I’ve thought about this a bit more. I think it would be useful if log entries showing
changes could be routed differently by syslog. The simplest would be to use a different
log level, e.g. NOTICE, where other things are INFO. Another approach would be to put a
specific tag in the entry, e.g. AUDIT.
On Jan 15, 2020, at 5:20 PM, Angus Clarke <post@angusclarke.com> wrote:
Yeah, to find what I'm looking for I keep a list of grep examples, as auditors
generally ask for the same things! I modify httpd.conf to send ErrorLog messages to syslog
and then use syslog to send those to a server with cheap storage to keep a long history.
Regards
Angus
________________________________
From: Charles Hedrick <hedrick@rutgers.edu>
Sent: 15 January 2020 22:54
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Ryan Slominski <ryans@jlab.org>; Angus Clarke <post@angusclarke.com>
Subject: Re: [Freeipa-users] Where is the "Audit" in IPA?
This looks pretty reasonable. Unfortunately it intermixed lots of info. The files grow
rapidly enough that it’s probably not practical to keep them for a long time. It might not
be hard to pull out just the things that make changes.
On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Just a note from a fellow user ...
Changes made through the API are logged via Apache's ErrorLog directive, I've been
using this to some degree of success to answer 3rd party audit queries. However it does
miss things like "which groups was this user a member of when they were deleted"
though ... The facilities you are asking about sound excellent Ryan!
Regards
Angus
________________________________
From: Ryan Slominski via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: 15 January 2020 20:28
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: Ryan Slominski <ryans@jlab.org>
Subject: [Freeipa-users] Where is the "Audit" in IPA?
Hi FreeIPA dudes,
What is the status of audit in IPA? Specifically, is there an easy way to determine what
the group membership of a particular group was at a particular point in time, say last
October? I noticed there is an audit log file (disabled by default), but that is going
to be a not-so-easy way to try to reconstruct group membership at a point in time in the
past. I was hoping to just navigate to a "history" tab on the GUI, but no such
luck. Is this on anyone's todo list? I also noticed a "Centralized
Logging" webpage that suggests setting up an ELK stack, but that doesn't quite
provide snapshots of group membership.
What about the ability to subscribe to changes (as opposed to poll them)? I suppose the
replication features could be used somehow, but those are also polling based? Would be
nice to configure simple callbacks (perhaps HTTP post) when things change. I believe this
is called a webhook. Any support for this kind of notification system?
Thanks,
Ryan
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...