[Freeipa-devel] what about IPA operational logging?
Dmitri Pal
dpal at redhat.com
Fri Jun 12 18:28:53 UTC 2009
Hi,
In IPA we have kerberos logs, DS logs, web logs, CA logs etc.
They are all subsystem specific and disjoint. I think we need an IPA log
that will contain things like:
a) Object (meaning user, host, map, group, HBAC rule) was modified
(added/deleted/edited may be even viewed)
b) Certificate issued/revoked/refreshed
c) Entity authenticated
d) Password changed
e) Policy changed
f) Configuration changed
This is a much better feed than many low level logs. It can be
correlated with low level logs if needed but for system monitoring it is
best.
That means that we should start thinking about logging into one log from
all those components.
The ultimate goal will be to emit the ELAPI events and forward them
directly to the audit subsystem.
This is not for v2 but let us keep this in mind for v3.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list