[Freeipa-devel] FreeIPA Logging (Not Auditing... <yet>)

JR Aquino JR.Aquino at citrix.com
Fri Jan 28 02:36:30 UTC 2011


I have been working with the project for a while now and it has dawned on me that the FreeIPA ipalib plugins don't really have a syslog library that they output with.

So far I've really just been troubleshooting and getting around with:
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/dirsrv/slapd-DOMAIN/access
/var/log/dirsrv/slapd-DOMAIN/error

This is useful, but it is verbose and doesn't quite capture the cli/webui interactions in 1 line.

[27/Jan/2011:17:46:59 -0800] conn=40 op=7 ADD dn="fqdn=test1.example.com,cn=computers,cn=accounts,dc=example,dc=com"
[27/Jan/2011:17:46:59 -0800] conn=40 op=7 RESULT err=0 tag=105 nentries=0 etime=0

Etc, etc, etc…

The cli does a good job of expressing itself to standard out when a command is successfully/unsuccessfully run.

I am wondering what the group thinks about the idea of a library that can be loaded either by the api or the plugin itself, to pass the relevant bits of data that end up going to standard out, into a format that would be sane to send to a syslog stream.

I'm thinking of something that shows: <time/date> authenticated_user plugin usage / modification

Something like:
kinit admin
ipa host-add test1.example.com

<std out>
-----------------------------------
Added host "test1.example.com"
-----------------------------------
  Host name: test1.example.com
  Principal name: host/test1.example.com@EXAMPLE.COM
  Managed by: test1.example.com

<syslog>
Jan 26 17:46:45 auth1.example.com FreeIPA: user=admin cmd=host-add hostname=test1.example.com principal=host/test1.example.com@EXAMPLE.COM managedby=test1.example.com

It feels like this should be fairly straightforward to address as a library at either the api level or at the plugin level. Python actually has a very competent syslog library <I helped to contribute the patch that brought tcp support>

What does everyone else think?

Am I thinking too simplistically? Is the output from standard out much more complex to lasso around? Is there a better approach to capturing the user input and interaction?

-JR
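
The one-line record proposed in the message above, sketched with Python's standard `logging.handlers.SysLogHandler`; this is an added example, not part of the original post and not FreeIPA code. The function names, the logger name and the escaping rules are assumptions; the escaping keeps a user-supplied value (such as a host name) from forging extra fields or a second log record.

```python
import logging
import logging.handlers
import socket


def clean(value):
    """Escape one value so it stays inside its own key=value slot."""
    out = []
    for ch in str(value):
        if ch in ('\\', '"'):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            # CR/LF and other control bytes could forge a second log record.
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    text = "".join(out)
    # Quote anything a key=value parser would split or misread.
    if text == "" or any(c in text for c in ' ="'):
        return '"%s"' % text
    return text


def format_line(user, cmd, fields):
    """Build the one-line record; keys are assumed to be set by the caller's code."""
    parts = ["user=" + clean(user), "cmd=" + clean(cmd)]
    parts += ["%s=%s" % (key, clean(val)) for key, val in fields.items()]
    return " ".join(parts)


def make_logger(address=("localhost", 514), socktype=socket.SOCK_DGRAM):
    """Attach a SysLogHandler; pass socket.SOCK_STREAM for TCP (connects at once)."""
    handler = logging.handlers.SysLogHandler(
        address=address,
        facility=logging.handlers.SysLogHandler.LOG_AUTH,
        socktype=socktype,
    )
    handler.setFormatter(logging.Formatter("FreeIPA: %(message)s"))
    logger = logging.getLogger("ipa.cmdlog.example")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    # Constructed sample values taken from the host-add example in the post.
    result = {"hostname": "test1.example.com",
              "principal": "host/test1.example.com@EXAMPLE.COM",
              "managedby": "test1.example.com"}
    make_logger().info(format_line("admin", "host-add", result))
```

The timestamp and the reporting host name in the sample syslog line are added by the syslog daemon, so the example only builds the part after `FreeIPA:`.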



