[Freeipa-devel] FreeIPA Logging (Not Auditing... <yet>)
JR Aquino
JR.Aquino at citrix.com
Fri Jan 28 02:36:30 UTC 2011
I have been working with the project for a while now and it has dawned on me that the FreeIPA ipalib plugins don't really have a syslog library that they output with.
So far I've really just been troubleshooting and getting around with:
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/dirsrv/slapd-DOMAIN/access
/var/log/dirsrv/slapd-DOMAIN/error
This is useful, but it is verbose and doesn't quite capture the cli/webui interactions in 1 line.
[27/Jan/2011:17:46:59 -0800] conn=40 op=7 ADD dn="fqdn=test1.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[27/Jan/2011:17:46:59 -0800] conn=40 op=7 RESULT err=0 tag=105 nentries=0 etime=0
Etc, etc, etc…
The cli does a good job of expressing itself to standard out when a command is successfully/unsuccessfully run.
I am wondering what the group thinks about the idea of a library that can be loaded either by the api or the plugin itself, to pass the relevant bits of data that end up going to standard out, into a format that would be sane to send to a syslog stream.
I'm thinking of something that shows: <time/date> authenticated_user plugin usage / modification
Something like:
kinit admin
ipa host-add test1.example.com
<std out>
-----------------------------------
Added host "test1.example.com"
-----------------------------------
Host name: test1.example.com
Principal name: host/test1.example.com at EXAMPLE.COM
Managed by: test1.example.com
<syslog>
Jan 26 17:46:45 auth1.example.com FreeIPA: user=admin cmd=host-add hostname=test1.example.com principal=host/test1.example.com at EXAMPLE.COM managedby=test1.example.com
It feels like this should be fairly straightforward to address as a library at either the api level or at the plugin level. Python actually has a very competent syslog library <I helped to contribute the patch that brought tcp support>
What does everyone else think?
Am I thinking too simplistically? Is the output from standard out much more complex to lasso around? Is there a better approach to capturing the user input and interaction?
-JR
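
A sketch of the one-line record proposed in the message above, as an added example (not code from the original post or from FreeIPA). The function names, the logger name, the UDP address and the syslog facility are assumptions; values are escaped so that a field containing a space, quote or newline cannot split one record into two.

```python
import logging
import logging.handlers

def escape_value(value):
    """Render one field value so the whole record stays on a single line."""
    text = str(value)
    # Decide on quoting before escaping: empty values, whitespace, '=' and
    # '"' would all break naive key=value tokenization downstream.
    needs_quotes = text == "" or any(c.isspace() or c in '="' for c in text)
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    text = text.replace("\n", "\\n").replace("\r", "\\r")
    # Remaining control characters become visible \xNN escapes.
    text = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)
    return '"%s"' % text if needs_quotes else text

def format_record(user, cmd, fields):
    """Build 'user=... cmd=... key=value ...' from ordered (key, value) pairs."""
    pairs = [("user", user), ("cmd", cmd)] + list(fields)
    return " ".join("%s=%s" % (key, escape_value(val)) for key, val in pairs)

def make_logger(address=("localhost", 514)):
    """Syslog logger over UDP; the address and facility are assumptions."""
    handler = logging.handlers.SysLogHandler(
        address=address,
        facility=logging.handlers.SysLogHandler.LOG_AUTHPRIV)
    # The "FreeIPA:" tag matches the sample line in the message above.
    handler.setFormatter(logging.Formatter("FreeIPA: %(message)s"))
    logger = logging.getLogger("ipa.audit")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger

if __name__ == "__main__":
    # Constructed sample: the host-add call from the message above.
    record = format_record("admin", "host-add", [
        ("hostname", "test1.example.com"),
        ("principal", "host/test1.example.com@EXAMPLE.COM"),
        ("managedby", "test1.example.com"),
    ])
    print(record)
    make_logger().info(record)
```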