Thanks Rich,

Will do.

Regards
Burn

On Mon, 2015-07-06 at 08:00 -0600, Rich Megginson wrote:
> On 07/03/2015 05:49 AM, Burn Alting wrote:
> > Has anyone authored code to parse a 389 Directory Server's access.log
> > file(s) with an aim of generating audit events based around the LDAP
> > request type? Basically, take the log sequence
> >
> > [21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from
> > 207.1.153.51 to 192.18.122.139
> > [21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory
> > Manager" method=128 version=3
> > [21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97
> > nentries=0 etime=0
> > [21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH
> > base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
> > [21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101
> > nentries=1 etime=1000 notes=U
> > [21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND
> > [21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
> >
> > And turn this into an audit event with
> >
> > a date/time (21/Apr/2007:11:39:51 -0700), a client location
> > (207.1.153.51), server location (192.18.122.139), a user (cn=Directory
> > Manager), an event (SRCH) and event metadata of (query -
> > base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set size
> > - 1, timetaken = 1000 sec, etc)
> >
> > The logconv.pl script seems to do all sorts of analysis, but no event
> > representation.
>
> This sounds like a request for a new feature. Would you be able to
> write up a description of the new feature based on
> http://www.port389.org/docs/389ds/design/design-template.html? If so, I
> will post it to the 389 wiki and assign a ticket.
> >
> > Thanks in advance
> >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/389-users