I have an LDAP Helm chart running a 389ds container under the hood.
I noticed that in the chart there's this folder: docker-entrypoint-init.d/, which contains a bunch of numbered shell scripts. Example: 1-logging.sh, 2-somename.sh, 3-othername.sh, and so on.
The Helm chart successfully installs and runs the 389ds LDAP server, i.e. the pod is RUNNING (green).
The 1-logging.sh file contains the following lines (it seems to be creating some pipe and then redirecting the pipe output to /dev/{stdout,stderr}):
# Activate fifo pipes
log_info "Activating stdout pipe"
cat <> /tmp/stdout-fifo > /dev/stdout &
log_info "Activating stderr pipe"
cat <> /tmp/stderr-fifo > /dev/stderr &
Question 1: What exactly is this line cat <> /tmp/stdout-fifo > /dev/stdout doing here?
I'm able to successfully run the ldapmodify command to change a user's password (viewing the pod's log data in the Rancher UI > Workloads > pods > ldap-0 pod > View Logs shows me the pod's log as it grows, and there are entries related to the ldapmodify operation, i.e. reflecting that something changed in the LDAP database for that target user).
For any other operation, like access or error, I see that the corresponding file has a valid size and contains some log data. The LDAP settings for audit and access/error are similar (as per the URL shown below).
I also noticed that the contents of the access file do not fully contain/grow exactly like what I see when I view the logs using View Logs (at the pod level in Rancher).
The LDAP settings for creating / specifying the output files for access, error and audit are defined here: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_auditlog_Audit_Log
and in my case I see:
# cat -n /var/lib/dirsrv/etc/slapd-dir/dse.ldif|grep audit
28 nsslapd-auditlog: /tmp/stdout-fifo <-- audit log file
29 nsslapd-auditfaillog: /var/log/dirsrv/slapd-dir/audit <-- audit-fail log file
78 nsslapd-auditlog-mode: 640
79 nsslapd-auditlog-maxlogsperdir: 1
80 nsslapd-auditlog-logrotationtime: -1
81 nsslapd-auditlog-logrotationtimeunit: day
82 nsslapd-auditlog-logmaxdiskspace: 500
83 nsslapd-auditlog-logminfreediskspace: 200
84 nsslapd-auditlog-logging-enabled: on <-- audit logging turned ON
Looking at the above configuration, I see that LDAP creates 3 files (access, error and audit) under its log directory, BUT the audit FAIL-LOG file is EMPTY (0 bytes), possibly because there are NO real errors while running ldapmodify / audit-related operations:
# ls -l /var/log/dirsrv/slapd-dir | grep -v rotat
total 192
-rw-r-----. 1 ldapuser ldap 157028 Mar 20 21:32 access
-rw-r-----. 1 ldapuser ldap 0 Mar 20 21:30 audit <--------- 0 bytes
-rw-r-----. 1 ldapuser ldap 22935 Mar 20 21:32 errors
Question 2: What can I change in the nsslapd-audit configurations above so that I can have both LDAP audit "successful and failed" events in the same /var/log/dirsrv/slapd-dir/audit file, without impacting/touching the /tmp/stdout-fifo used by the nsslapd-auditlog: entry?
Question 2 answer:
Added:
nsslapd-auditfaillog: /tmp/stdout-fifo
nsslapd-auditfaillog-logging-enabled: on
... more nsslapd-auditfaillog-* settings here...
NOTE: If you don't specify the nsslapd-auditfaillog entry at all, then as per the documentation (settings) mentioned in the following URL, failed LDAP audit logs/operations (i.e. auditfaillog) will automatically go to the same file (defined by the auditlog entry). I did specify all the other settings for nsslapd-auditfaillog-*.
NOTE: In my case, I went with the FIFO file for both audit and failed audit operations. But if you want a regular file (rather than a FIFO), then instead of the /tmp/stdout-fifo file, specify the file value as /var/log/dirsrv/slapd-dir/audit for both the auditlog and auditfaillog settings, and 389ds will send all audit data (successful and failed) to a single file.
Later we can use FluentD/Fluent-Bit to slurp it, parse it and send it to some target output (an Elastic index etc.).
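The `cat <> /tmp/stdout-fifo > /dev/stdout &` relay from Question 1, as an added example that is not part of the chart or of 389ds: it recreates the pattern with a temporary FIFO and a regular output file standing in for /tmp/stdout-fifo and /dev/stdout, and compares `<>` with a plain `<`. The audit-style record lines are constructed.

```sh
#!/bin/sh
# Added example (not from the chart or 389ds). Shows why 1-logging.sh
# opens the FIFO with '<>' instead of '<': the relay must keep draining
# the FIFO across many writer sessions, or the server's audit lines would
# stop reaching the container's stdout after the first close().

# Start a cat relay from a fresh FIFO into a file, using '<>' (mode rdwr)
# or '<' (mode ro). Feed it records from separate short-lived writers, as a
# server appending audit entries would, and print how many lines arrived.
relay_demo() {
    mode=$1
    dir=$(mktemp -d); fifo="$dir/stdout-fifo"; out="$dir/relayed.log"
    mkfifo "$fifo"
    if [ "$mode" = rdwr ]; then
        # '<>' opens the FIFO read-write: the relay itself counts as a
        # writer, so cat never reads EOF when the real writer closes.
        cat <> "$fifo" > "$out" &
    else
        # '<' opens read-only: the first writer's close() delivers EOF,
        # cat exits, and nobody is left to drain the FIFO.
        cat < "$fifo" > "$out" &
    fi
    pid=$!
    # Constructed sample record, written by a first writer that then closes.
    echo "time: 20240320213000 dn: uid=user1,ou=people changetype: modify" > "$fifo"
    sleep 1
    if [ "$mode" = rdwr ]; then
        # Second writer session: with '<>' the relay is still there to
        # accept it. (With '<' this open would block until a new reader
        # appeared, which is why it is skipped in ro mode.)
        echo "time: 20240320213200 dn: uid=user2,ou=people changetype: modify" > "$fifo"
        sleep 1
        kill "$pid" 2>/dev/null || true
    fi
    wait "$pid" 2>/dev/null || true
    lines=$(wc -l < "$out" | tr -d ' ')
    rm -rf "$dir"
    echo "$lines"
}

relay_demo rdwr   # 2: both records relayed, cat survived the first close
relay_demo ro     # 1: cat exited at the first EOF
```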