-User authentication success and failures.

-Group additions, removals and changes.

-User additions, removals and possibly changes.

Details in each of these would include items such as:

username

groupname

attribute changed

timestamp of event

action

Sending these out via syslog formatted messages is the preferred route.

I have not been able to find anything definitive in how to do this. Debug logs seem to lack much of this or contain far too much information making the prohibitive to use. They are also formatted in such a way making it extremely difficult to process in any practical way. For example, you would probably need a full LDIF interpreter to reformat them on the fly. I assume I either have not dug far enough or simply digging in the wrong direction.

Is anyone out there doing something similar and pulling the above data into a SIEM? If so would you be willing to share your experience on the topic or point me in the right direction?

Thanks!