Re: [389-users] Not able to enable audit logs
There is no error. It goes thru fine. When I restart the LDAP server after adding it, there is nothing in the audit file. And no entry in the dse.ldif.

On 15 June 2015 at 13:39, German Parente gpare...@redhat.com wrote:

> Hi Prashant,
>
> it should work in the same way. Are you having an error doing your ldapmodify?
>
> There's not a specific entry for nsslapd-auditlog-logging-enabled. nsslapd-auditlog-logging-enabled is an attribute of cn=config entry.
>
> You should be able to query it by this command:
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config -s base nsslapd-auditlog-logging-enabled
> dn: cn=config
> nsslapd-auditlog-logging-enabled: on
>
> Regards,
>
> German.
>
> - Original Message -
> From: Prashant Bapat prash...@apigee.com
> To: 389-users 389-users@lists.fedoraproject.org
> Sent: Monday, June 15, 2015 9:56:48 AM
> Subject: [389-users] Not able to enable audit logs
>
> Hi,
>
> I have a setup of master-master replicated 389 DS installations as part of FreeIPA. This is the version of the 389-ds: 389-ds-base-1.3.3.8-1.fc21.x86_64
>
> On 1st server, I was able to enable the audit logs using the following LDIF.
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-auditlog-logging-enabled
> nsslapd-auditlog-logging-enabled: on
>
> However, the same LDIF when I run on the second server (which is the replicated master) the audit logs never get enabled. I'm not able to find the nsslapd-auditlog-logging-enabled entry under the dse.ldif. I have tried restarting etc but no luck.
>
> Is this normal?
>
> Thanks.
> --Prashant

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] Not able to enable audit logs
Can you see the operation taking place in access logs? Something like this?

[15/Jun/2015:10:08:12 +0200] conn=1 op=0 BIND dn=cn=directory manager method=128 version=3
[15/Jun/2015:10:08:12 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=directory manager
[15/Jun/2015:10:08:34 +0200] conn=1 op=1 MOD dn=cn=config
[15/Jun/2015:10:08:34 +0200] conn=1 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[15/Jun/2015:10:08:36 +0200] conn=1 op=3 UNBIND

Thanks and regards,

German.

- Original Message -
From: Prashant Bapat prash...@apigee.com
To: General discussion list for the 389 Directory server project. 389-users@lists.fedoraproject.org
Sent: Monday, June 15, 2015 11:23:52 AM
Subject: Re: [389-users] Not able to enable audit logs

> There is no error. It goes thru fine. When I restart the LDAP server after adding it, there is nothing in the audit file. And no entry in the dse.ldif.
>
> On 15 June 2015 at 13:39, German Parente gpare...@redhat.com wrote:
>
> > Hi Prashant,
> >
> > it should work in the same way. Are you having an error doing your ldapmodify?
> >
> > There's not a specific entry for nsslapd-auditlog-logging-enabled. nsslapd-auditlog-logging-enabled is an attribute of cn=config entry.
> >
> > You should be able to query it by this command:
> >
> > ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config -s base nsslapd-auditlog-logging-enabled
> > dn: cn=config
> > nsslapd-auditlog-logging-enabled: on
> >
> > Regards,
> >
> > German.
> >
> > - Original Message -
> > From: Prashant Bapat prash...@apigee.com
> > To: 389-users 389-users@lists.fedoraproject.org
> > Sent: Monday, June 15, 2015 9:56:48 AM
> > Subject: [389-users] Not able to enable audit logs
> >
> > Hi,
> >
> > I have a setup of master-master replicated 389 DS installations as part of FreeIPA. This is the version of the 389-ds: 389-ds-base-1.3.3.8-1.fc21.x86_64
> >
> > On 1st server, I was able to enable the audit logs using the following LDIF.
> >
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-auditlog-logging-enabled
> > nsslapd-auditlog-logging-enabled: on
> >
> > However, the same LDIF when I run on the second server (which is the replicated master) the audit logs never get enabled. I'm not able to find the nsslapd-auditlog-logging-enabled entry under the dse.ldif. I have tried restarting etc but no luck.
> >
> > Is this normal?
> >
> > Thanks.
> > --Prashant
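
The access-log check asked about in the message above, as an added example that is not part of the original thread: it pairs every MOD against cn=config with the result code of its RESULT line, so a change that was rejected can be told apart from one the server accepted. The function names `config_mods` and `sample_access_log` are hypothetical, and the sample lines are constructed, modelled on the excerpt in the message (the err=50 case is invented for contrast).

```sh
#!/bin/sh
# Added example: which MODs on cn=config reached this server, and did they succeed?

# Constructed sample of a 389 DS access log (not taken from a real server).
sample_access_log() {
    cat <<'EOF'
[15/Jun/2015:10:08:12 +0200] conn=1 op=0 BIND dn="cn=directory manager" method=128 version=3
[15/Jun/2015:10:08:12 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[15/Jun/2015:10:08:34 +0200] conn=1 op=1 MOD dn="cn=config"
[15/Jun/2015:10:08:34 +0200] conn=1 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[15/Jun/2015:10:08:36 +0200] conn=1 op=3 UNBIND
[15/Jun/2015:10:09:02 +0200] conn=7 op=1 MOD dn="uid=test,ou=people,dc=example,dc=com"
[15/Jun/2015:10:09:02 +0200] conn=7 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[15/Jun/2015:10:09:05 +0200] conn=7 op=2 MOD dn="cn=config"
[15/Jun/2015:10:09:05 +0200] conn=7 op=2 RESULT err=50 tag=103 nentries=0 etime=0
EOF
}

# config_mods [FILE] -> one line "conn=N op=M err=E" per MOD on cn=config.
# Reads stdin when FILE is omitted; prints err=? if no RESULT line was logged.
config_mods() {
    awk '
    {
        # Pull the connection, operation and result fields out of every line.
        conn = ""; op = ""; err = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = $i
            else if ($i ~ /^op=/) op = $i
            else if ($i ~ /^err=/) err = $i
        }
        key = conn " " op
    }
    # The DN may or may not be quoted, depending on how the log was copied.
    / MOD dn="?cn=config"?( |$)/ { pending[key] = 1; order[++n] = key; next }
    / RESULT / && (key in pending) { result[key] = err }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            print k, ((k in result) ? result[k] : "err=?")
        }
    }' "${1:--}"
}

sample_access_log | config_mods
```

On a server this would be run as `config_mods /var/log/dirsrv/slapd-INSTANCE/access`; no output means no modify on cn=config was logged in that file, and any code other than err=0 means the server refused it.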
Re: [389-users] Not able to enable audit logs
On 06/15/2015 05:23 AM, Prashant Bapat wrote:

> There is no error. It goes thru fine. When I restart the LDAP server after adding it, there is nothing in the audit file. And no entry in the dse.ldif.

Are you directly modifying the dse.ldif? If so, you MUST do so while the server is stopped, otherwise the change is lost. The best way is to use ldapmodify:

Example:

# ldapmodify -D "cn=directory manager" -W -p PORT -h HOST
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on

Enabling the audit log should log the change to enable it, so after making this update the audit log should not be empty (/var/log/dirsrv/slapd-INSTANCE/audit).

Mark

> On 15 June 2015 at 13:39, German Parente gpare...@redhat.com wrote:
>
> > Hi Prashant,
> >
> > it should work in the same way. Are you having an error doing your ldapmodify?
> >
> > There's not a specific entry for nsslapd-auditlog-logging-enabled. nsslapd-auditlog-logging-enabled is an attribute of cn=config entry.
> >
> > You should be able to query it by this command:
> >
> > ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config -s base nsslapd-auditlog-logging-enabled
> > dn: cn=config
> > nsslapd-auditlog-logging-enabled: on
> >
> > Regards,
> >
> > German.
> >
> > - Original Message -
> > From: Prashant Bapat prash...@apigee.com
> > To: 389-users 389-users@lists.fedoraproject.org
> > Sent: Monday, June 15, 2015 9:56:48 AM
> > Subject: [389-users] Not able to enable audit logs
> >
> > Hi,
> >
> > I have a setup of master-master replicated 389 DS installations as part of FreeIPA. This is the version of the 389-ds: 389-ds-base-1.3.3.8-1.fc21.x86_64
> >
> > On 1st server, I was able to enable the audit logs using the following LDIF.
> >
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-auditlog-logging-enabled
> > nsslapd-auditlog-logging-enabled: on
> >
> > However, the same LDIF when I run on the second server (which is the replicated master) the audit logs never get enabled. I'm not able to find the nsslapd-auditlog-logging-enabled entry under the dse.ldif. I have tried restarting etc but no luck.
> >
> > Is this normal?
> >
> > Thanks.
> > --Prashant
Re: [389-users] Not able to enable audit logs
Hi Prashant,

it should work in the same way. Are you having an error doing your ldapmodify?

There's not a specific entry for nsslapd-auditlog-logging-enabled. nsslapd-auditlog-logging-enabled is an attribute of cn=config entry.

You should be able to query it by this command:

ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config -s base nsslapd-auditlog-logging-enabled
dn: cn=config
nsslapd-auditlog-logging-enabled: on

Regards,

German.

- Original Message -
From: Prashant Bapat prash...@apigee.com
To: 389-users 389-users@lists.fedoraproject.org
Sent: Monday, June 15, 2015 9:56:48 AM
Subject: [389-users] Not able to enable audit logs

> Hi,
>
> I have a setup of master-master replicated 389 DS installations as part of FreeIPA. This is the version of the 389-ds: 389-ds-base-1.3.3.8-1.fc21.x86_64
>
> On 1st server, I was able to enable the audit logs using the following LDIF.
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-auditlog-logging-enabled
> nsslapd-auditlog-logging-enabled: on
>
> However, the same LDIF when I run on the second server (which is the replicated master) the audit logs never get enabled. I'm not able to find the nsslapd-auditlog-logging-enabled entry under the dse.ldif. I have tried restarting etc but no luck.
>
> Is this normal?
>
> Thanks.
> --Prashant