[Freeipa-users] Central Logging For all FreeIPA components

Dmitri Pal dpal at redhat.com
Tue May 28 18:38:06 UTC 2013


On 05/27/2013 08:38 PM, Aly Khimji wrote:
> Hey Guys,
>

Hello Aly,

You are touching on the areas that are dear to our interests too.
Unfortunately we have not had time to do the research.
What you are asking about should be possible but has not been tried by
us, at least not that we are aware of.

Here are some thoughts:
1. It should be possible to configure rsyslog to process logs emitted by
other applications (389, Dogtag, MIT KDC, httpd etc.). You need to
research the documentation on how to do it, but Rainer (father of
rsyslog) assured that it is possible.
2. Issue (or use an existing) Kerberos principal for the GSS API to secure
rsyslog to rsyslog communication. I know of one deployment that planned
to do it but I do not know the results.
http://www.rsyslog.com/doc/gssapi.html
3. Use GSS proxy to do rsyslog to rsyslog communication so that the
tickets are acquired and renewed as needed.
I think to do this you need to install the gss-proxy package and add a couple
of env vars to the rsyslog systemd profile:

GSS_USE_PROXY=1
GSSPROXY_BEHAVIOR=REMOTE_FIRST

There is not much documentation about GSS proxy so do not hesitate to ask.
https://fedorahosted.org/gss-proxy/

(Honza, Gunther, please add any other pointers)

4. Use logstash with grok and elastic search at the end point to process
the logs and provide a nice correlation tool.

http://logstash.net/


5. Come back with your findings :-)


Thanks
Dmitri

> Quick question, is it possible to have all components of FreeIPA send
> logs to a central log source, or even better to the FreeIPA's local
> rsyslogd and then I will have rsyslogd send all logs to a central
> logging server?
>
> As per the link, each component logs to a separate location 
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html
>
> 16.1.3. Checking FreeIPA Server Logs
> FreeIPA unifies several different Linux services, so it relies on
> those services' native logs for tracking and debugging those
> services. The other services (Apache, 389 Directory Server, and Dogtag
> Certificate System) all have detailed logs and log levels. 
>
> Just wondering as it's for audit purposes and will be sent to a
> central logger/alerter.
>
> Thanks
>
> Aly


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

