[Freeipa-users] Centralized logging/audit - looking for use cases or experience

Martin Kosek mkosek at redhat.com
Mon Mar 30 15:36:29 UTC 2015


Hello list!

I have recently started investigating FreeIPA and centralized logging/audit,
capturing, processing and visualization of the logs centrally in an ELK
instance or similar.

This is a pretty loaded topic; audit/centralized log processing is a big task
beyond IPA itself, which is also one of the reasons why IPA does not have its
A part yet... Before I go further in the investigation, I wanted to check with
you - admins and users of FreeIPA - what would you expect, or what are your use
cases for the centralized logging/audit of FreeIPA?

So far, I had the following use cases in mind:

* As Admin or Auditor, I want to see all calls to FreeIPA API so that I can
audit administrative changes to FreeIPA servers (source - apache log)

* As Security Administrator, I want to see all logins in the network so that I
can track both successful attempts for audit, but also failed attempts for
brute-force attack detection (source - audit log)

* As Network Administrator, I want to see replication status of all my FreeIPA
replicas so that I can amend the issue in a timely manner and avoid using
out-of-sync data (source - dirsrv errors log)

* As Infrastructure Administrator, I want to see broken AD Trusts so that I can
restore the functionality (source - correlation between different logs,
especially SSSD server mode logs)

Does this make sense to you? Or do you have any more use cases for centralized
FreeIPA logging/audit in mind? Or do you even have some infrastructure in place
that you would like to share?

Any feedback is highly welcome! Thanks for your help.

-- 
Martin Kosek <mkosek at redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
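As an added example (not part of the message above and not FreeIPA code), here is a small Python sketch of the brute-force detection named in the second use case: failed logins are counted per source address inside a sliding time window. The log lines are constructed in a simplified syslog-like shape, not FreeIPA's actual audit log format, so the regex would need adapting to real input.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a simplified shape (NOT FreeIPA's real audit format):
# "<timestamp> <host> auth: result=<success|fail> user=<principal> src=<ip>"
# 198.51.100.7: five failures in six seconds (fast guessing).
# 192.0.2.10: five failures spread over ~20 minutes (low and slow).
SAMPLE_LOG = """\
2015-03-30T15:36:01Z ipa1 auth: result=success user=alice@EXAMPLE.COM src=192.0.2.10
2015-03-30T15:36:05Z ipa1 auth: result=fail user=bob@EXAMPLE.COM src=198.51.100.7
2015-03-30T15:36:06Z ipa1 auth: result=fail user=carol@EXAMPLE.COM src=198.51.100.7
2015-03-30T15:36:08Z ipa1 auth: result=fail user=dave@EXAMPLE.COM src=198.51.100.7
2015-03-30T15:36:09Z ipa1 auth: result=fail user=erin@EXAMPLE.COM src=198.51.100.7
2015-03-30T15:36:11Z ipa1 auth: result=fail user=frank@EXAMPLE.COM src=198.51.100.7
2015-03-30T15:36:40Z ipa2 auth: result=fail user=alice@EXAMPLE.COM src=192.0.2.10
2015-03-30T15:41:50Z ipa2 auth: result=fail user=alice@EXAMPLE.COM src=192.0.2.10
2015-03-30T15:47:00Z ipa2 auth: result=fail user=alice@EXAMPLE.COM src=192.0.2.10
2015-03-30T15:52:10Z ipa2 auth: result=fail user=alice@EXAMPLE.COM src=192.0.2.10
2015-03-30T15:57:20Z ipa2 auth: result=fail user=alice@EXAMPLE.COM src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>success|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: ISO time of first alert} for sources that reach
    `threshold` failed logins within any `window_seconds` span.
    Lines must be in chronological order (as a central collector would emit)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "fail":
            continue                # unparseable lines and successes are not counted
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # expire failures older than the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"].isoformat()
    return alerts
```

With the default one-minute window only the fast source is flagged; the low-and-slow source from 192.0.2.10 is caught only when the window is widened (e.g. `window_seconds=1800`), which is the usual trade-off between alert latency and false negatives.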