Thanks both Rob and Mark for your replies! Take user creation as an
example:
in /var/log/httpd/error_log:
via GUI - what, when and who
via CLI - what, when and admin (since admin privilege is needed)
in /var/log/dirsrv/slapd-EXAMPLE-COM/audit:
via GUI - what, when and who (dn of creatorsName and modifiersName)
via CLI - what, when and admin (dn of creatorsName and modifiersName)
The above example shows that if the user is created via the GUI, the audit
information is good. If via the CLI, "who" is admin instead.
Inside the audit log, the values of modifiersname are "Directory Manager",
admin, "krbprincipalname=ldap/..." and so on, while I am looking for a
particular user.
In the /var/log/dirsrv/slapd-EXAMPLE-COM/access log there is a "conn" number
associated with each line. I'd love to get instructions on how to enable the
"conn" number in the audit log; I can use it to find out "from where". Could you
help please?
Thanks.
Kathy.
On Wed, Jan 26, 2022 at 12:10 PM Mark Reynolds <mareynol(a)redhat.com> wrote:
On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote:
Thanks Mark and Florence for your replies!
I will check directory389 list to see if there is any useful information.
By turning on audit logging, we'd like to have a record of what was
changed, when and by whom. For example, we should be able to answer when
and who added the user XYZ. Unfortunately, IPA's audit logging isn't great
to serve that purpose, it provides information of what and when, not by
whom (modifiersname field is useless).
Why is modifiersname useless? It would be the Bind DN that performed the
operation -> the "Who". The LDAP server only knows of "who" by its LDAP
DN and there is no other value it could use. The "What" is the "dn", and
the "When" is the "time" stamp in the audit log entry.
For the "Where", you would need to know the connection ID. Then the
access log could be parsed to find the IP address of the client.
Technically the conn ID could be added to the audit log, but changing the
logging format is problematic as people are already parsing our logs and
every time we change the format we get complaints.
Sorry, I guess I still don't understand what is missing. From my
standpoint we already provide the Who, What, and When in the audit log
(from the DS perspective). Perhaps the specific info you want is not
available in the LDAP server?
Mark
For others facing similar situations, I found filebeat does the trick, it
can combine multiple lines of logs to a single line before forwarding the
logs, which is searchable.
Thanks.
Kathy.
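For the "where" that Mark says needs the conn ID, here is an added example (not code from the thread or from 389-ds) that does the correlation by hand: it indexes a constructed access-log excerpt by connection, then matches an audit record's dn, changetype and time against the access log's ADD/MOD/DEL lines and returns the conn number, the client IP from that connection's "connection from" line and the bound DN. It assumes the usual access-log line shapes (connection from, BIND, RESULT, ADD) and that the audit log's time: value is server-local with no offset, as in Mark's example (11:15 local, 16:15Z).

```python
# Added example: recover "from where" for a 389-ds audit record by matching it
# against the access log, which (unlike the audit log) carries the conn number,
# the client IP and the bound identity. Access-log line shapes are the usual
# ones; all data below is constructed.
import re
from datetime import datetime, timedelta

# conn=1234: GSSAPI bind as tuser, successful ADD of suser.
# conn=1300: simple bind as Directory Manager, ADD of the same dn fails (err=68).
ACCESS_LOG = """\
[26/Jan/2022:11:14:59.100000000 -0500] conn=1234 fd=64 slot=64 connection from 192.168.166.203 to 192.168.166.10
[26/Jan/2022:11:14:59.200000000 -0500] conn=1234 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Jan/2022:11:14:59.300000000 -0500] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100 optime=0.000900 etime=0.001000 dn="uid=tuser,cn=users,cn=accounts,dc=example,dc=test"
[26/Jan/2022:11:15:00.400000000 -0500] conn=1234 op=1 ADD dn="uid=suser,cn=users,cn=accounts,dc=example,dc=test"
[26/Jan/2022:11:15:00.500000000 -0500] conn=1234 op=1 RESULT err=0 tag=105 nentries=0 wtime=0.000100 optime=0.002000 etime=0.002100
[26/Jan/2022:11:15:01.000000000 -0500] conn=1234 op=2 UNBIND
[26/Jan/2022:11:15:01.100000000 -0500] conn=1234 op=2 fd=64 closed - U1
[26/Jan/2022:11:20:00.000000000 -0500] conn=1300 fd=65 slot=65 connection from 10.0.0.5 to 192.168.166.10
[26/Jan/2022:11:20:00.100000000 -0500] conn=1300 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[26/Jan/2022:11:20:00.200000000 -0500] conn=1300 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
[26/Jan/2022:11:20:00.300000000 -0500] conn=1300 op=1 ADD dn="uid=suser,cn=users,cn=accounts,dc=example,dc=test"
[26/Jan/2022:11:20:00.400000000 -0500] conn=1300 op=1 RESULT err=68 tag=105 nentries=0 wtime=0.000100 optime=0.000200 etime=0.000300
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_FROM_RE = re.compile(r"connection from (?P<ip>\S+) to ")
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)"')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+)(?:.* dn="(?P<dn>[^"]*)")?')
CHANGETYPE_TO_OP = {"add": "ADD", "modify": "MOD", "delete": "DEL", "modrdn": "MODRDN"}


def parse_access_ts(ts):
    """'26/Jan/2022:11:14:59.100000000 -0500' -> naive local datetime.
    The offset is dropped because the audit log's 'time:' is server-local with
    no offset (Mark's example: 11:15 local vs 16:15Z), so both sides are compared
    in local time; strptime's %f also takes at most six fractional digits."""
    main, _, tail = ts.partition(".")
    return datetime.strptime(f"{main}.{tail.split(' ')[0][:6]}", "%d/%b/%Y:%H:%M:%S.%f")


def parse_audit_ts(ts):
    """'20220126111500' (the audit log's time: value) -> naive datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S")


def index_access_log(text):
    """Per connection: client IP, bound DN, and write operations keyed by op number."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = parse_access_ts(m["ts"]), m["rest"]
        c = conns.setdefault(int(m["conn"]), {"ip": None, "bind_dn": None, "ops": {}})
        if mm := CONN_FROM_RE.search(rest):
            c["ip"] = mm["ip"]
        elif mm := BIND_RE.match(rest):
            if mm["dn"]:                       # simple bind: the DN is on the BIND line
                c["bind_dn"] = mm["dn"]
        elif mm := OP_RE.match(rest):
            c["ops"][int(mm["op"])] = {"ts": ts, "kind": mm["kind"], "dn": mm["dn"], "err": None}
        elif mm := RESULT_RE.match(rest):
            if mm["dn"]:                       # SASL/GSSAPI bind: the DN shows on the RESULT line
                c["bind_dn"] = mm["dn"]
            op = c["ops"].get(int(mm["op"]))
            if op is not None:
                op["err"] = int(mm["err"])
    return conns


def find_origin(conns, dn, changetype, audit_time, modifiersname=None, window=timedelta(seconds=2)):
    """Candidate connections for an audit record: same target dn and operation
    type within `window` of the audit time, and the same bound DN if given."""
    kind = CHANGETYPE_TO_OP[changetype.lower()]
    hits = []
    for conn, c in sorted(conns.items()):
        if modifiersname and (c["bind_dn"] or "").lower() != modifiersname.lower():
            continue
        for op in c["ops"].values():
            if op["kind"] == kind and op["dn"].lower() == dn.lower() and abs(op["ts"] - audit_time) <= window:
                hits.append({"conn": conn, "ip": c["ip"], "bind_dn": c["bind_dn"], "err": op["err"]})
    return hits


if __name__ == "__main__":
    suser = "uid=suser,cn=users,cn=accounts,dc=example,dc=test"
    for hit in find_origin(index_access_log(ACCESS_LOG), suser, "add", parse_audit_ts("20220126111500")):
        print(hit)
```

Matching on dn and time is a heuristic: two connections can write the same dn inside the window (in the sample, conn 1300 retries the same ADD five minutes later and gets err=68), so the function returns every candidate and the bound-DN filter is what disambiguates. Keep the window tight and treat more than one hit as something to resolve by hand rather than silently taking the first. Note also that the access log shows the failed attempt, which the audit log (successful changes only) never will.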
On Wed, Jan 26, 2022 at 10:40 AM Rob Crittenden <rcritten(a)redhat.com>
wrote:
Kathy Zhu via FreeIPA-users wrote:
Thanks Mark and Florence for your replies!
I will check directory389 list to see if there is any useful information.
By turning on audit logging, we'd like to have a record of what was
changed, when and by whom. For example, we should be able to answer when
and who added the user XYZ. Unfortunately, IPA's audit logging isn't
great to serve that purpose, it provides information of what and when,
not by whom (modifiersname field is useless).
The IPA audit log is the apache error log.
Adding a user you'll see something like:
[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] [remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] tuser@EXAMPLE.TEST: user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS
So user tuser added user suser successfully today at 1:30pm.
rob
For others facing similar situations, I found filebeat does the trick,
it can combine multiple lines of logs to a single line before forwarding
the logs, which is searchable.
Thanks.
Kathy.
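Rob's error_log line already carries the field the DS audit log lacks: the client address in [remote ip:port]. As an added example (not code from the thread or from FreeIPA), here is a parser that turns such lines into who/what/when/where/outcome records and skips every other error_log line. The first sample line is Rob's with "@" restored (the list archive renders it as "(a)"); the other two are constructed, and the [jsonserver_kerb] tag and the DuplicateEntry outcome are my assumptions about what a Kerberos-authenticated CLI request and a failed command look like.

```python
# Added example: parse the IPA command records that the FreeIPA framework writes
# to httpd's error_log (who/what/when/where/outcome). Not code from FreeIPA.
# Sample lines: the first is Rob's (with "@" restored); the other two are
# constructed, and the [jsonserver_kerb] tag and DuplicateEntry outcome are
# assumptions about what a CLI request and a failed command look like.
import re
from datetime import datetime

SAMPLE_LINES = [
    "[Wed Jan 26 13:38:57.762988 2022] [wsgi:error] [pid 1475984:tid 1476323] "
    "[remote 192.168.166.203:46788] ipa: INFO: [jsonserver_session] tuser@EXAMPLE.TEST: "
    "user_add/1('suser', givenname='some', sn='user', version='2.245'): SUCCESS",
    "[Wed Jan 26 13:40:12.001234 2022] [wsgi:error] [pid 1475984:tid 1476323] "
    "[remote 10.0.0.5:51022] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: "
    "user_add/1('suser', givenname='some', sn='user', version='2.245'): DuplicateEntry",
    "[Wed Jan 26 13:41:00.000000 2022] [core:notice] [pid 1475980:tid 1475980] "
    "AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'",
]

IPA_CMD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"\[remote (?P<ip>[^\]]+):(?P<port>\d+)\] "       # greedy ip keeps IPv6 ("::1") intact
    r"ipa: (?P<level>[A-Z]+): \[(?P<server>[^\]]+)\] "
    r"(?P<principal>[^\s:]+): (?P<command>\w+)/(?P<version>\d+)\((?P<args>.*)\): (?P<result>\S+)$"
)
FIRST_ARG_RE = re.compile(r"^u?'([^']*)'")   # first positional argument, e.g. 'suser'


def parse_ipa_command_line(line):
    """Dict for an IPA command record; None for any other error_log line."""
    m = IPA_CMD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev.pop("ts"), "%a %b %d %H:%M:%S.%f %Y")
    ev["port"] = int(ev["port"])
    ev["success"] = ev["result"] == "SUCCESS"     # anything else is the exception name
    first = FIRST_ARG_RE.match(ev["args"])
    ev["target"] = first.group(1) if first else None
    return ev


def who_did_what(lines, command=None, target=None):
    """Command records, optionally filtered: who_did_what(lines, "user_add", "suser")
    answers "when, by whom and from where was user suser added"."""
    events = []
    for line in lines:
        ev = parse_ipa_command_line(line)
        if ev is None or (command and ev["command"] != command) or (target and ev["target"] != target):
            continue
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in who_did_what(SAMPLE_LINES, "user_add", "suser"):
        print(f"{ev['time']:%Y-%m-%d %H:%M:%S} {ev['principal']} {ev['command']}({ev['target']}) "
              f"from {ev['ip']} via {ev['server']}: {ev['result']}")
```

The principal here is the user who authenticated to the IPA API, whatever DN the framework then used to bind to LDAP (Kathy sees admin or a krbprincipalname=ldap/... DN in the DS audit log), and the [remote] address is the IPA client (browser or ipa CLI host), not the LDAP connection. Because error_log mixes these records with ordinary httpd and debug lines, the parser returns None for anything that does not match rather than guessing.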
On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <mareynol(a)redhat.com> wrote:
> The audit log is essentially just a list of LDIF commands. If you remove
> the "time" and "result" lines you can redirect the log straight
to
> ldapmodify:
>
>
> time: 20220126111500
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> result: 0
> changetype: modify
> replace: nsslapd-lookthroughlimit
> nsslapd-lookthroughlimit: 5001
> -
> replace: modifiersname
> modifiersname: cn=dm
> -
> replace: modifytimestamp
> modifytimestamp: 20220126161500Z
> -
>
>
> I'm not sure this log is worth "parsing" since it's just describing the
> exact changes made to the server, and I'm not sure there are that many
> useful "stats" that could be gained by parsing it. What exactly are you
> hoping to get out of it?
>
> Mark
> On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> Hi,
> You should try with 389-users(a)lists.fedoraproject.org
> <https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...>,
> other users may have found a solution to your problem.
> flo
>
> On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <kzhu(a)nuro.ai> wrote:
>
>> Yes, correct, Florence.
>>
>> BTW, Florence, I'd like to take this opportunity to let you know that I
>> benefit from your blog, especially the one about certificates.
>>
>> Thanks!
>>
>> Kathy.
>>
>> On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud <flo(a)redhat.com>
>> wrote:
>>
>>> Hi Kathy,
>>> which log file are you referring to? 389-ds audit log in
>>> /var/log/dirsrv/slapd-xxx/audit?
>>>
>>> flo
>>>
>>> On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users <
>>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>>
>>>> Hello list,
>>>>
>>>> I had FreeIPA audit log on. I feed audit logs to Graylog. Since there
>>>> are multiple lines of logs for each event, I could not find a suitable
>>>> extractor to parse the logs. Therefore, the logs are very hard to read.
>>>> Could anyone in the list share how you process the logs if you are in a
>>>> similar situation?
>>>>
>>>> Thanks!
>>>>
>>>> Kathy.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>> Fedora Code of Conduct:
>>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines:
>>>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>> Do not reply to spam on the list, report it:
>>>>
https://pagure.io/fedora-infrastructure
>>>>
>>>
>
> --
> Directory Server Development Team
>
>
--
Directory Server Development Team
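The multi-line audit format Mark showed is what Kathy's Graylog extractor could not handle. As an added example (not code from the thread or from 389-ds), here is a parser that turns each record into one JSON object per line, so a log shipper forwards one event per change. It unfolds LDIF continuation lines, decodes base64 (attr::) values, keeps the client's change separate from the operational attributes the server rewrites on every modify (modifiersname, modifytimestamp, as in Mark's example), and reports the bind DN found there as "who". The sample records are constructed; the version header line and the attribute-less shape of the delete record are my assumptions.

```python
# Added example: turn the multi-line 389-ds audit log into one JSON object per
# change. Not code from 389-ds; the header line, the attribute-less delete
# record and 'time:' being server-local are assumptions; data is constructed.
import base64
import json
import re
from datetime import datetime

# Server-maintained attributes: they carry "who"/"when" but are not the client's change.
OPERATIONAL = {"modifiersname", "modifytimestamp", "creatorsname", "createtimestamp", "entryusn"}

SAMPLE_AUDIT = """\
\t389-Directory/2.0.14 B2022.012.1234

time: 20220126133857
dn: uid=suser,cn=users,cn=accounts,dc=example,dc=test
result: 0
changetype: add
objectClass: top
objectClass: inetorgperson
uid: suser
givenName: some
description: created by onboarding
  script, batch 7
creatorsName: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
modifiersName: uid=tuser,cn=users,cn=accounts,dc=example,dc=test

time: 20220126134500
dn: uid=suser,cn=users,cn=accounts,dc=example,dc=test
result: 0
changetype: modify
replace: description
description:: dXNlciBmcm9tIEvDtmxu
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20220126135000
dn: uid=suser,cn=users,cn=accounts,dc=example,dc=test
result: 0
changetype: delete
"""


def unfold(lines):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_attr(line):
    """'attr: value' or 'attr:: base64' -> (attr lower-cased, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return name.strip().lower(), value.strip()


def parse_record(lines):
    ev = {"time": None, "dn": None, "result": None, "changetype": None, "who": None, "changes": []}
    body = []
    for line in lines:
        name, value = parse_attr(line) if line != "-" else (None, None)
        if name in ("time", "dn", "result", "changetype") and ev[name] is None:
            ev[name] = int(value) if name == "result" else value
        else:
            body.append(line)
    # 'time:' carries no offset and is server-local (Mark's example: 11:15 local, 16:15Z)
    ev["time"] = datetime.strptime(ev["time"], "%Y%m%d%H%M%S").isoformat()
    if ev["changetype"] == "modify":
        for block in re.split(r"^-$", "\n".join(body), flags=re.M):   # a lone "-" ends each mod
            block = block.strip().splitlines()
            if not block:
                continue
            op, attr = parse_attr(block[0])                 # e.g. ('replace', 'modifiersname')
            attr, values = attr.lower(), [parse_attr(v)[1] for v in block[1:]]
            if attr == "modifiersname" and values:
                ev["who"] = values[0]
            if attr not in OPERATIONAL:
                ev["changes"].append({"op": op, "attr": attr, "values": values})
    else:
        # add lists the whole entry, modrdn its newrdn/deleteoldrdn, delete nothing
        attrs = {}
        for line in body:
            name, value = parse_attr(line)
            attrs.setdefault(name, []).append(value)
        who = attrs.get("creatorsname") or attrs.get("modifiersname")
        ev["who"] = who[0] if who else None
        ev["changes"] = [{"op": ev["changetype"], "attr": n, "values": v}
                         for n, v in attrs.items() if n not in OPERATIONAL]
    return ev


def parse_audit_log(text):
    """One event per blank-line-separated record; the version header chunk is skipped."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = unfold(chunk.splitlines())
        if lines and lines[0].startswith("time:"):
            events.append(parse_record(lines))
    return events


def to_ndjson(events):
    """One JSON object per line: a single event per change for Graylog or filebeat."""
    return "".join(json.dumps(ev, sort_keys=True) + "\n" for ev in events)
```

A delete record in this shape names no modifier, so "who" comes back as None and the access log's DEL line is the only place left to look. If you keep shipping raw lines through filebeat instead, the record boundary this parser keys on (a blank line followed by a line starting with time:) is what the multiline merge has to recognise.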