├── Dockerfile ├── LICENSE ├── README.md ├── doc └── images │ ├── ipa-server-administration.png │ ├── ipa-server-health.png │ ├── ipa-server-utilization.png │ ├── sssd.png │ └── user-logins.png ├── elasticsearch ├── elasticsearch.repo ├── logging.yml └── logstash-template.json ├── kibana ├── config-base.json ├── config-dashboards.json ├── config-searches.json ├── config-visualizations.json └── kibana.sh ├── rsyslog ├── 00_normalize.conf ├── 10_elasticsearch.conf ├── rsyslog-copr.repo ├── rsyslog.conf ├── rules-audit.rb ├── rules-authpriv.rb ├── rules-httpderror.rb ├── rules-ipa-389-access.rb ├── rules-ipa-389-errors.rb ├── rules-krb5-kdc.rb └── rules-sssd.rb └── supervisor ├── elasticsearch.ini ├── firstrun.ini ├── firstrun.sh ├── kibana.ini ├── rsyslog.ini └── supervisord.conf /Dockerfile: --------------------------------------------------------------------------------
# Centralized-logging image: CentOS 7 base running rsyslog (ingest),
# Elasticsearch (storage) and Kibana (UI), all supervised by supervisord.
# Everything below runs as root at build time and the resulting services
# are started by the supervisord .ini files copied further down.
FROM centos:7
MAINTAINER "Peter Schiffer"

# Yum repository definitions must be in place before the first yum call.
# elasticsearch.repo sets gpgcheck=1 but points gpgkey= at a plain-http
# URL, so the signing key is imported explicitly over HTTPS below instead
# of being fetched by yum from that URL.
COPY rsyslog/rsyslog-copr.repo /etc/yum.repos.d/rsyslog-copr.repo
COPY elasticsearch/elasticsearch.repo /etc/yum.repos.d/elasticsearch.repo

# Import the Elasticsearch package-signing key over TLS before any package
# from that repository is installed; package signatures are then checked
# against this key.
RUN rpm --import https://packages.elasticsearch.org/GPG-KEY-elasticsearch

# Upgrade the base layer, enable EPEL (needed for supervisor), then install
# the service packages. tsflags=nodocs keeps documentation out of the image.
# The trailing date comment is presumably a cache-busting marker: editing it
# changes the RUN instruction and forces this layer to be rebuilt so that the
# upgrade actually pulls current packages.
RUN yum -y --setopt=tsflags=nodocs upgrade \
 && yum -y --setopt=tsflags=nodocs install epel-release \
 && yum -y --setopt=tsflags=nodocs install \
 tar \
 supervisor \
 rsyslog \
 rsyslog-mmnormalize \
 rsyslog-elasticsearch \
 java-1.8.0-openjdk-headless \
 elasticsearch \
 && yum -y clean all # Mon Jun 8 18:11:27 UTC 2015

# Kibana is not packaged in the repos above, so a pinned release tarball is
# downloaded over HTTPS and unpacked straight into /opt/kibana.
# NOTE(review): the archive is piped directly into tar and its integrity is
# not verified beyond the TLS connection (no checksum or signature check);
# a pinned checksum of the release would close that gap. `-L` follows
# redirects, so the final origin is whatever download.elastic.co redirects to.
RUN mkdir -p /opt/kibana \
 && curl -sSL https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz \
 | tar -xzC /opt/kibana --strip 1 \
 && chown -R root: /opt/kibana

# supervisord configuration: one .ini per supervised program plus a
# one-shot firstrun unit.
COPY supervisor/supervisord.conf /etc/supervisord.conf
COPY supervisor/rsyslog.ini /etc/supervisord.d/rsyslog.ini
COPY supervisor/elasticsearch.ini /etc/supervisord.d/elasticsearch.ini
COPY supervisor/kibana.ini /etc/supervisord.d/kibana.ini
COPY supervisor/firstrun.ini /etc/supervisord.d/firstrun.ini

# First-run script and the Kibana seed data it consumes (copied below into
# /root/.firstrun). Executable for the owner (root) only.
COPY supervisor/firstrun.sh /root/.firstrun/firstrun.sh
RUN chmod u+x /root/.firstrun/firstrun.sh

# rsyslog main config, the normalize/elasticsearch output drop-ins, and the
# liblognorm rulebases (*.rb) used to parse FreeIPA-related log sources.
COPY rsyslog/rsyslog.conf /etc/rsyslog.conf
COPY rsyslog/00_normalize.conf /etc/rsyslog.d/00_normalize.conf
COPY rsyslog/10_elasticsearch.conf /etc/rsyslog.d/10_elasticsearch.conf
COPY rsyslog/rules-audit.rb /etc/rsyslog.d/rules-audit.rb
COPY rsyslog/rules-httpderror.rb /etc/rsyslog.d/rules-httpderror.rb
COPY rsyslog/rules-krb5-kdc.rb /etc/rsyslog.d/rules-krb5-kdc.rb
COPY rsyslog/rules-ipa-389-access.rb /etc/rsyslog.d/rules-ipa-389-access.rb
COPY rsyslog/rules-ipa-389-errors.rb /etc/rsyslog.d/rules-ipa-389-errors.rb
COPY rsyslog/rules-sssd.rb /etc/rsyslog.d/rules-sssd.rb
COPY rsyslog/rules-authpriv.rb /etc/rsyslog.d/rules-authpriv.rb

# Elasticsearch logging and the index template applied to logstash-* indices.
COPY elasticsearch/logging.yml /etc/elasticsearch/logging.yml
COPY elasticsearch/logstash-template.json /etc/elasticsearch/templates/logstash.json

# Kibana saved objects (index pattern, searches, visualizations, dashboards)
# staged for firstrun.sh to load.
COPY kibana/config-base.json /root/.firstrun/kibana-config-base.json
COPY kibana/config-searches.json /root/.firstrun/kibana-config-searches.json
COPY kibana/config-visualizations.json /root/.firstrun/kibana-config-visualizations.json
COPY kibana/config-dashboards.json /root/.firstrun/kibana-config-dashboards.json

# Kibana launcher wrapper; unlike firstrun.sh this is made executable for all.
COPY kibana/kibana.sh /opt/kibana/bin/kibana.sh
RUN chmod +x /opt/kibana/bin/kibana.sh

# Index data lives in a volume so it survives container replacement.
VOLUME /var/lib/elasticsearch

# 514 TCP/UDP: syslog ingest handled by rsyslog. 5601: Kibana web UI.
# Elasticsearch's own HTTP port is not declared here. Nothing in this file
# adds authentication or transport encryption for either listener; whether
# rsyslog.conf does so for the syslog input must be checked there.
EXPOSE 514 514/udp 5601

# supervisord runs as PID 1 and starts the programs defined in the .ini
# files copied above.
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 
38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. 
The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 
102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # rsyslog-elasticsearch-kibana 2 | 3 | [Docker](https://www.docker.com/) image for centralized logging based on [CentOS 7](http://www.centos.org/) with [rsyslog](http://www.rsyslog.com/), [elasticsearch](https://www.elastic.co/products/elasticsearch) and [kibana](https://www.elastic.co/products/kibana). 4 | 5 | Contains several pre-configured dashboards for [freeIPA](http://www.freeipa.org/page/Main_Page) server - [User Logins](https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/master/doc/images/user-logins.png), [IPA Server Administration](https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/master/doc/images/ipa-server-administration.png), [IPA Server Health](https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/master/doc/images/ipa-server-health.png), [IPA Server Utilization](https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/master/doc/images/ipa-server-utilization.png) and [SSSD](https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/master/doc/images/sssd.png). Screencast is available on [youtube](https://youtu.be/7YjA6z5nE0I). For more information about this effort and how to configure FreeIPA servers and clients to send proper logs to this container, visit [this page](https://www.freeipa.org/page/Centralized_Logging). 
6 | 7 | To get this image, pull it from [docker hub](https://registry.hub.docker.com/u/pschiffe/rsyslog-elasticsearch-kibana/): 8 | 9 | ``` 10 | $ docker pull pschiffe/rsyslog-elasticsearch-kibana 11 | ``` 12 | 13 | Or, if you want to build this image yourself, clone the [github repo](https://github.com/pschiffe/rsyslog-elasticsearch-kibana) and, in the directory containing the Dockerfile, run: 14 | 15 | ``` 16 | $ docker build -t /rsyslog-elasticsearch-kibana . 17 | ``` 18 | 19 | To run the image, use: 20 | 21 | ``` 22 | $ docker run -d -p 514:514 -p 514:514/udp -p 5601:5601 -v /etc/localtime:/etc/localtime:ro pschiffe/rsyslog-elasticsearch-kibana 23 | ``` 24 | 25 | Rsyslog listens on the standard port 514 (both TCP and UDP) and kibana on TCP port 5601. To forward log messages from your system, configure rsyslog according to this [recipe](http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/), using the address of the running container. To test the running container from the host system, you can use: 26 | 27 | ``` 28 | $ logger -n localhost 'log message from host' 29 | ``` 30 | 31 | Kibana is available from the host system in a regular web browser at [http://localhost:5601](http://localhost:5601). Please note that it can take up to 10 seconds after start for the container to be ready. 32 | 33 | Elasticsearch stores its data in the [docker data volume](https://docs.docker.com/userguide/dockervolumes/) `/var/lib/elasticsearch`.
34 | 35 | -------------------------------------------------------------------------------- /doc/images/ipa-server-administration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/9c4508b745c262a3f9fb9a66cd9edf4f23b7dc64/doc/images/ipa-server-administration.png -------------------------------------------------------------------------------- /doc/images/ipa-server-health.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/9c4508b745c262a3f9fb9a66cd9edf4f23b7dc64/doc/images/ipa-server-health.png -------------------------------------------------------------------------------- /doc/images/ipa-server-utilization.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/9c4508b745c262a3f9fb9a66cd9edf4f23b7dc64/doc/images/ipa-server-utilization.png -------------------------------------------------------------------------------- /doc/images/sssd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/9c4508b745c262a3f9fb9a66cd9edf4f23b7dc64/doc/images/sssd.png -------------------------------------------------------------------------------- /doc/images/user-logins.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pschiffe/rsyslog-elasticsearch-kibana/9c4508b745c262a3f9fb9a66cd9edf4f23b7dc64/doc/images/user-logins.png -------------------------------------------------------------------------------- /elasticsearch/elasticsearch.repo: -------------------------------------------------------------------------------- 1 | [elasticsearch-1.7] 2 | name=Elasticsearch repository for 1.7.x packages 3 | 
baseurl=http://packages.elastic.co/elasticsearch/1.7/centos 4 | gpgcheck=1 5 | gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch 6 | enabled=1 7 | -------------------------------------------------------------------------------- /elasticsearch/logging.yml: -------------------------------------------------------------------------------- 1 | # you can override this using by setting a system property, for example -Des.logger.level=DEBUG 2 | es.logger.level: INFO 3 | rootLogger: ${es.logger.level}, console 4 | logger: 5 | # log action execution errors for easier debugging 6 | action: DEBUG 7 | # reduce the logging for aws, too much is logged under the default INFO 8 | com.amazonaws: WARN 9 | 10 | # gateway 11 | #gateway: DEBUG 12 | #index.gateway: DEBUG 13 | 14 | # peer shard recovery 15 | #indices.recovery: DEBUG 16 | 17 | # discovery 18 | #discovery: TRACE 19 | 20 | #index.search.slowlog: TRACE, index_search_slow_log_file 21 | #index.indexing.slowlog: TRACE, index_indexing_slow_log_file 22 | 23 | #additivity: 24 | # index.search.slowlog: false 25 | # index.indexing.slowlog: false 26 | 27 | appender: 28 | console: 29 | type: console 30 | layout: 31 | type: consolePattern 32 | conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n" 33 | 34 | # file: 35 | # type: dailyRollingFile 36 | # file: ${path.logs}/${cluster.name}.log 37 | # datePattern: "'.'yyyy-MM-dd" 38 | # layout: 39 | # type: pattern 40 | # conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n" 41 | 42 | # Use the following log4j-extras RollingFileAppender to enable gzip compression of log files. 
43 | # For more information see https://logging.apache.org/log4j/extras/apidocs/org/apache/log4j/rolling/RollingFileAppender.html 44 | #file: 45 | #type: extrasRollingFile 46 | #file: ${path.logs}/${cluster.name}.log 47 | #rollingPolicy: timeBased 48 | #rollingPolicy.FileNamePattern: ${path.logs}/${cluster.name}.log.%d{yyyy-MM-dd}.gz 49 | #layout: 50 | #type: pattern 51 | #conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n" 52 | 53 | # index_search_slow_log_file: 54 | # type: dailyRollingFile 55 | # file: ${path.logs}/${cluster.name}_index_search_slowlog.log 56 | # datePattern: "'.'yyyy-MM-dd" 57 | # layout: 58 | # type: pattern 59 | # conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n" 60 | 61 | # index_indexing_slow_log_file: 62 | # type: dailyRollingFile 63 | # file: ${path.logs}/${cluster.name}_index_indexing_slowlog.log 64 | # datePattern: "'.'yyyy-MM-dd" 65 | # layout: 66 | # type: pattern 67 | # conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n" 68 | 69 | -------------------------------------------------------------------------------- /elasticsearch/logstash-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "template":"logstash-*", 3 | "mappings":{ 4 | "_default_":{ 5 | "properties":{ 6 | "host":{ 7 | "type":"string", 8 | "index":"not_analyzed" 9 | }, 10 | "facility":{ 11 | "type":"string", 12 | "index":"not_analyzed" 13 | }, 14 | "severity":{ 15 | "type":"string", 16 | "index":"not_analyzed" 17 | }, 18 | "tag":{ 19 | "type":"string", 20 | "index":"not_analyzed" 21 | }, 22 | "unparsed-data":{ 23 | "type":"string", 24 | "index":"not_analyzed" 25 | }, 26 | "originalmsg":{ 27 | "type":"string", 28 | "index":"no" 29 | }, 30 | "status":{ 31 | "type":"string", 32 | "index":"not_analyzed" 33 | }, 34 | "principal":{ 35 | "type":"string", 36 | "index":"not_analyzed" 37 | }, 38 | "action":{ 39 | "type":"string", 40 | "index":"not_analyzed" 41 | }, 42 | "parameters":{ 43 | "type":"string", 44 | 
"index":"not_analyzed" 45 | }, 46 | "uid":{ 47 | "type":"integer", 48 | "index":"not_analyzed" 49 | }, 50 | "log-level":{ 51 | "type":"integer", 52 | "index":"not_analyzed" 53 | }, 54 | "status-code":{ 55 | "type":"integer", 56 | "index":"not_analyzed" 57 | }, 58 | "status-text":{ 59 | "type":"string", 60 | "index":"not_analyzed" 61 | }, 62 | "status_code":{ 63 | "type":"integer", 64 | "index":"not_analyzed" 65 | }, 66 | "status_text":{ 67 | "type":"string", 68 | "index":"not_analyzed" 69 | }, 70 | "service":{ 71 | "type":"string", 72 | "index":"not_analyzed" 73 | }, 74 | "username":{ 75 | "type":"string", 76 | "index":"not_analyzed" 77 | } 78 | } 79 | } 80 | } 81 | } 82 | 83 | -------------------------------------------------------------------------------- /kibana/config-base.json: -------------------------------------------------------------------------------- 1 | {"index":{"_index":".kibana","_type":"config","_id":"4.0.2"} 2 | {"buildNum":"6004","defaultIndex":"[logstash-]YYYY.MM.DD"} 3 | {"index":{"_index":".kibana","_type":"index-pattern","_id":"[logstash-]YYYY.MM.DD"} 4 | 
{"title":"[logstash-]YYYY.MM.DD","timeFieldName":"timestamp","intervalName":"days","customFormats":"{}","fields":"[{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"unparsed-data\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":false,\"analyzed\":false,\"doc_values\":false,\"name\":\"originalmsg\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"host\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":false,\"analyzed\":false,\"name\":\"_source\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"tag\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":false,\"analyzed\":false,\"name\":\"_index\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"severity\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"name\":\"_type\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"facility\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":false,\"analyzed\":false,\"name\":\"_id\",\"count\":0,\"scripted\":false},{\"type\":\"date\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"timestamp\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"name\":\"message\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"name\":\"msg\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"status\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"principal\",\"count\":0,\"scripted\":false},{\"type
\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"action\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"parameters\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":true,\"doc_values\":false,\"name\":\"event.tags\",\"count\":0,\"scripted\":false},{\"type\":\"number\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"uid\",\"count\":0,\"scripted\":false},{\"type\":\"number\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"log-level\",\"count\":0,\"scripted\":false},{\"type\":\"number\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"status-code\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"status-text\",\"count\":0,\"scripted\":false},{\"type\":\"number\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"status_code\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"status_text\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"service\",\"count\":0,\"scripted\":false},{\"type\":\"string\",\"indexed\":true,\"analyzed\":false,\"doc_values\":false,\"name\":\"username\",\"count\":0,\"scripted\":false}]"} 5 | 6 | -------------------------------------------------------------------------------- /kibana/config-dashboards.json: -------------------------------------------------------------------------------- 1 | {"index":{"_index":".kibana","_type":"dashboard","_id":"SSSD"} 2 | 
{"title":"SSSD","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"SSSD-Errors\",\"row\":4,\"size_x\":12,\"size_y\":4,\"type\":\"search\"},{\"col\":1,\"id\":\"SSSD-Domain-Errors-with-Client-Info\",\"row\":11,\"size_x\":12,\"size_y\":4,\"type\":\"search\"},{\"col\":1,\"id\":\"SSSD-Errors\",\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"SSSD-Domain-Errors-with-Client-Info\",\"type\":\"visualization\",\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":8}]","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}} 3 | {"index":{"_index":".kibana","_type":"dashboard","_id":"IPA-Server-Utilization"} 4 | {"title":"IPA Server Utilization","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"Kerberos-Utilization-per-Host\",\"row\":5,\"size_x\":12,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"LDAP-Utilization-per-Host\",\"row\":1,\"size_x\":12,\"size_y\":4,\"type\":\"visualization\"},{\"id\":\"Kerberos-Utilization\",\"type\":\"search\",\"size_x\":12,\"size_y\":5,\"col\":1,\"row\":9}]","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}} 5 | {"index":{"_index":".kibana","_type":"dashboard","_id":"User-Logins"} 6 | {"title":"User 
Logins","hits":0,"description":"","panelsJSON":"[{\"col\":10,\"id\":\"Success-slash-Failed-User-Logins-per-Host\",\"row\":1,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Success-slash-Failed-User-Logins\",\"row\":1,\"size_x\":9,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"User-Logins-per-Host\",\"row\":5,\"size_x\":9,\"size_y\":4,\"type\":\"visualization\"},{\"col\":10,\"id\":\"PAM-Errors\",\"row\":5,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"User-Logins\",\"row\":9,\"size_x\":12,\"size_y\":8,\"type\":\"search\"}]","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}} 7 | {"index":{"_index":".kibana","_type":"dashboard","_id":"IPA-Server-Administration"} 8 | {"title":"IPA Server Administration","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"IPA-Calls\",\"row\":4,\"size_x\":12,\"size_y\":8,\"type\":\"search\"},{\"col\":1,\"id\":\"IPA-Calls\",\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"}]","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}} 9 | {"index":{"_index":".kibana","_type":"dashboard","_id":"IPA-Server-Health"} 10 | {"title":"IPA Server Health","hits":0,"description":"","panelsJSON":"[{\"col\":1,\"id\":\"SSSD-Errors\",\"row\":4,\"size_x\":12,\"size_y\":5,\"type\":\"search\"},{\"col\":1,\"id\":\"IPA-Replication-Status\",\"row\":12,\"size_x\":12,\"size_y\":5,\"type\":\"search\"},{\"col\":1,\"id\":\"SSSD-Errors\",\"row\":1,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"IPA-Replication-Status\",\"type\":\"visualization\",\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":9}]","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"}} 11 | 12 | 
-------------------------------------------------------------------------------- /kibana/config-searches.json: -------------------------------------------------------------------------------- 1 | {"index":{"_index":".kibana","_type":"search","_id":"LDAP-Utilization"} 2 | {"title":"LDAP Utilization","description":"","hits":0,"columns":["message"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[null,{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"tag\",\"negate\":false,\"value\":\"ipa-389-access\"},\"query\":{\"match\":{\"tag\":{\"query\":\"ipa-389-access\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"value\":\"bind\",\"disabled\":false},\"query\":{\"match\":{\"event.tags\":{\"query\":\"bind\",\"type\":\"phrase\"}}}}]}"}} 3 | {"index":{"_index":".kibana","_type":"search","_id":"SSSD-Domain-Errors-with-Client-Info"} 4 | {"title":"SSSD Domain Errors with Client Info","description":"","hits":0,"columns":["host","action","msg"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[null,{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"negate\":false,\"value\":\"sssd\"},\"query\":{\"match\":{\"event.tags\":{\"query\":\"sssd\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"(tag:sssd-domain AND action:(ipa_s2n_exop_send OR ipa_s2n_get_user_done)) OR (tag:sssd-server-domain AND log-level:<=64)\",\"analyze_wildcard\":true}}}"}} 5 | {"index":{"_index":".kibana","_type":"search","_id":"IPA-Calls"} 6 | 
{"title":"IPA Calls","description":"","hits":0,"columns":["principal","host","action","status","parameters"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"action:(-*show AND -*find AND -batch AND -json_metadata AND -env AND -dns_is_enabled AND -i18n_messages)\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"negate\":false,\"value\":\"ipa-call\"},\"query\":{\"match\":{\"event.tags\":{\"query\":\"ipa-call\",\"type\":\"phrase\"}}}}]}"}} 7 | {"index":{"_index":".kibana","_type":"search","_id":"User-Logins"} 8 | {"title":"User Logins","description":"","hits":0,"columns":["host","username","status","message"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[null,{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"tag\",\"negate\":false,\"value\":\"audispd:\"},\"query\":{\"match\":{\"tag\":{\"query\":\"audispd:\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"action\",\"value\":\"USER_LOGIN\",\"disabled\":false},\"query\":{\"match\":{\"action\":{\"query\":\"USER_LOGIN\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}}}"}} 9 | {"index":{"_index":".kibana","_type":"search","_id":"IPA-Replication-Status"} 10 | {"title":"IPA Replication 
Status","description":"","hits":0,"columns":["host","message"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"tag\",\"value\":\"ipa-389-errors\",\"disabled\":false},\"query\":{\"match\":{\"tag\":{\"query\":\"ipa-389-errors\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"value\":\"NSMMReplicationPlugin\",\"disabled\":false},\"query\":{\"match\":{\"event.tags\":{\"query\":\"NSMMReplicationPlugin\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"value\":\"replication-status\",\"disabled\":false},\"query\":{\"match\":{\"event.tags\":{\"query\":\"replication-status\",\"type\":\"phrase\"}}}}]}"}} 11 | {"index":{"_index":".kibana","_type":"search","_id":"SSSD-Errors"} 12 | {"title":"SSSD Errors","description":"","hits":0,"columns":["host","action","msg"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"negate\":false,\"value\":\"sssd\"},\"query\":{\"match\":{\"event.tags\":{\"query\":\"sssd\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"log-level:<=64\",\"analyze_wildcard\":true}}}"}} 13 | {"index":{"_index":".kibana","_type":"search","_id":"PAM-Errors"} 14 | {"title":"PAM 
Errors","description":"","hits":0,"columns":["message"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"facility\",\"negate\":false,\"value\":\"authpriv\"},\"query\":{\"match\":{\"facility\":{\"query\":\"authpriv\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"value\":\"pam_sss\",\"disabled\":false},\"query\":{\"match\":{\"event.tags\":{\"query\":\"pam_sss\",\"type\":\"phrase\"}}}}],\"query\":{\"query_string\":{\"query\":\"event.tags:(account OR auth)\",\"analyze_wildcard\":true}}}"}} 15 | {"index":{"_index":".kibana","_type":"search","_id":"Kerberos-Utilization"} 16 | {"title":"Kerberos Utilization","description":"","hits":0,"columns":["host","message"],"sort":["timestamp","desc"],"version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"[logstash-]YYYY.MM.DD\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[{\"meta\":{\"disabled\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"tag\",\"negate\":false,\"value\":\"krb5-kdc\"},\"query\":{\"match\":{\"tag\":{\"query\":\"krb5-kdc\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"value\":\"as-req\",\"disabled\":false},\"query\":{\"match\":{\"event.tags\":{\"query\":\"as-req\",\"type\":\"phrase\"}}}},{\"meta\":{\"negate\":false,\"index\":\"[logstash-]YYYY.MM.DD\",\"key\":\"event.tags\",\"value\":\"issue\",\"disabled\":false},\"query\":{\"match\":{\"event.tags\":{\"query\":\"issue\",\"type\":\"phrase\"}}}}]}"}} 17 | 18 | 
-------------------------------------------------------------------------------- /kibana/config-visualizations.json: -------------------------------------------------------------------------------- 1 | {"index":{"_index":".kibana","_type":"visualization","_id":"Success-slash-Failed-User-Logins"} 2 | {"title":"Success / Failed User Logins","visState":"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"User-Logins","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 3 | {"index":{"_index":".kibana","_type":"visualization","_id":"User-Logins-per-Host"} 4 | {"title":"User Logins per Host","visState":"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"User-Logins","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 5 | {"index":{"_index":".kibana","_type":"visualization","_id":"IPA-Calls"} 6 | {"title":"IPA 
Calls","visState":"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"principal\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"IPA-Calls","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 7 | {"index":{"_index":".kibana","_type":"visualization","_id":"SSSD-Domain-Errors-with-Client-Info"} 8 | {"title":"SSSD Domain Errors with Client Info","visState":"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","description":"","savedSearchId":"SSSD-Domain-Errors-with-Client-Info","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 9 | {"index":{"_index":".kibana","_type":"visualization","_id":"LDAP-Utilization-per-Host"} 10 | {"title":"LDAP Utilization per 
Host","visState":"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"LDAP-Utilization","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 11 | {"index":{"_index":".kibana","_type":"visualization","_id":"PAM-Errors"} 12 | {"title":"PAM Errors","visState":"{\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"shareYAxis\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"status_text\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"PAM-Errors","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 13 | {"index":{"_index":".kibana","_type":"visualization","_id":"IPA-Replication-Status"} 14 | {"title":"IPA Replication 
Status","visState":"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"IPA-Replication-Status","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 15 | {"index":{"_index":".kibana","_type":"visualization","_id":"SSSD-Errors"} 16 | {"title":"SSSD Errors","visState":"{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}","description":"","savedSearchId":"SSSD-Errors","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 17 | {"index":{"_index":".kibana","_type":"visualization","_id":"Kerberos-Utilization-per-Host"} 18 | {"title":"Kerberos Utilization per 
Host","visState":"{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"Kerberos-Utilization","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 19 | {"index":{"_index":".kibana","_type":"visualization","_id":"Success-slash-Failed-User-Logins-per-Host"} 20 | {"title":"Success / Failed User Logins per Host","visState":"{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"username\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}","description":"","savedSearchId":"User-Logins","version":1,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"}} 21 | 22 | -------------------------------------------------------------------------------- /kibana/kibana.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # wait for elasticsearch and firstrun 4 | sleep 10 5 | 6 | exec /opt/kibana/bin/kibana 7 | 8 | -------------------------------------------------------------------------------- 
/rsyslog/00_normalize.conf: --------------------------------------------------------------------------------
# Route every incoming message to at most one liblognorm rulebase, selected by
# the syslog tag (or, as a last resort, by the authpriv facility).  The chain
# is an if/else-if, so a message is parsed by exactly one rulebase or by none.
# Nothing here calls "stop": parsed and unparsed messages alike continue to
# 10_elasticsearch.conf (included after this file by name order), which adds
# the generic properties and ships the result.  A message that matches no
# branch reaches Elasticsearch with only those generic properties; a message
# that reaches a rulebase but matches none of its rules gets liblognorm's
# "unparsed-data" / "originalmsg" fields instead of parsed ones (both are
# mapped in elasticsearch/logstash-template.json for that reason).
#
# NOTE(review): $syslogtag and $syslogfacility-text are taken from the message
# as received.  rsyslog.conf accepts plain UDP/TCP syslog on 514 from any
# sender, so anyone who can reach that port can pick the tag "audispd:" and
# have fabricated records parsed as audit events (e.g. forged USER_LOGIN lines
# feeding the User Logins dashboard).  Restrict who may send (network/firewall,
# $AllowedSender, or TLS/RELP) before treating these dashboards as an audit
# trail.
module(load="mmnormalize")

# auditd records forwarded by the audispd syslog plugin (tag keeps its colon)
if ($syslogtag == "audispd:") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-audit.rb")
# IPA API call trail from httpd's error log
} else if ($syslogtag == "httpderror") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-httpderror.rb")
# Kerberos KDC log
} else if ($syslogtag == "krb5-kdc") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-krb5-kdc.rb")
# 389-ds access and errors logs of the IPA directory server
} else if ($syslogtag == "ipa-389-access") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-ipa-389-access.rb")
} else if ($syslogtag == "ipa-389-errors") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-ipa-389-errors.rb")
# any sssd-* responder/backend tag shares one rulebase
} else if ($syslogtag startswith "sssd-") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-sssd.rb")
# everything else on the authpriv facility (pam_sss results; see rules-authpriv.rb)
} else if ($syslogfacility-text == "authpriv") then {
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/rules-authpriv.rb")
}

-------------------------------------------------------------------------------- /rsyslog/10_elasticsearch.conf: --------------------------------------------------------------------------------
module(load="omelasticsearch")

# format the index names as logstash-YYYY.MM.DD
#
# Slices the RFC3339 rendering of the "timestamp" property (YYYY-MM-DDT...)
# into year / month / day so the index name matches Kibana's
# [logstash-]YYYY.MM.DD pattern.  "timestamp" is the time *reported in the
# message* (rsyslog falls back to reception time only when the message has
# none), so a sender that forges its timestamp also picks the index its
# records are written to and can create arbitrary dated indices.
template(name="logstash-index" type="list") {
    constant(value="logstash-")
    property(name="timestamp" dateFormat="rfc3339" position.from="1" position.to="4")
    constant(value=".")
    property(name="timestamp" dateFormat="rfc3339" position.from="6" position.to="7")
    constant(value=".")
    property(name="timestamp" dateFormat="rfc3339" position.from="9" position.to="10")
}

# format the syslog messages as JSON for elasticsearch
#
# Emits {"timestamp":"...", <contents of $!all-json>}: $!all-json renders the
# whole $! tree as a JSON object, and position.from="2" drops its opening
# brace so the two pieces merge into a single document.
template(name="elasticsearch-json" type="list") {
    constant(value="{")
    property(name="timestamp" dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(name="$!all-json" position.from="2")
}

# add interesting properties from rsyslog to $!all-json
# (these sit next to whatever mmnormalize extracted in 00_normalize.conf;
# $!message is the raw message body, stored for every event)
set $!host = $hostname;
set $!facility = $syslogfacility-text;
set $!severity = $syslogseverity-text;
set $!tag = $syslogtag;
set $!message = $msg;

# send the logs to elasticsearch (localhost:9200 by default)
#
# No server=, uid= or TLS parameters are given: omelasticsearch talks plain
# HTTP to its default of localhost:9200, i.e. the Elasticsearch instance that
# runs inside this same container, without authentication.  Bulk mode batches
# up to dequeuebatchsize events per request; resumeretrycount="-1" retries
# forever, every resumeInterval seconds, while Elasticsearch is unavailable.
#
# NOTE(review): the action queue is memory-only ("linkedlist" with no
# queue.filename), so anything buffered during an Elasticsearch outage is lost
# if rsyslog or the container restarts.  For audit-grade retention consider a
# disk-assisted queue (queue.filename + queue.saveonshutdown).
action(type="omelasticsearch"
       template="elasticsearch-json"
       searchIndex="logstash-index"
       dynSearchIndex="on"
       bulkmode="on"
       queue.type="linkedlist"
       queue.size="5000"
       queue.dequeuebatchsize="300"
       action.resumeretrycount="-1"
       action.resumeInterval="5")

-------------------------------------------------------------------------------- /rsyslog/rsyslog-copr.repo: --------------------------------------------------------------------------------
# Third-party (COPR) builds of rsyslog, liblognorm and liblogging, permanently
# enabled in the image.  gpgcheck is on, but the signing key is downloaded at
# build time from the same COPR host as the packages, so trust in these
# packages reduces to TLS to copr-be.cloud.fedoraproject.org plus the repo
# owner's account; later "yum upgrade" runs in derived images keep pulling
# from here.
#
# NOTE(review): skip_if_unavailable=True turns a repo outage into a silent
# fall-back to whatever rsyslog/liblognorm the base and EPEL repos provide,
# i.e. a different build than the one these rulebases were written against.
# Consider shipping the key in the image (gpgkey=file:///etc/pki/rpm-gpg/...)
# and letting the build fail when the repo cannot be reached.
[jhrozek-rsyslog]
name=Copr repo for rsyslog owned by jhrozek
baseurl=https://copr-be.cloud.fedoraproject.org/results/jhrozek/rsyslog/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/jhrozek/rsyslog/pubkey.gpg
enabled=1

[jhrozek-liblognorm]
name=Copr repo for liblognorm owned by jhrozek
baseurl=https://copr-be.cloud.fedoraproject.org/results/jhrozek/liblognorm/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/jhrozek/liblognorm/pubkey.gpg
enabled=1

[jhrozek-liblogging]
name=Copr repo for liblogging owned by jhrozek
baseurl=https://copr-be.cloud.fedoraproject.org/results/jhrozek/liblogging/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/jhrozek/liblogging/pubkey.gpg
enabled=1

-------------------------------------------------------------------------------- /rsyslog/rsyslog.conf: 
--------------------------------------------------------------------------------
# rsyslog configuration file
#
# Role of this instance: a network-only collector.  It receives syslog from
# the IPA / SSSD hosts that forward to it on 514 (UDP and TCP), normalizes
# selected message types (/etc/rsyslog.d/00_normalize.conf) and ships every
# message to the local Elasticsearch (/etc/rsyslog.d/10_elasticsearch.conf).
# No local input (journal, kernel log, /dev/log) is loaded.

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# Local message sources stay commented out; with them disabled the only
# inputs are the two network listeners below.
#$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
#
# NOTE(review): both listeners below accept plain, unauthenticated syslog from
# any source, and no $AllowedSender restriction is configured.  UDP has no
# handshake, so source address and content are trivially forgeable, and
# neither transport is encrypted, so the authentication events gathered here
# (audit USER_LOGIN records, pam_sss results, KDC and 389-ds logs) cross the
# network in clear text.  Publish 514 only on a trusted segment, add
# $AllowedSender entries for the IPA hosts, and prefer imtcp with TLS (gtls
# driver) or RELP for anything that has to be tamper-evident.
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception (same caveats as the UDP listener above;
# TCP at least removes blind source spoofing, but still carries no
# authentication or encryption as configured here)
$ModLoad imtcp
$InputTCPServerRun 514

# By default, all system logs are read from journald through the
# imjournal module. To read messages from the syslog socket, the
# imuxsock module has to be loaded and a path to the socket specified.
# (Neither applies in this container: see the MODULES note above.)
#$ModLoad imuxsock
# The default path to the syslog socket provided by journald:
#$SystemLogSocketName /run/systemd/journal/syslog


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files (queue spool files would go here if a
# disk-assisted queue is ever configured for the Elasticsearch action)
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
# (00_normalize.conf must run before 10_elasticsearch.conf; the numeric
# prefixes keep that order)
$IncludeConfig /etc/rsyslog.d/*.conf

# File to store the position in the journal
#$IMJournalStateFile imjournal.state
# If there is no saved state yet, don't read in the whole bulk of messages.
# This means some of the older messages won't be collected by rsyslog,
# but it also prevents a potential huge spike in resource utilization.
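#$IMJournalIgnorePreviousMessages on

-------------------------------------------------------------------------------- /rsyslog/rules-audit.rb: --------------------------------------------------------------------------------
# audit
#
# auditd records as forwarded by the audispd syslog plugin (tag "audispd:").
# The prefix consumes the common record header; the two rules parse the
# quoted msg='...' body of USER_LOGIN-style records into the fields the
# User Logins dashboard uses (action = audit record type, username / uid,
# src-host, src-addr, terminal, status).  Fields named "-" are matched but
# discarded.
#
# NOTE(review): the prefix requires every header field, in this order,
# including "node=" (emitted only when audispd has a name_format configured)
# and "subj=" (the SELinux context).  Records from a host that omits either
# do not match and land in unparsed-data instead of the dashboard - check
# this against the senders' audisp configuration.
#
# NOTE(review): in the two samples below the failed login identifies the
# account as acct="<name>" while the successful one carries id=<uid>, so the
# first rule fills "username" and the second fills "uid".  A dashboard that
# groups by username will show failures but not the matching successes.

prefix= node=%-:word% type=%action:word% msg=audit(%-:string-to:)\x3a %): pid=%pid:number% uid=%-:number% auid=%auid:number% ses=%ses:number% subj=%subj:word% msg='

# node=localhost.localdomain type=USER_LOGIN msg=audit(1427389321.984:439): pid=2363 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=ssh res=failed'
rule=audit:op=%op:word% acct=%username:quoted-string% exe=%cmd:quoted-string% hostname=%src-host:word% addr=%src-addr:word% terminal=%terminal:word% res=%status:char-to:'%

# node=localhost.localdomain type=USER_LOGIN msg=audit(1427387571.280:371): pid=2239 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/0 res=success'
rule=audit:op=%op:word% id=%uid:number% exe=%cmd:quoted-string% hostname=%src-host:word% addr=%src-addr:word% terminal=%terminal:word% res=%status:char-to:'%

-------------------------------------------------------------------------------- /rsyslog/rules-authpriv.rb: --------------------------------------------------------------------------------
# authpriv
#
# pam_sss result lines from the authpriv facility, e.g.
#   pam_sss(su:auth): received for user admin: 17 (Failure setting user credentials)
# The number after the user name is the PAM return code of the pam_sss call
# and the parenthesised text its description.  One rule per code: each tags
# the event authpriv,pam_sss,<stack>,status_code_<N>, and the annotate= lines
# at the end of this file turn that tag into the status_code / status_text
# fields the PAM Errors dashboard aggregates on.  status_text values are
# coarse groupings chosen for the dashboard, not the PAM wording.
#
# Only codes that have a rule here are recognised.  A pam_sss line with any
# other code matches nothing, gets no tags and never reaches the PAM Errors
# dashboard.  Codes 9, 10, 11 and 20 are therefore included as well
# (Linux-PAM names, for reference: 9 PAM_AUTHINFO_UNAVAIL, 10 PAM_USER_UNKNOWN,
# 11 PAM_MAXTRIES, 20 PAM_AUTHTOK_ERR), since unknown-user and retry-limit
# outcomes are exactly what an auth dashboard should not drop silently.
# Any further code pam_sss may return still needs its own rule plus two
# annotate= lines.

# pam_sss(su:auth): received for user admin: 17 (Failure setting user credentials)

prefix= pam_sss(%service:char-to:\x3a%:auth): %-:string-to: user% user %username:string-to:\x3a %:

rule=authpriv,pam_sss,auth,status_code_0: 0 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_4: 4 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_6: 6 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_13: 13 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_7: 7 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_17: 17 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_22: 22 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_12: 12 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_16: 16 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_9: 9 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_10: 10 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_11: 11 (%msg:char-to:)%)
rule=authpriv,pam_sss,auth,status_code_20: 20 (%msg:char-to:)%)


# pam_sss(su:account): received for user admin: 17 (Failure setting user credentials)

prefix= pam_sss(%service:char-to:\x3a%:account): %-:string-to: user% user %username:string-to:\x3a %:

rule=authpriv,pam_sss,account,status_code_0: 0 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_4: 4 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_6: 6 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_13: 13 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_7: 7 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_17: 17 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_22: 22 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_12: 12 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_16: 16 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_9: 9 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_10: 10 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_11: 11 (%msg:char-to:)%)
rule=authpriv,pam_sss,account,status_code_20: 20 (%msg:char-to:)%)


# status_code: the numeric PAM return code as a field (the sample's "17")
annotate=status_code_0:+status_code="0"
annotate=status_code_4:+status_code="4"
annotate=status_code_6:+status_code="6"
annotate=status_code_13:+status_code="13"
annotate=status_code_7:+status_code="7"
annotate=status_code_17:+status_code="17"
annotate=status_code_22:+status_code="22"
annotate=status_code_12:+status_code="12"
annotate=status_code_16:+status_code="16"
annotate=status_code_9:+status_code="9"
annotate=status_code_10:+status_code="10"
annotate=status_code_11:+status_code="11"
annotate=status_code_20:+status_code="20"


# status_text: dashboard-facing grouping of the code (several codes share a
# label on purpose; Linux-PAM names for reference: 4 PAM_SYSTEM_ERR,
# 6 PAM_PERM_DENIED, 13 PAM_ACCT_EXPIRED, 7 PAM_AUTH_ERR, 17 PAM_CRED_ERR,
# 22 PAM_AUTHTOK_LOCK_BUSY, 12 PAM_NEW_AUTHTOK_REQD, 16 PAM_CRED_EXPIRED)
annotate=status_code_0:+status_text="Success"
annotate=status_code_4:+status_text="Internal SSSD Error"
annotate=status_code_6:+status_text="Access Denied"
annotate=status_code_13:+status_text="Access Denied"
annotate=status_code_7:+status_text="Authentication Failed"
annotate=status_code_17:+status_text="Authentication Failed"
annotate=status_code_22:+status_text="Password Change Failed"
annotate=status_code_12:+status_text="Password Change Required"
annotate=status_code_16:+status_text="Password Change Required"
annotate=status_code_9:+status_text="Authentication Info Unavailable"
annotate=status_code_10:+status_text="User Unknown"
annotate=status_code_11:+status_text="Max Retries Exceeded"
annotate=status_code_20:+status_text="Password Change Failed"

-------------------------------------------------------------------------------- /rsyslog/rules-httpderror.rb: --------------------------------------------------------------------------------
# IPA
#
# "ipa: INFO:" lines from httpd's error log (tag "httpderror"): IPA's
# per-request API trail of the form <principal>: <command>(<args>): <RESULT>.
# The prefix consumes the Apache timestamp / level / pid header; the rules
# extract the calling Kerberos principal, the command name, its argument
# list and the result, tagged ipa-call for the IPA Calls dashboard.
#
# NOTE(review): "parameters" is the complete argument list, stored verbatim
# and shown as a dashboard column.  IPA masks userpassword (see the sample
# below), but every other attribute value handed to a command (names,
# principals, DNS data, group membership, ...) is indexed, so read access to
# Kibana / Elasticsearch is read access to that directory data.

prefix= [%-:string-to:] %] [:error] [pid %pid:number%] ipa: INFO:

# Direct calls carry a bracketed server name ("[jsonserver_kerb]") before the principal.
# [Fri Feb 06 06:06:22.875298 2015] [:error] [pid 30769] ipa: INFO: [jsonserver_kerb] admin@RHEL.TEST: user_add(u'fbar', givenname=u'Foo', sn=u'Bar', cn=u'Foo Bar', displayname=u'Foo Bar', initials=u'FB', gecos=u'Foo Bar', krbprincipalname=u'fbar@RHEL.TEST', userpassword=u'********', random=False, noprivate=False, all=False, raw=False, version=u'2.112', no_members=False): SUCCESS
rule=ipa,ipa-call: [%-:string-to:] %] %principal:string-to:\x3a %: %action:char-to:(%(%parameters:string-to:)\x3a %): %status:word%

# Calls issued inside a batch request have no bracketed server name and a
# "batch:" marker; they get the extra tag "batch".  The "): " delimiter of
# "parameters" escapes its colon as \x3a exactly like the first rule does
# (a bare ':' inside a field's extra data is ambiguous with the
# name:type:extra separator of the field syntax).
# [Wed Apr 08 16:07:37.772664 2015] [:error] [pid 2139] ipa: INFO: admin@KVM: batch: user_show(u'admin', no_members=True): SUCCESS
rule=ipa,ipa-call,batch: %principal:string-to:\x3a %: batch: %action:char-to:(%(%parameters:string-to:)\x3a %): %status:word%

# Batched call without arguments: no "parameters" field is produced.
# [Wed Apr 08 16:56:29.257898 2015] [:error] [pid 2139] ipa: INFO: admin@KVM: batch: dns_is_enabled(): SUCCESS
rule=ipa,ipa-call,batch: %principal:string-to:\x3a %: batch: %action:string-to:()%(): %status:word%

-------------------------------------------------------------------------------- /rsyslog/rules-ipa-389-access.rb: --------------------------------------------------------------------------------
# ipa-389-access

prefix= [%-:string-to:] %] conn=%conn:number% op=%op:number%

# [09/Apr/2015:11:33:33 +0200] conn=27 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
rule=ipa-389-access,bind: BIND 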
dn=%dn:quoted-string% method=%method:word% version=%version:number% mech=%mech:word% 7 | 8 | prefix= [%-:string-to:] %] conn=%conn:number% op=%op:number% RESULT err=%err:number% tag=%app-tag:number% nentries=%nentries:number% 9 | 10 | # [09/Apr/2015:11:33:34 +0200] conn=28 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=centos-7-vm.kvm,cn=computers,cn=accounts,dc=kvm" 11 | rule=ipa-389-access,result: etime=%etime:number% dn=%dn:quoted-string% 12 | 13 | # [09/Apr/2015:11:33:33 +0200] conn=27 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress 14 | rule=ipa-389-access,result: etime=%etime:number%, %msg:rest% 15 | 16 | # [09/Apr/2015:11:33:34 +0200] conn=28 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=P 17 | rule=ipa-389-access,result: etime=%etime:number% notes=%notes:word% 18 | 19 | # [09/Apr/2015:11:33:33 +0200] conn=4 op=69 RESULT err=0 tag=101 nentries=1 etime=0 20 | rule=ipa-389-access,result: etime=%etime:number% 21 | 22 | -------------------------------------------------------------------------------- /rsyslog/rules-ipa-389-errors.rb: -------------------------------------------------------------------------------- 1 | # ipa-389-errors 2 | 3 | prefix= [%-:string-to:] %] NSMMReplicationPlugin - agmt=%agmt:quoted-string% (%dst-host:char-to:\x3a%:%dst-port:number%): 4 | 5 | # [15/Mar/2015:10:10:45 +0100] NSMMReplicationPlugin - agmt="cn=meTocentos-7-vm.kvm" (centos-7-vm:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket not yet valid)) 6 | rule=NSMMReplicationPlugin,replication-status,error: Replication bind with %mech:word% auth failed: %msg:rest% 7 | 8 | # [14/Apr/2015:16:34:37 +0200] NSMMReplicationPlugin - agmt="cn=meTocentos-7-vm.kvm" (centos-7-vm:389): Replication bind with GSSAPI auth resumed 9 | rule=NSMMReplicationPlugin,replication-status,info: Replication bind with %mech:word% auth resumed 10 | 11 | -------------------------------------------------------------------------------- /rsyslog/rules-krb5-kdc.rb: -------------------------------------------------------------------------------- 1 | # krb5-kdc 2 | 3 | prefix= %-:date-rfc3164% %-:word% krb5kdc[%pid:number%](%app-severity:string-to:)\x3a %): AS_REQ (%-:string-to:}) %}) %src-addr:string-to:\x3a %: 4 | 5 | # Apr 09 11:33:34 centos-7-vm krb5kdc[2120](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.40: ISSUE: authtime 1428572014, etypes {rep=18 tkt=18 ses=18}, host/centos-7-vm.kvm@KVM for krbtgt/KVM@KVM 6 | rule=krb5-kdc,as-req,kinit,issue: ISSUE: authtime %authtime:number%, etypes {%-:string-to:}, %}, %src:word% for %dst:word% 7 | 8 | # Apr 13 17:42:26 centos-7-vm krb5kdc[2121](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.40: PREAUTH_FAILED: admin@KVM for krbtgt/KVM@KVM, Decrypt integrity check failed 9 | rule=krb5-kdc,as-req,kinit,preauth-failed: PREAUTH_FAILED: %user:word% for %dst:string-to:, %, %msg:rest% 10 | 11 | -------------------------------------------------------------------------------- /rsyslog/rules-sssd.rb: -------------------------------------------------------------------------------- 1 | # sssd-* 2 | 3 | prefix= (%-:string-to:) %) 4 | 5 | # (Wed Apr 15 15:54:46 2015) [[sssd[ldap_child[4292]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab] 6 | rule=sssd: [[sssd[%component:char-to:[%[%component-pid:number%]]]] [%action:string-to:] %] (0x%log-level:interpret:base16int:string-to:)\x3a %): %msg:rest% 7 | 8 | 
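# (Wed Apr 15 10:10:31 2015) [sssd[be[linux.test]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation 9 | rule=sssd: [sssd[%component:char-to:[%[%domain:string-to:]]] %]]] [%action:string-to:] %] (0x%log-level:interpret:base16int:string-to:)\x3a %): %msg:rest% 10 | 11 | # (Wed Apr 15 16:01:02 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. 12 | rule=sssd: [sssd[%component:string-to:]] %]] [%action:string-to:] %] (0x%log-level:interpret:base16int:string-to:)\x3a %): %msg:rest% 13 | 14 | # (Wed Apr 15 15:54:53 2015) [sssd] [service_send_ping] (0x0100): Pinging pam 15 | rule=sssd: [sssd] [%action:string-to:] %] (0x%log-level:interpret:base16int:string-to:)\x3a %): %msg:rest% 16 | 17 | -------------------------------------------------------------------------------- /supervisor/elasticsearch.ini: -------------------------------------------------------------------------------- 1 | [program:elasticsearch] 2 | command=/usr/share/elasticsearch/bin/elasticsearch -p /var/run/elasticsearch/elasticsearch.pid -Des.default.config=/etc/elasticsearch/elasticsearch.yml -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.work=/tmp/elasticsearch -Des.default.path.conf=/etc/elasticsearch 3 | user=elasticsearch 4 | priority=2 5 | 6 | -------------------------------------------------------------------------------- /supervisor/firstrun.ini: -------------------------------------------------------------------------------- 1 | [program:firstrun] 2 | command=/root/.firstrun/firstrun.sh 3 | priority=4 4 | exitcodes=0 5 | 6 | -------------------------------------------------------------------------------- /supervisor/firstrun.sh: --------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Load the Kibana saved objects (kibana-config-*.json: index pattern, searches,
3 | # visualizations, dashboards) into Elasticsearch through the bulk API, once per
4 | # container. Started by supervisor (firstrun.ini); the marker file keeps it
5 | # idempotent across restarts.
6 | 
7 | MARKER='/root/.firstrun/done'
8 | ES_URL='http://localhost:9200'
9 | 
10 | [ -e "$MARKER" ] && exit 0
11 | 
12 | # Poll Elasticsearch instead of a fixed sleep: a fixed delay is slower than
13 | # needed on fast hosts and a race on slow ones. Give up after a bounded number
14 | # of attempts with a non-zero status; firstrun.ini declares exitcodes=0, so
15 | # supervisor treats that as an unexpected exit and (with its default
16 | # autorestart=unexpected) starts the program again.
17 | tries=0
18 | until curl -sSf "$ES_URL/" >/dev/null 2>&1; do
19 |     tries=$((tries + 1))
20 |     if [ "$tries" -ge 30 ]; then
21 |         echo 'firstrun: elasticsearch did not become reachable' >&2
22 |         exit 1
23 |     fi
24 |     sleep 2
25 | done
26 | 
27 | for cfg in /root/.firstrun/kibana-config-*.json; do
28 |     # -f turns an HTTP 4xx/5xx reply into a non-zero exit, so a rejected bulk
29 |     # request is not recorded as done. Per-item failures inside a 200 reply
30 |     # ("errors": true in the bulk response body) are still not detected here;
31 |     # the response is left on stdout (supervisor's log) for inspection.
32 |     curl -sSf -XPOST "$ES_URL/_bulk" --data-binary "@$cfg"
33 |     ret=$?
34 |     [ "$ret" -ne 0 ] && exit "$ret"
35 | done
36 | 
37 | touch "$MARKER"
38 | 
-------------------------------------------------------------------------------- /supervisor/kibana.ini: -------------------------------------------------------------------------------- 1 | [program:kibana] 2 | command=/opt/kibana/bin/kibana.sh 3 | user=nobody 4 | priority=3 5 | 6 | -------------------------------------------------------------------------------- /supervisor/rsyslog.ini: -------------------------------------------------------------------------------- 1 | [program:rsyslog] 2 | command=/usr/sbin/rsyslogd -n 3 | priority=1 4 | 5 | -------------------------------------------------------------------------------- /supervisor/supervisord.conf: -------------------------------------------------------------------------------- 1 | [unix_http_server] 2 | file=/var/tmp/supervisor.sock ; (the path to the socket file) 3 | ;chmod=0700 ; socket file mode (default 0700) 4 | ;chown=nobody:nogroup ; socket file uid:gid owner 5 | ;username=user ; (default is no username (open server)) 6 | ;password=123 ; (default is no password (open server)) 7 | 8 | ;[inet_http_server] ; inet (TCP) server disabled by default 9 | ;port=127.0.0.1:9001 ; (ip_address:port specifier, *:port for all iface) 10 | ;username=user ; (default is no username (open server)) 11 | ;password=123 ; (default is no password (open server)) 12 | 13 | [supervisord] 14 | logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log) 15 | ;logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB) 16 | ;logfile_backups=10 ; (num of main logfile rotation backups;default 10) 17 | ;loglevel=info ; (log level;default info; others: debug,warn,trace) 18 | pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid) 19 | nodaemon=true ; (start in foreground if true;default false) 20 | ;minfds=1024 ; (min.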
avail startup file descriptors;default 1024) 21 | ;minprocs=200 ; (min. avail process descriptors;default 200) 22 | ;umask=022 ; (process file creation umask;default 022) 23 | ;user=chrism ; (default is current user, required if root) 24 | ;identifier=supervisor ; (supervisord identifier, default is 'supervisor') 25 | ;directory=/tmp ; (default is not to cd during start) 26 | ;nocleanup=true ; (don't clean up tempfiles at start;default false) 27 | ;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP) 28 | ;environment=KEY=value ; (key value pairs to add to environment) 29 | ;strip_ansi=false ; (strip ansi escape codes in logs; def. false) 30 | 31 | ; the below section must remain in the config file for RPC 32 | ; (supervisorctl/web interface) to work, additional interfaces may be 33 | ; added by defining them in separate rpcinterface: sections 34 | [rpcinterface:supervisor] 35 | supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface 36 | 37 | [supervisorctl] 38 | serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket 39 | ;serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket 40 | ;username=chris ; should be same as http_username if set 41 | ;password=123 ; should be same as http_password if set 42 | ;prompt=mysupervisor ; cmd line prompt (default "supervisor") 43 | ;history_file=~/.sc_history ; use readline history if available 44 | 45 | ; The below sample program section shows all possible program subsection values, 46 | ; create one or more 'real' program: sections to be able to control them under 47 | ; supervisor. 
48 | 49 | ;[program:theprogramname] 50 | ;command=/bin/cat ; the program (relative uses PATH, can take args) 51 | ;process_name=%(program_name)s ; process_name expr (default %(program_name)s) 52 | ;numprocs=1 ; number of processes copies to start (def 1) 53 | ;directory=/tmp ; directory to cwd to before exec (def no cwd) 54 | ;umask=022 ; umask for process (default None) 55 | ;priority=999 ; the relative start priority (default 999) 56 | ;autostart=true ; start at supervisord start (default: true) 57 | ;autorestart=true ; retstart at unexpected quit (default: true) 58 | ;startsecs=10 ; number of secs prog must stay running (def. 1) 59 | ;startretries=3 ; max # of serial start failures (default 3) 60 | ;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) 61 | ;stopsignal=QUIT ; signal used to kill process (default TERM) 62 | ;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) 63 | ;user=chrism ; setuid to this UNIX account to run the program 64 | ;redirect_stderr=true ; redirect proc stderr to stdout (default false) 65 | ;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO 66 | ;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) 67 | ;stdout_logfile_backups=10 ; # of stdout logfile backups (default 10) 68 | ;stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) 69 | ;stdout_events_enabled=false ; emit events on stdout writes (default false) 70 | ;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO 71 | ;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) 72 | ;stderr_logfile_backups=10 ; # of stderr logfile backups (default 10) 73 | ;stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) 74 | ;stderr_events_enabled=false ; emit events on stderr writes (default false) 75 | ;environment=A=1,B=2 ; process environment additions (def no adds) 76 | ;serverurl=AUTO ; override serverurl computation (childutils) 77 | 78 | ; 
The below sample eventlistener section shows all possible 79 | ; eventlistener subsection values, create one or more 'real' 80 | ; eventlistener: sections to be able to handle event notifications 81 | ; sent by supervisor. 82 | 83 | ;[eventlistener:theeventlistenername] 84 | ;command=/bin/eventlistener ; the program (relative uses PATH, can take args) 85 | ;process_name=%(program_name)s ; process_name expr (default %(program_name)s) 86 | ;numprocs=1 ; number of processes copies to start (def 1) 87 | ;events=EVENT ; event notif. types to subscribe to (req'd) 88 | ;buffer_size=10 ; event buffer queue size (default 10) 89 | ;directory=/tmp ; directory to cwd to before exec (def no cwd) 90 | ;umask=022 ; umask for process (default None) 91 | ;priority=-1 ; the relative start priority (default -1) 92 | ;autostart=true ; start at supervisord start (default: true) 93 | ;autorestart=unexpected ; restart at unexpected quit (default: unexpected) 94 | ;startsecs=10 ; number of secs prog must stay running (def. 
1) 95 | ;startretries=3 ; max # of serial start failures (default 3) 96 | ;exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) 97 | ;stopsignal=QUIT ; signal used to kill process (default TERM) 98 | ;stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) 99 | ;user=chrism ; setuid to this UNIX account to run the program 100 | ;redirect_stderr=true ; redirect proc stderr to stdout (default false) 101 | ;stdout_logfile=/a/path ; stdout log path, NONE for none; default AUTO 102 | ;stdout_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) 103 | ;stdout_logfile_backups=10 ; # of stdout logfile backups (default 10) 104 | ;stdout_events_enabled=false ; emit events on stdout writes (default false) 105 | ;stderr_logfile=/a/path ; stderr log path, NONE for none; default AUTO 106 | ;stderr_logfile_maxbytes=1MB ; max # logfile bytes b4 rotation (default 50MB) 107 | ;stderr_logfile_backups ; # of stderr logfile backups (default 10) 108 | ;stderr_events_enabled=false ; emit events on stderr writes (default false) 109 | ;environment=A=1,B=2 ; process environment additions 110 | ;serverurl=AUTO ; override serverurl computation (childutils) 111 | 112 | ; The below sample group section shows all possible group values, 113 | ; create one or more 'real' group: sections to create "heterogeneous" 114 | ; process groups. 115 | 116 | ;[group:thegroupname] 117 | ;programs=progname1,progname2 ; each refers to 'x' in [program:x] definitions 118 | ;priority=999 ; the relative start priority (default 999) 119 | 120 | ; The [include] section can just contain the "files" setting. This 121 | ; setting can list multiple files (separated by whitespace or 122 | ; newlines). It can also contain wildcards. The filenames are 123 | ; interpreted as relative to this file. Included files *cannot* 124 | ; include files themselves. 
125 | 126 | [include] 127 | files = supervisord.d/*.ini 128 | 129 | --------------------------------------------------------------------------------