If MMR - perhaps via log consolidation - e.g. ELK stack (grok filter)? Similar to https://discuss.elastic.co/t/how-filter-openldap-logs/2492. ________________________________________ From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] on behalf of Burn Alting [burn@xxxxxxxxxxxxxxx] Sent: Friday, July 03, 2015 04:49 To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx Subject: 389-ds access.log parsing - turning LDAP request type into an audit event Has anyone authored code to parse a 389 Directory Server's access.log file(s) with an aim of generating audit events based around the LDAP request type. Basically, take the log sequence [21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139 [21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 [21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)" [21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=1000 notes=U [21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND [21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1 And turn this into an audit event with a date/time (21/Apr/2007:11:39:51 -0700), a client location (207.1.153.51), server location (192.18.122.139), a user (cn=Directory Manager), an event (SRCH) and event metadata of (query - base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set size - 1, timetaken = 1000 sec, etc) The logconv.pl script seems to do all sorts of analysis, but no event representation. Thanks in advance -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
