[389-users] 389-ds access.log parsing - turning LDAP request type into an audit event
Burn Alting
burn at swtf.dyndns.org
Fri Jul 3 11:49:37 UTC 2015
Has anyone authored code to parse a 389 Directory Server's access.log
file(s) with an aim of generating audit events based around the LDAP
request type. Basically, take the log sequence
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from
207.1.153.51 to 192.18.122.139
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory
Manager" method=128 version=3
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97
nentries=0 etime=0
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH
base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101
nentries=1 etime=1000 notes=U
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
And turn this into an audit event with
a date/time (21/Apr/2007:11:39:51 -0700), a client location
(207.1.153.51), server location (192.18.122.139), a user (cn=Directory
Manager), an event (SRCH) and event metadata of (query -
base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set size
- 1, timetaken = 1000 sec, etc)
The logconv.pl script seems to do all sorts of analysis, but no event
representation.
Thanks in advance
More information about the 389-users
mailing list