Hi FreeIPA dudes,
What is the status of audit in IPA? Specifically, is there an easy way to determine what the group membership of a particular group was at a particular point in time, say last October? I noticed there is an audit log file (disabled by default), but that is going to be a not-so-easy way to try to re-construct group membership at a point in time in the past. I was hoping to just navigate to a "history" tab on the GUI, but no such luck. Is this on anyone's todo list? I also noticed a "Centralized Logging" webpage that suggests setting up an ELK stack, but that doesn't quite provide snapshots of group membership.
What about the ability to subscribe to changes (as opposed to poll them)? I suppose the replication features could be used somehow, but those are also polling based? Would be nice to configure simple callbacks (perhaps HTTP post) when things change. I believe this is called a webhook. Any support for this kind of notification system?
Thanks,
Ryan
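Replaying the audit log mentioned in the question to recover a group's membership at a past date, as an added example that is not part of the thread or FreeIPA's own code. It assumes the log holds LDIF-style change records (a `time:` line, `dn:`, `changetype:`, then `add`/`delete`/`replace` blocks); the group, users and log text are constructed, and `membership_at` is a hypothetical helper.

```python
from datetime import datetime

GROUP = "cn=hpc-admins,cn=groups,cn=accounts,dc=example,dc=test"  # hypothetical
# Constructed sample; assumed layout is blank-line separated LDIF change records.
SAMPLE_AUDIT_LOG = f"""\
time: 20190912101500
dn: {GROUP}
changetype: modify
add: member
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
member: uid=bob,cn=users,cn=accounts,dc=example,
 dc=test
-

time: 20191105083000
dn: {GROUP}
changetype: modify
delete: member
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test
-
"""

def membership_at(log_text, group_dn, when, baseline=()):
    """Replay member changes logged for group_dn up to `when` (naive datetime)."""
    members = {m.lower() for m in baseline}  # known state before the log starts
    records = []
    for block in log_text.replace("\n ", "").split("\n\n"):  # unfold, then split
        head, mods = {}, []
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key in ("add", "delete", "replace"):
                mods.append((key, value.lower(), []))
            elif key in ("time", "dn", "changetype"):
                head[key] = value.strip().lower()
                if key == "changetype" and head[key] in ("add", "delete"):
                    mods.append(("replace", "member", []))  # entry created/removed: reset
            elif mods and key.lower() == mods[-1][1]:
                mods[-1][2].append(value.lower())  # base64 "attr::" lines are skipped
        if "time" in head and head.get("dn") == group_dn.lower():
            records.append((datetime.strptime(head["time"], "%Y%m%d%H%M%S"), mods))
    for _, mods in sorted((r for r in records if r[0] <= when), key=lambda r: r[0]):
        for op, _, values in (m for m in mods if m[1] == "member"):
            if op == "add":
                members |= set(values)
            elif op == "replace" or not values:  # replace, or delete of all values
                members = set(values)
            else:
                members -= set(values)
    return members
```

Because the audit log is disabled by default, the replay is only as complete as the log: pass the membership known when logging was enabled as `baseline`.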
Just a note from a fellow user ...
Changes made through the API are logged via Apache's ErrorLog directive; I've been using this to some degree of success to answer 3rd party audit queries. However, it does miss things like "which groups was this user a member of when they were deleted" though ... The facilities you are asking about sound excellent, Ryan!
Regards Angus
From: Ryan Slominski via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: 15 January 2020 20:28
To: freeipa-users@lists.fedorahosted.org freeipa-users@lists.fedorahosted.org
Cc: Ryan Slominski ryans@jlab.org
Subject: [Freeipa-users] Where is the "Audit" in IPA?
Most of our IPA activity occurs through a local web application. It logs all IPA commands that it issues. This includes creating users, managing groups, etc. I will say that this log has proven really useful. However, it doesn't capture IPA commands issued directly. It would be really great for the IPA server to log commands in some format that's fairly easy to make sense of.