5.2. Viewing the IdM API audit logs


You can view the IdM API audit logs and details of a specific entry by querying the systemd journal. This procedure shows how to identify and display logs of a user deletion using the IdM API.

Prerequisites

  • You have root access to the IdM server.

Procedure

  1. To see a list of all IdM API operations recorded in the journal, filter the journal for the IPA.API marker:

    # journalctl -g IPA.API
    May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
    May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
    May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
    May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}

    The output shows a summary of each API call, including the user, the command, the result, the unique connection ID, and the parameters used.

  2. Identify the unique identifier for the specific entry you want to inspect. For example, the user_del call has the LDAP backend instance identifier ldap2_140328582446688.
  3. Use journalctl with the -x option and the unique identifier value to get a detailed explanation of the user deletion log entry:

    # journalctl -x -g ldap2_140328582446688
    May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[255232]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
    -- Subject: IdM API command was executed and result of its execution was audited
    -- Defined-by: FreeIPA
    -- Support: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
    -- Documentation: man:ipa(1)
    -- Documentation: https://freeipa.readthedocs.io/en/latest/api/index.html
    -- Documentation: https://freeipa.readthedocs.io/en/latest/api/user_del.html
    
    -- Identity Management provides an extensive API that allows to manage all aspects of IdM deployments.
    
    -- The following information about the API command executed is available:
    
    -- [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
    
    -- The command was executed by '/usr/bin/ipa' utility. If the utility name
    -- is '/mod_wsgi`, then this API command came from a remote source through the IdM
    -- API end-point.
    
    -- The message includes following fields:
    
    --   - executable name and PID ('/mod_wsgi' for HTTP end-point; in this case it
    --     was '/usr/bin/ipa' command)
    
    --   - '[IPA.API]' marker to allow searches with 'journalctl -g IPA.API'
    
    --   - authenticated Kerberos principal or '[autobind]' marker for LDAPI-based
    --     access as root. In this case it was '[autobind]'
    
    --   - name of the command executed, in this case 'user_del'
    
    --   - result of execution: SUCCESS or an exception name. In this case it was
    --     'SUCCESS'
    
    --   - LDAP backend instance identifier. The identifier will be the same for all
    --     operations performed under the same request. This allows to identify operations
    --     which were executed as a part of the same API request instance. For API
    --     operations that didn't result in LDAP access, there will be
    --     '[no_connection_id]' marker.
    
    --   - finally, a list of arguments and options passed to the command is provided
    --     in JSON format.
    
    -- ---------
    -- The following list of arguments and options were passed to the command
    -- 'user_del' by the '[autobind]' actor:
    --
    -- {"uid": ["example_user"], "continue": false, "version": "2.253"}
    -- ---------
    
    -- A detailed information about Identity Management API can be found at upstream documentation API reference:
    -- https://freeipa.readthedocs.io/en/latest/api/index.html
    
    -- For details on the IdM API command 'user_del' see
    -- https://freeipa.readthedocs.io/en/latest/api/user_del.html
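
The following Python parser for the entry format described above is an added example, not part of the original documentation or of FreeIPA. It splits each `[IPA.API]` line into its fields, groups entries by LDAP backend instance identifier, and lists failed calls and changes made through `[autobind]`. The last sample line and the `read_only` list are assumptions made for illustration.

```python
import json
import re

# Layout per the catalog text: executable[PID]: [IPA.API] actor: command: result [backend id] JSON
LINE_RE = re.compile(
    r"(?P<exe>\S+)\[(?P<pid>\d+)\]: \[IPA\.API\] (?P<actor>\S+): "
    r"(?P<command>\w+): (?P<result>\w+) \[(?P<conn>[^\]]+)\] (?P<args>\{.*\})\s*$")

# Lines 1-4: the page's sample output. Line 5: constructed failed call (exception name as result).
SAMPLE = """\
May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}
May 23 10:35:40 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: user_del: NotFound [ldap2_139910420944784] {"uid": ["ghost_user"], "continue": false, "version": "2.253"}
"""

def parse_line(line):
    """Return the fields of one IPA.API journal line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    try:
        rec["args"] = json.loads(rec["args"])
    except json.JSONDecodeError:
        pass  # keep the raw string rather than drop the audit record
    rec["remote"] = rec["exe"] == "/mod_wsgi"      # arrived through the HTTP end-point
    rec["as_root"] = rec["actor"] == "[autobind]"  # LDAPI access as root, no principal named
    return rec

def parse_journal(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def by_request(records):
    """Group records by backend identifier; '[no_connection_id]' entries are skipped."""
    groups = {}
    for r in records:
        if r["conn"] != "no_connection_id":
            groups.setdefault(r["conn"], []).append(r)
    return groups

def review_queue(records, read_only=("ping",)):  # read_only is an assumed list
    """Failed calls, plus changes made as root via [autobind] (no Kerberos principal)."""
    return [r for r in records if r["result"] != "SUCCESS"
            or (r["as_root"] and r["command"] not in read_only)]

if __name__ == "__main__":
    print(*review_queue(parse_journal(SAMPLE)), sep="\n")
```

To run it against a live server, pass the output of `journalctl -g IPA.API` to `parse_journal()` in place of `SAMPLE`.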