2:32 a.m.
On ke, 29 elo 2018, Ludwig Krispenz via FreeIPA-users wrote:
On 08/29/2018 08:56 AM, Alexander Bokovoy via FreeIPA-users wrote:
>On ke, 29 elo 2018, Quan Zhou via FreeIPA-users wrote:
>>I have a similar question, should the audit logs be enabled on the
>>master
>>or replicas? If it's only enabled on replicas would the date be
>>consistent
>>with the actual date of change or just the "date" replication happens?
>Each IPA master/replica is standalone with regards to audit logging.
>There is no aggregation so if you need all details from everywhere, you
>should be configuring aggregation yourself.
since all changes are replicated in the end the audit logs on all
replicas should contain the same set of changes, but the order could
be different.
And there are some changes which are excluded from replication.
And you should be aware that the audit log contains the changes in the
order they are received and applied, but update resolution ensures
that the changes are effective in the order of their creation (tagged
by the csn).
Right. To add to that, httpd's error_log, krb5kdc.lo, kadmind.log
and
dogtag logs are not replicated and has to be aggregated manually. If you
want all IPA logs, some sort of a centralized log infrastructure would
be required.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland