Thanks Mark and Florence for your replies!
I will check directory389 list to see if there is any useful information.
By turning on audit logging, we'd like to have a record of what was
changed, when and by whom. For example, we should be able to answer when
and who added the user XYZ. Unfortunately, IPA's audit logging isn't great
to serve that purpose, it provides information of what and when, not by
whom (modifiersname field is useless).
For others facing similar situations, I found filebeat does the track, it
can combine multiple lines of logs to a single line before forwarding the
logs, which is searchable.
Thanks.
Kathy.
On Wed, Jan 26, 2022 at 8:21 AM Mark Reynolds <mareynol(a)redhat.com> wrote:
The audit log is essentially just a list of LDIF commands. If you
remove
the "time" and "result" lines you can redirect the log straight to
ldapmodify:
time: 20220126111500
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
result: 0
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: 5001
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20220126161500Z
-
I'm not sure this log is worth "parsing" since it's just describing
the
exact changes made to the server, and I'm not sure there are that many any
useful "stats" that could be gained by parsing it. What exactly are you
hoping to get out of it?
Mark
On 1/26/22 11:05 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
You should try with 389-users(a)lists.fedoraproject.org
<
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...;,
other users may have found a solution to your problem.
flo
On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu <kzhu(a)nuro.ai> wrote:
> Yes, correct, Florence.
>
> BTW, Florence, I'd like to take this opportunity to let you know that I
> benefit from your blog, especially the one about certificates.
>
> Thanks!
>
> Kathy.
>
> On Fri, Jan 21, 2022 at 1:17 AM Florence Blanc-Renaud <flo(a)redhat.com>
> wrote:
>
>> Hi Kathy,
>> which log file are you referring to? 389-ds audit log in
>> /var/log/dirsrv/slapd-xxx/audit?
>>
>> flo
>>
>> On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> Hello list,
>>>
>>> I had FreeIPA audit log on. I feed audit logs to Graylog. Since there
>>> are multiple lines of logs for each event, I could not find a suitable
>>> extractor to parse the logs. Therefore, the logs are very hard to read.
>>> Could anyone in the list share how you process the logs if you are in a
>>> similar situation?
>>>
>>> Thanks!
>>>
>>> Kathy.
>>>
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>> Do not reply to spam on the list, report it:
>>>
https://pagure.io/fedora-infrastructure
>>>
>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Directory Server Development Team