Centralized_Logging#
Motivation#
When a system grows to multiple hosts, managing the logs and accessing them can get complicated. Searching for a particular error across hundreds of log files on hundreds of servers is difficult without good tools. FreeIPA currently does not have documentation or even own tools how to set up the infrastructure and it is being solved separately by each FreeIPA user. This page summarizes the efforts and development of a Centralized Logging solution in/for FreeIPA that would close that gap.
FreeIPA is a security related project, usually a backbone of the infrastructure. Tracking, audit or analysis of the logs of the FreeIPA server behavior and related FreeIPA user behavior is useful as it allows detecting problems in time before they grow in even bigger problems (e.g., replication errors) or helps detecting attacks, misbehavior or simply configuration problems in the infrastructure and amending them.
FreeIPA logs#
FreeIPA server itself is not a monolithic application, but rather compound of selected open source projects creating a solution for identity management. This makes log collection, processing and aggregation a challenge as each project have own way and technology how to structure and produce logs. This applies both for FreeIPA server and it’s many services, but also for FreeIPA clients, where different information lies in different logs (SSSD log, audit log).
Use Cases#
Before designing a particular solution, basic use cases and intents of what logs will be used and how should be defined. Currently, following set of use cases is tracked:
As Admin or Auditor, I want to see all calls to FreeIPA API so that I can audit administrative changes to FreeIPA server (for instance: who added user “foo”? Who revoked a certificate and when?)
As Auditor, I want to see all logins attempts for meeting security requirements and forensic analysis
As Security Administrator, I want to visualize failed login attempts to brute-force attack
As Admin, I want to see replication status of all my FreeIPA replicas so that I can amend the issue in a timely manner to avoid replication conflicts or out-of-sync data (I want my login to work on all servers)
As Admin, I want to identify AD interoperability problems on FreeIPA server (example: SSSD on the FreeIPA server cannot talk to the Active Directory server and thus resolve groups)
As Admin, I want to see load of Kerberos and LDAP server to be able to compare the load on the FreeIPA servers (and for example identify badly configured DNS SRV records or clients always calling the same server), network problems (some servers may not be reachable by most clients and have thus very small load) or simply by some of the services not running.
Proposed Solution#
The centralized log collection problem has 2 basic parts:
Selecting and configuring the right centralized server that will collect, process, annotate and visualize the logs
Configuring the actual machines (FreeIPA servers or clients) to send the interesting logs to the centralized server and selecting proper and secure transport for the logs.
Centralized Logging Server#
Currently, the most used and advanced open source solutions are the centralized servers based on Elasticsearch for data storage and searches, rsyslog/logstash/fluentd for log reception and processing and Kibana for data display and dashboards (commonly referred to as REK, ELK servers based on the log receiving part).
Currently proposed solution chosen rsyslog
. The server is packaged
as Docker
image.
See the Docker Hub
Registry
or respective github
repo for
details how to download and run the preconfigured REK server.
Log Gathering and Transport#
To meet the defined use cases, at least following logs have to be gathered from the FreeIPA server:
/var/log/httpd/error_log
: FreeIPA API call logs (and Apache errors)/var/log/krb5kdc.log
: FreeIPA KDC utilization/var/log/dirsrv/slapd-$REALM/access
: Directory Server utilization/var/log/dirsrv/slapd-$REALM/errors
: Directory Server errors (including mentioned replication errors)/var/log/pki/pki-tomcat/ca/transactions
: FreeIPA PKI transactions/logs
/var/log/sssd/*.log
: SSSD logs (multiple, for all tracked logs)/var/log/audit/audit.log
: user login attempts/var/log/secure
: reasons why user login failed
Results#
Current the proof of concept project contains:
Aforementioned CentOS-7 based REK server for log collection (Docker image)
Set of preconfigured Kibana dashboards visualizing different logs in readable graphs. See the next subsection for details. (Kibana dashboards and searches)
Basic log message filtering rules for the
rsyslog
on the server, turning the log messages into structured logs that are searchable in Kibana (rsyslog rules)Script to configure rsyslog-based log transmission on the FreeIPA servers and clients (github page)
Dashboards#
User Logins: User login attempts and their results across FreeIPA domain, most-logged-to hosts
IPA Server Administration: Administrative API usage on the FreeIPA servers
IPA Server Utilization: Kerberos/LDAP protocol utilization across FreeIPA servers
IPA Server Health: Replication errors, server SSSD errors
SSSD: selected client SSSD errors (dashboard still in progress)
Demo of the Kibana Dashboards#
{{#ev:youtube|7YjA6z5nE0I|640|center}}
Other Resources#
Howto/Centralised Logging with Logstash/ElasticSearch/Kibana - user provided HowTo on configuring the ELK