[Freeipa-devel] what about IPA operational logging?
Rob Crittenden
rcritten at redhat.com
Mon Jun 15 18:56:56 UTC 2009
Dmitri Pal wrote:
> Hi,
>
> In IPA we have kerberos logs, DS logs, web logs, CA logs etc.
> They are all subsystem specific and disjoint. I think we need an IPA log
> that will contain things like:
>
> a) Object (meaning user, host, map, group, HBAC rule) was modified
> (added/deleted/edited, maybe even viewed)
> b) Certificate issued/revoked/refreshed
> c) Entity authenticated
> d) Password changed
> e) Policy changed
> f) Configuration changed
>
> This is a much better feed than many low level logs. It can be
> correlated with low level logs if needed but for system monitoring it is
> best.
>
> That means that we should start thinking about logging into one log from
> all those components.
> The ultimate goal will be to emit the ELAPI events and forward them
> directly to the audit subsystem.
> This is not for v2 but let us keep this in mind for v3.
>
The IPA server logs to the Apache server logs. We do some limited
reporting presently, mostly for debugging purposes, but it can tell you
what functions were called and with what arguments. We can customize
that for audit logging as needed.
rob