[Freeipa-users] Setting up IPA to log remotely

Innes, Duncan Duncan.Innes at virginmoney.com
Tue Jun 3 08:37:58 UTC 2014


I'm starting to log IPA to a central point too.  I'd hoped the A part of
IPA would have arrived, but other functionality has pushed it down the
priority list.  Would be good to see it arrive as something integrated
with systemd/journald with fully separated log fields instead of a
simple log text line.

For now, rsyslog does a decent job of sending the logs over the network
and I'm using logstash to parse logs and pop them into elasticsearch for
analysing via Kibana.  I've had most trouble with the rsyslog side of
things, but that's because I tried to get rsyslog to send in JSON format
rather than plain text.  Once I reined in my ambition, it proved to be
somewhat easier -

All I've added to RHEL6 client is a file /etc/rsyslog.d/logstash.conf
with contents:

*.* @logstash.example.com:5544

and (firewalls permitting) my logs end up at the logstash server for
parsing.

Duncan

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Brendan Kearney
> Sent: 03 June 2014 03:26
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Setting up IPA to log remotely
> 
> On Tue, 2014-06-03 at 00:42 +0000, Steven Jones wrote:
> > Hi,
> > 
> > I'll raise a request for this to be added then.
> > 
> > It's a bit of an enterprise requirement feature that is of use for us.
> > 
> > Not having much luck with rsyslog and application logs at the moment, good and accurate docs seem lacking for RHEL6.
> > 
> > regards
> > 
> > Steven
> > ________________________________________
> > From: Rob Crittenden <rcritten at redhat.com>
> > Sent: Tuesday, 3 June 2014 9:27 a.m.
> > To: Steven Jones
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Setting up IPA to log remotely
> > 
> > Steven Jones wrote:
> > > Is there a way to get IPA to send its logs remotely?
> > 
> > We intend to do something like this with audit, most likely using the
> > systemd journal, but it's a ways off.
> > 
> > For now you'd need to do it manually on a per-service basis. I'd 
> > suggest looking at rsyslogd. You should be able to at least get the 
> > Apache and 389-ds logs using that.
> > 
> > rob
> > 
> > 
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> check out http://www.rsyslog.com/doc/master/index.html for 
> good and accurate docs.  i am using fedora 16 and 20 with 
> RELP, forwarding syslog from everywhere to a central location, 
> and then dumping the logs into mysql.  phplogcon bolts on top 
> of it for a web view of all the logs.
> 
> on a sending source:
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $SystemLogRateLimitInterval 0
> $IMUXSockRateLimitInterval 0
> 
> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark  # provides --MARK-- message capability
> 
> # Provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 514
> 
> # Provides TCP syslog reception
> $ModLoad imtcp
> $InputTCPServerRun 514
> 
> # Provides RELP transmission
> $ModLoad omrelp
> *.* :omrelp:192.168.25.1:20514;RSYSLOG_ForwardFormat
> &~
> 
> on a receiving destination:
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $SystemLogRateLimitInterval 0
> $IMUXSockRateLimitInterval 0
> 
> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark  # provides --MARK-- message capability
> 
> # Provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 514
> 
> # Provides TCP syslog reception
> $ModLoad imtcp
> $InputTCPServerRun 514
> 
> # Provides RELP reception
> $ModLoad imrelp
> $InputRELPServerRun 20514
> 
> # Provides MySQL connectivity
> $ModLoad ommysql
> # MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
> $WorkDirectory /var/spool/rsyslog # default location for work (spool) files
> $ActionQueueType LinkedList # use asynchronous processing
> $ActionQueueFileName dbq    # set file name, also enables disk mode
> $ActionResumeRetryCount -1  # infinite retries on insert failure
> # for PostgreSQL replace :ommysql: by :ompgsql: below:
> *.*     :ommysql:server.domain.tld,Syslog,user,password
> 
> 
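Added example (not part of the original messages): a small Python check that reads legacy-format rsyslog rules like the ones quoted in this thread and reports, for each action, the transport in use (`@` is UDP, `@@` is TCP, `:omrelp:` is RELP), whether a disk-assisted queue was set up for it, and whether a database password sits in the file. The function name `audit` and the `SAMPLE` input are assumptions made for illustration; the sample is constructed from rules that appear above.

```python
import re

# Legacy-format rule "<selector> <action>", the syntax used in this thread.
RULE = re.compile(r"^(\S+)\s+(@@?\S+|:om\w+:\S+)$")
# @host:port is UDP, @@host:port is TCP; "(opts)" may follow the @ signs.
FWD = re.compile(r"^(@@?)(?:\([^)]*\))?(\[[^\]]+\]|[^:;]+)(?::(\d+))?")

# Constructed sample, assembled from rules quoted in the thread.
SAMPLE = """\
*.* @logstash.example.com:5544
*.* :omrelp:192.168.25.1:20514;RSYSLOG_ForwardFormat
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq    # set file name, also enables disk mode
*.*     :ommysql:server.domain.tld,Syslog,user,password
"""

def audit(conf_text):
    """Return one finding per forwarding or database action in conf_text."""
    findings, queued = [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line.lower().startswith("$actionqueuefilename"):
            queued = True                             # disk-assisted queue requested
            continue
        m, notes = RULE.match(line), []
        fwd = FWD.match(m.group(2)) if m else None
        if fwd:
            transport = "tcp" if fwd.group(1) == "@@" else "udp"
            target = f"{fwd.group(2)}:{fwd.group(3) or '514'}"
            notes.append("UDP: cleartext, lost messages are not detected"
                         if transport == "udp" else
                         "TCP: cleartext unless TLS stream-driver directives are set")
        elif m and m.group(2).startswith(":omrelp:"):
            transport, target = "relp", m.group(2)[8:].split(";", 1)[0]
        elif m and re.match(r":om(my|pg)sql:", m.group(2)):
            transport, fields = "db", m.group(2)[9:].split(";", 1)[0].split(",")
            target = fields[0]
            if len(fields) >= 4 and fields[3]:
                notes.append("database password stored in the config file")
        else:
            continue                                  # not an action this check covers
        if not queued:
            notes.append("no disk-assisted queue configured for this action")
        findings.append({"line": lineno, "transport": transport,
                         "target": target, "queued": queued, "notes": notes})
        queued = False    # legacy $ActionQueue* settings bind to the next action only
    return findings
```

Run `audit(open(path).read())` over each file in /etc/rsyslog.d/ and review any finding whose `notes` list is non-empty.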