, we'd like to have a record of what was changed, when and by whom. For example, we should be able to answer when and who added the user XYZ.  Unfortunately, IPA's audit logging isn't great to serve that purpose, it provides information of what and when, not by whom (modifiersname field is useless).

Why is modifiersname useless?  It would be the Bind DN that performed the operation -> the "Who".  The LDAP server only knows of "who" by it's LDAP DN and there is no other value it could use.  The "What" is the "dn", and the "When" is the "time" stamp in the audit log entry. 

For the "Where", you would need to know the connection ID.  Then the access log could be parsed to find the IP address of the client.  Technically the conn ID could be added to the audit log, but changing the logging format is problematic as people are already parsing our logs and every time we change the format we get complaints.

Sorry I guess I still don't understand what is missing.  From my standpoint we already provide the Who, What, and When in the audit log (from the DS perspective).  Perhaps the specific info you want is not available in the LDAP server?

Mark

For others facing similar situations, I found filebeat does the track, it can combine multiple lines of logs to a single line before forwarding the logs, which is searchable. 

Thanks.

Kathy. 

On Wed, Jan 26, 2022 at 10:40 AM Rob Crittenden <rcritten@redhat.com> wrote:

Kathy Zhu via FreeIPA-users wrote:
> Thanks Mark and Florence for your replies! 
>
> I will check directory389 list to see if there is any useful information. 
>
> By turning on audit logging, we'd like to have a record of what was
> changed, when and by whom. For example, we should be able to answer when
> and who added the user XYZ.  Unfortunately, IPA's audit logging isn't
> great to serve that purpose, it provides information of what and when,
> not by whom (modifiersname field is useless).

The IPA audit log is the apache error log.

Adding a user you'll see something like:

[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323]
[remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session]
tuser@EXAMPLE.TEST: user_add/1('suser', givenname='some', sn='user',
version='2.245'): SUCCESS

So user tuser added user suser successfully today at 1:30pm.

rob
>
> For others facing similar situations, I found filebeat does the track,
> it can combine multiple lines of logs to a single line before forwarding
> the logs, which is searchable. 
>
> Thanks.
>
> Kathy. 

> 

On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <mareynol@redhat.com> wrote:

The audit log is essentially just a list of LDIF commands.  If you remove the "time" and "result" lines you can redirect the log straight to ldapmodify:

time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20220126161500Z
-

I'm not sure this log is worth "parsing" since it's just describing the exact changes made to the server, and I'm not sure there are that many any useful "stats" that could be gained by parsing it.  What exactly are you hoping to get out of it?

Mark

On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

Hi,

You should try with 389-users@lists.fedoraproject.org, other users may have found a solution to your problem.

flo

On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <kzhu@nuro.ai> wrote:

Yes, correct, Florence. 

BTW, Florence, I'd like to take this opportunity to let you know that I benefit from your blog, especially the one about certificates. 

Thanks!

Kathy. 

On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud <flo@redhat.com> wrote:

Hi Kathy,

which log file are you referring to? 389-ds audit log in /var/log/dirsrv/slapd-xxx/audit?

flo

On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello list, 

I had FreeIPA audit log on. I feed audit logs to Graylog. Since there are multiple lines of logs for each event, I could not find a suitable extractor to parse the logs. Therefore, the logs are very hard to read. Could anyone in the list share how you process the logs if you are in a similar situation?

Thanks!

Kathy. 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- 
Directory Server Development Team

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- 
Directory Server Development Team

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- 
Directory Server Development Team