[Freeipa-devel] Suggestion for the A part of IPA

Adam Young ayoung at redhat.com
Tue Apr 28 18:07:49 UTC 2015


On 04/28/2015 11:58 AM, Innes, Duncan wrote:
> Folks,
> The A part of IPA has always been of great interest to me.  Our 
> current IPA infrastructure works well at the I & P parts, giving us 
> great failover abilities and connectivity through hardware firewalls 
> without punching too many holes.
> Whilst the A part may not be solely about centralised logging, it's 
> the thing I've been looking into recently.  To do this I've built a 
> setup around the ELK stack using a pair of Logstash servers and an 
> ElasticSearch cluster of 5 servers (overkill on the ES side perhaps, 
> but this is proof of concept still).  To expand on this, I've been 
> looking at running the Logstash service on each of our IPA servers as 
> that gives us a failover pair in each part of our network.  The 
> Logstash servers then connect to the ES cluster as non-data nodes. 
> Each client has an rsyslog7 (still using RHEL6 at the moment) config 
> that sends the logs in JSON format with some extra bespoke 
> fields added (such as Project, Environment, and Use to help us search 
> better).  The sending is done in rsyslog's rather clunky failover 
> method to the local pair of Logstash servers (with a third failover 
> being to /dev/null).
I think I am in alignment with what you are saying.

I like rsyslogd as the basic "ship the log off the server" tool. Let's 
use what the platform supports natively first and foremost; we want 
something native, not Ruby, not even Python if we can avoid it, for the 
normal case.  Bumping up to logstash for more complex host-side rules 
might be fine.  Remember, the host side of integration with FreeIPA is 
sssd.

Logstash can be the server side of the audit collection as well, and 
then it puts fewer demands on the server.

We need to ensure that the audit data can be sent over a GSSAPI 
protected pathway.


On the IPA side, I would think we would register the audit server as a 
host, and have specific service entries for the protocols supported.


Would you see IPA owning the audit server, or just integrating in with 
an existing one?

I don't think the IPA server itself should be the ELK server for obvious 
reasons. I would love to see the ELK server supported along the lines of 
how we do a replica setup.



> It struck me that this kind of setup might not be too far removed from 
> some of the A part of IPA.
> I'm not good at ASCII flowchart diagrams, so will leave it there for 
> now.  The main point of this - does any of this idea sound reasonable 
> to add in to FreeIPA?  To me it sounds like a good fit for getting 
> (some) logging data back to a central point.
> The Logstash indexers currently have a very low load (perhaps due to 
> the incoming data already being JSON) and small memory footprint.  
> They run without issue on our IPA servers.  The ES nodes are different 
> and I won't pretend to be any sort of expert in what they do.  They 
> load up a bit when I shut 1 of them down, but that's the rebalancing 
> happening.
> Apologies if this is off topic, or wide of the mark.
> Cheers
> Duncan Innes
>

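For readers who want to see what the client-side setup described in the quoted message looks like in practice, here is a sketch of an rsyslog 7 (RainerScript) configuration that emits JSON with the extra Project/Environment/Use fields and fails over from the first local Logstash server to the second and finally to /dev/null. This is an added example written for this page, not Duncan's actual configuration or anything shipped by FreeIPA; the hostnames logstash-a/logstash-b.example.com, port 5514, the template name and the field values are assumptions.

```rsyslog
# /etc/rsyslog.d/50-ship-to-logstash.conf
# Constructed example, not the poster's real config. Hostnames, port and
# the project/environment/use values below are placeholders.

# Render each message as one JSON object per line. The "msg" property is
# JSON-escaped so quotes or backslashes in log text cannot break the record.
template(name="json-with-site-fields" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")   property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")      property(name="hostname")
    constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
    constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
    constant(value="\",\"program\":\"")   property(name="programname")
    constant(value="\",\"message\":\"")   property(name="msg" format="json")
    # Bespoke site fields added on the client so they can be searched on later.
    constant(value="\",\"project\":\"example-project\"")
    constant(value=",\"environment\":\"prod\"")
    constant(value=",\"use\":\"ipa-client\"}\n")
}

# Primary: first Logstash server of the local pair. With the default retry
# count the action suspends as soon as the TCP connection fails, which is
# what lets the next action take over.
action(type="omfwd" target="logstash-a.example.com" port="5514" protocol="tcp"
       template="json-with-site-fields"
       action.resumeInterval="30")

# Secondary: only runs while the primary is suspended.
action(type="omfwd" target="logstash-b.example.com" port="5514" protocol="tcp"
       template="json-with-site-fields"
       action.execOnlyWhenPreviousIsSuspended="on")

# Last resort, as in the quoted setup: discard. Only runs while the
# secondary is also suspended.
action(type="omfile" file="/dev/null"
       action.execOnlyWhenPreviousIsSuspended="on")
```

Two points worth noting from a defender's side. The final /dev/null action means that while both Logstash servers are unreachable, audit-relevant events are silently dropped on the client; a disk-assisted queue on the primary action (or a local spool file instead of /dev/null) keeps them until the collectors come back. And omfwd over plain TCP neither authenticates the client nor protects the records in transit, which is exactly the gap behind Adam's point above that the audit path should run over a GSSAPI-protected channel.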