Trying to execute the script on FreeIPA server running on CentOS 7.4:

./ipa_log_config.py --target 192.168.1.1

Setting SSSD debug level to 2
Condrestarting SSSD
Enabling audisp syslog plugin
sed: can't read /etc/audisp/plugins.d/syslog.conf: No such file or directory
Failed to execute external command: Failed to run sed on file: /etc/audisp/plugins.d/syslog.conf

Installing audit and audispd-plugins did not help, but the problem was with starting audit, I did not investigate it further. Instead I removed the stuff related to audit from the script and it worked.

CentOS 7.6.1810

# ./ipa_log_config.py --target syslog
Setting SSSD debug level to 2
Condrestarting SSSD
Enabling audisp syslog plugin
Reloading auditd
Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.
See system logs and 'systemctl status auditd.service' for details.
Failed to execute external command: Failed to reload auditd

Workaround: remove self._restart from auditd portion of the code.

+++ ipa_log_config-new.py	2019-04-11 07:05:16.489209718 -0400
@@ -123,7 +123,7 @@
                 self._AUDITD_SYSLOG_CONF]) != 0:
             raise ExternalCommandError(
                 'Failed to run sed on file: ' + self._AUDITD_SYSLOG_CONF)
-        self._restart()
+        # self._restart()
 
     def revert(self):
         print 'Disabling audisp syslog plugin'
@@ -131,7 +131,7 @@
                 self._AUDITD_SYSLOG_CONF]) != 0:
             raise ExternalCommandError(
                 'Failed to run sed on file: ' + self._AUDITD_SYSLOG_CONF)
-        self._restart()
+        # self._restart()
 
 
 class RequirementError(Exception):

Fails on Fedora 26 (system default Python 2.7.13):

[root@fedora26 ~]# python --version
Python 2.7.13
[root@fedora26 ~]# ipa-log-config/ipa_log_config.py
Traceback (most recent call last):
  File "ipa-log-config/ipa_log_config.py", line 28, in 
    from SSSDConfig import SSSDConfig
ImportError: No module named SSSDConfig

Workaround:

dnf install python2-sssdconfig

The command gives an error.
./ipa_log_config.py --revert
Setting SSSD debug level to 1
Condrestarting SSSD
Disabling audisp syslog plugin
Reloading auditd
Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.
See system logs and 'systemctl status auditd.service' for details.
Failed to execute external command: Failed to reload auditd
to solve simply change the line:
line 117 to
if call(['/usr/sbin/service','auditd', 'reload']) != 0:

Hi there.. I'm trying to search for user logins using the searches / dashboards set up for showing user logins, but I notice that the action field is not making it into elasticsearch. I'm not sure where that field should be getting introduced, but I think possibly it is as part of the normalize rules for the audit log. I don't fully understand how that turns into fields that end up being turned into the $!all-json variable used by the omelasticsearch module. In either case -- the search and dashboard aren't working, I believe because they required the action field to be identified and they never are. I definitely see messages if I search for type=USER_LOGIN. Any help would be appreciated.

  File "/ipa-log-config/ipa_log_config.py", line 74
    print 'Condrestarting SSSD'
          ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print('Condrestarting SSSD')?

FreeIPA4 running off of Fedora33 - I suspect it might be down to Python2 being deprecated?

After trying to add parentheses there also appears to be an issue with audisp not existing in /etc/ anymore.

It would be nice if the script could generate configuration for syslog server running over UDP.

Some users asked for SUDO logs to be also directed to the Centralized Logging. This might go in the same Dashboard as Client Logins.