
[New Package] Add FreeIPA integration #17812

Open

Oddly wants to merge 7 commits into elastic:main from Oddly:add-freeipa

Conversation

@Oddly Oddly commented Mar 14, 2026

Summary

Initial release of the FreeIPA (Red Hat IdM) integration. Collects security-relevant logs from five FreeIPA subsystems using filestream input: Kerberos KDC authentication events, 389 Directory Server access and error logs, Dogtag CA signed audit events, and IPA JSON API operations. Includes five ES|QL alerting rule templates that activate on Stack 9.2+, three optional transforms for cross-event LDAP correlation, and comprehensive ECS field mappings including x509 certificate fields and rule.name for policy objects. Dashboards will follow in a separate PR.

Changes

  • Five data streams: kdc, directory_access, directory_errors, ca_audit, ipa_api
  • Ingest pipelines with full ECS mapping, GeoIP enrichment on source IPs, and tagged processors throughout
  • KDC pipeline handles AS_REQ/TGS_REQ with constrained delegation (S4U2Proxy) support, maps to source.user/user.target for delegation events
  • Directory access pipeline parses all LDAP operation types (BIND, SRCH, MOD, ADD, DEL, CMP, EXT, MODRDN, ABANDON, conn=Internal) with wtime/optime/etime extraction and unindexed search detection
  • CA audit pipeline parses Dogtag signed audit log with certificate lifecycle tracking, CRL metrics (crl_number/crl_size), and ECS x509 field mapping (file.x509.serial_number, subject/issuer distinguished_name)
  • IPA API pipeline extracts target entities and maps to ECS fields per command family: user.target.name, group.name, host.name, rule.name (sudorule/hbacrule), related.hosts (DNS/service), with per-family event.category refinement
  • Five alerting rule templates: replication errors, unindexed LDAP searches, LDAP high latency, API error spike, CA connection failures
  • Three optional transforms (latest_bind, latest_connection, latest_auth) with lookup-mode destination indices for ES|QL LOOKUP JOIN enrichment in detection rules
  • 100% pipeline branch coverage across all data streams, zero dead paths

Testing

  • Deployed on two FreeIPA 4.11 servers (Rocky Linux 9, primary + replica) with Elastic Agent 8.19 enrolled via Fleet
  • All five data streams confirmed receiving live data (589 KDC events, 11k directory access, 1.6k directory errors, 564 CA audit, 73 IPA API)
  • All defined fields populated with correct types in indexed data — zero type mismatches, zero missing fields
  • All five alerting rule ES|QL queries executed against live data and returned correct results:
    • Replication errors: triggered with synthetic replication bind failures
    • Unindexed searches: triggered by searching on non-indexed attributes (roomNumber, carLicense)
    • LDAP high latency: query valid, correctly silent on healthy system (p95 = 7ms vs 5s threshold)
    • API error spike: triggered with user_show calls for nonexistent users
    • CA connection failures: caught 48 real ConnectException events from CA startup
  • 24 of 27 detection rules confirmed firing against live data, 0 false positives
  • Pipeline tests pass 18/18 for all data streams covering all operation types and edge cases
  • elastic-package check passes (lint + build), full_review passes with 0 errors/0 warnings
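The description above covers parsing of 389 Directory Server access-log operation types (BIND, SRCH, RESULT, conn=Internal) with wtime/optime/etime extraction, unindexed-search detection, and the bind-to-user and connection-to-IP correlation the optional transforms provide. As an added illustration that is not code from this PR or from the integration, the following Python does the same correlation in one pass over constructed sample lines (the IPs, DN and timestamps are made up), so the per-connection joins the ES|QL LOOKUP JOIN performs can be seen end to end:

```python
import re
# Constructed sample lines in 389 Directory Server access-log format (not from the PR or a live server).
SAMPLE_ACCESS_LOG = [
    '[14/Mar/2026:09:36:01.100 +0000] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1',
    '[14/Mar/2026:09:36:01.110 +0000] conn=12 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3',
    '[14/Mar/2026:09:36:01.112 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000020 optime=0.001500 etime=0.001520',
    '[14/Mar/2026:09:36:02.000 +0000] conn=12 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(roomNumber=101)" attrs=ALL',
    '[14/Mar/2026:09:36:02.600 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000010 optime=0.590000 etime=0.590010 notes=U details="Partially Unindexed Filter"',
    '[14/Mar/2026:09:36:02.700 +0000] conn=Internal(0) op=3(1)(1) SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs=ALL',
]
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>Internal\(\d+\)|\d+)'
                     r'(?: op=(?P<op>[\d()]+))?(?: (?P<type>[A-Z]{3,}))?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, or key="value with spaces"
CONN_RE = re.compile(r'connection from (\S+) to (\S+)')
def parse_line(line):
    """Split one access-log line into conn/op/operation type plus its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"timestamp": m["ts"], "conn": m["conn"], "op": m["op"], "type": m["type"]}
    for key, raw, quoted in KV_RE.findall(m["rest"]):
        ev[key] = quoted if raw.startswith('"') else raw
    c = CONN_RE.search(m["rest"])
    if c:  # connection-open line: the client IP applies to every later op on this conn
        ev["type"], ev["client_ip"], ev["server_ip"] = "CONNECT", c[1], c[2]
    return ev
def enrich(lines, slow_seconds=0.5):
    """Correlate per conn (CONNECT -> IP, successful BIND -> uid, SRCH -> RESULT); flag unindexed/slow searches."""
    client_ip, pending_bind, bound_user, searches, findings = {}, {}, {}, {}, []
    for ev in filter(None, map(parse_line, lines)):
        conn, key = ev["conn"], (ev["conn"], ev["op"])
        if ev["type"] == "CONNECT":
            client_ip[conn] = ev["client_ip"]
        elif ev["type"] == "BIND":
            pending_bind[key] = ev.get("dn", "")
        elif ev["type"] == "SRCH":
            searches[key] = ev.get("filter")
        elif ev["type"] == "RESULT":
            # tag=97 is the BIND response; only a successful one (err=0) establishes the identity
            if ev.get("tag") == "97" and ev.get("err") == "0" and key in pending_bind:
                uid = re.match(r"uid=([^,]+)", pending_bind.pop(key))
                bound_user[conn] = uid[1] if uid else None
            if key in searches:
                reasons = ["unindexed"] if "U" in ev.get("notes", "").split(",") else []
                if float(ev.get("etime", 0)) > slow_seconds:
                    reasons.append("slow")
                if reasons:
                    findings.append({"conn": conn, "user": bound_user.get(conn), "source_ip": client_ip.get(conn),
                                     "filter": searches[key], "etime": float(ev["etime"]), "reasons": reasons})
                del searches[key]
    return findings
```

Running `enrich(SAMPLE_ACCESS_LOG)` yields one finding: the `(roomNumber=101)` search on conn 12, attributed to `alice` from 10.0.0.5, flagged both unindexed (notes=U) and slow (etime above the 0.5 s threshold); the tag=97 RESULT itself produces no finding.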

@Oddly Oddly requested a review from a team as a code owner March 14, 2026 09:36
@elastic-vault-github-plugin-prod

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

Oddly added a commit to Oddly/integrations that referenced this pull request Mar 14, 2026
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. New Integration Issue or pull request for creating a new integration package. labels Mar 15, 2026
Adds a new integration for FreeIPA identity management servers with 5 data
streams: KDC authentication, 389DS directory access, directory errors, Dogtag
CA audit, and IPA API operations. Uses the filestream input to tail log files.

Includes five alerting rule templates, two optional Elasticsearch transforms
for cross-event enrichment (connection-to-IP and bind-to-user correlation,
shipped inactive), ingest pipelines with full ECS and SIEM field mapping
(event categorization, observer metadata, GeoIP), and pipeline tests validated
against Elasticsearch 9.3.1 with both synthetic and real-log test data from a
live FreeIPA deployment.
Changes from testing all 16 detection rules against a live FreeIPA
4.12.2 environment with Elastic Agent 9.3.2:

Pipeline improvements:
- Extract bind_dn and user.name from bind RESULT events (tag=97)
- Extract CN from certificate SubjectID for user.name instead of full DN
- Handle list-format arguments in ipa_api target entity grok
- Add event.outcome to directory_errors sample event

Container compatibility:
- Enable prospector.scanner.symlinks on all 5 filestream inputs for
  FreeIPA containers that symlink /var/log paths to /data/var/log

Documentation:
- Clarify that debug=True is optional for IPA API logging
- Regenerate published README from build template

Test quality:
- Enable deterministic timestamp validation for directory_access,
  directory_errors, and ca_audit pipeline tests
- Regenerate expected test output for all pipeline changes

All 18 pipeline tests pass. Lint and build pass.

Remove duplicate Transforms section that appeared after the Data
Streams. Move alert rule template descriptions from the second
Transforms section to the Alert rule templates section where they
belong.

Replace the directory_access sample event from a bare RESULT with
empty related fields to a BIND event showing user context (bind_dn,
bind_method, user.name, related.user).

Pipeline coverage: add conn=Internal handling for directory_access,
extract wtime/optime from RESULT lines, extract CRLNum/CRLSize from
CA audit events, and broaden CA event type mappings to cover CONFIG_*,
AUDIT_LOG_*, KEY_RECOVERY_*, and OCSP_* event families.

ECS enrichments: map CA audit certificate fields to file.x509
(serial_number, subject.distinguished_name, issuer.distinguished_name),
add rule.name for sudorule/hbacrule IPA API commands, populate
related.hosts for DNS and service commands, and refine event.category
for DNS (iam+network), cert (iam+authentication), and service
(iam+configuration) command families.

Test events added for A1/T1 disconnect reasons, Internal connection
SRCH/RESULT, DELTA_CRL_GENERATION, AUDIT_LOG_SHUTDOWN, CONFIG_CRL,
and KEY_RECOVERY_REQUEST.

Oddly added 3 commits April 1, 2026 14:26
The directory_access pipeline was failing on TLS connection info lines (1283
grok errors) and directory_errors on tab-continuation lines (8 errors). TLS
lines are now parsed into tls.version, tls.cipher, and tls.client.x509.*
fields instead of being dropped, and continuation lines are dropped before
the grok stage.

All five pipelines now set service.type, and the three client-facing streams
(kdc, directory_access, ipa_api) populate client.ip, network.protocol, and
network.transport. The directory_access pipeline derives destination.port
from the SSL flag and mirrors destination.ip to server.ip. The ipa_api
pipeline sets http.request.method and url.path. The ca_audit pipeline maps
server_host and server_port to destination.ip/port and filters the anonymous
SubjectID "--" from user.name. The directory_errors pipeline maps the
replication LDAP error code to error.code.

Remove operation_id from the latest_bind transform unique_key so LOOKUP JOIN
queries from any operation on a connection can resolve the BIND identity, not
just the BIND operation itself.

Regenerate the KDC sample event from a real pipeline simulation. The previous
sample had contradictory fields: a success outcome with error_code and
event.reason set, and both user.* and source.user.* populated when the
pipeline renames one to the other for S4U events.

Every sample event was hand-crafted and had issues: directory_access mixed
fields from 6 different operation types into one document, ipa_api had wrong
duration units and fields from unrelated commands, ca_audit was stuffed with
fields from multiple event types, and directory_errors had outcome/type
contradicting its log level. All four are now generated by running a
representative raw log line through the current pipeline.