<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/28/2015 11:58 AM, Innes, Duncan
wrote:<br>
</div>
<blockquote
cite="mid:56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<meta name="GENERATOR" content="MSHTML 8.00.6001.23580">
<div><span class="548214115-28042015"><font face="Arial" size="2">Folks,</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">The
A part of IPA has always been of great interest to me. Our
current IPA infrastructure works well at the I & P
parts, giving us great failover abilities and connectivity
through hardware firewalls without punching too many holes.</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">Whilst
the A part may not be solely about centralised logging, it's
the thing I've been looking into recently. To do this I've
built a setup around the ELK stack using a pair of Logstash
servers and an ElasticSearch cluster of 5 servers (overkill
on the ES side perhaps, but this is proof of concept
still). To expand on this, I've been looking at running the
Logstash serviceon each of our IPA servers as that gives us
a failover pair in each part of our network. The Logstash
servers then connect to the ES cluster as non-data nodes.
Each client has an rsyslog7 (still using RHEL6 at the
moment) config that writes sends the logs in JSON format
with some extra bespoke fields added (such as Project,
Environment, and Use to help us search better). The sending
is done in rsyslog's rather clunky failover method to the
local pair of Logstash servers (with a third failover being
to /dev/null).</font></span></div>
</blockquote>
I think I am in alignment with what you are saying. <br>
<br>
I like rsyslogd as the basic "ship the log off the server" tool.
Let's use what the platform support first natively and formost; We
want something native, not Ruby, not even Python if we can avoid it,
for the normal case. Bumping up to logstash for more complex
host-side rules might be fine. Remember, the Hosts side of
integration with FreeIPA is sssd.<br>
<br>
Logstash can be the server side of the audit collection as well, and
then it puts fewer demands on the server.<br>
<br>
We need to ensure that the audit data can be sent over a GSSAPI
protected pathway. <br>
<br>
<br>
On the IPA side, I would think we would register the audit server as
a host, and have specific service entires for the protocols
supported. <br>
<br>
<br>
Would you see IPA owning the audit server, or just integrating in
with an existing one?<br>
<br>
I don't think the IPA server itself should be the ELK server for
obvious reasons. I would love to see the ELK server supported along
the lines of how we do a replica setup. <br>
<br>
<br>
<br>
<blockquote
cite="mid:56343345B145C043AE990701E3D193950478E5A4@EXVS2.nrplc.localnet"
type="cite">
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">It
struck me that this kind of setup might not be too far
removed from some of the A part of IPA.</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">I'm
not good at ASCII flowchart diagrams, so will leave it there
for now. The main point of this - does any of this idea
sound reasonable to add in to FreeIPA? To me it sounds like
a good fit for getting (some) logging data back to a central
point.</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">The
Logstash indexers currently have a very low load (perhaps
due to the incoming data already being JSON) and small
memory footprint. They run without issue on our IPA
servers. The ES nodes are different and I won't pretent to
be any sort of expert in what they do. They load up a bit
when I shut 1 of them down, but that's the rebalancing
happening.</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">Apologies
if this is off topic, or wide of the mark.</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">Cheers</font></span></div>
<div><span class="548214115-28042015"></span> </div>
<div><span class="548214115-28042015"><font face="Arial" size="2">Duncan
Innes</font></span></div>
<br clear="all">
This message has been checked for viruses and spam by the Virgin
Money email scanning system powered by Messagelabs.<br>
<br>
This e-mail is intended to be confidential to the recipient. If
you receive a copy in error, please inform the sender and then
delete this message.<br>
<br>
Virgin Money plc - Registered in England and Wales (Company no.
6952311). Registered office - Jubilee House, Gosforth, Newcastle
upon Tyne NE3 4PL. Virgin Money plc is authorised by the
Prudential Regulation Authority and regulated by the Financial
Conduct Authority and the Prudential Regulation Authority.<br>
<br>
The following companies also trade as Virgin Money. They are both
authorised and regulated by the Financial Conduct Authority, are
registered in England and Wales and have their registered office
at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin
Money Personal Financial Service Limited (Company no. 3072766) and
Virgin Money Unit Trust Managers Limited (Company no. 3000482).<br>
<br>
For further details of Virgin Money group companies please visit
our website at virginmoney.com<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>