Re: 389-ds access.log parsing - turning LDAP request type into an audit event

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Mon, 2015-07-06 at 08:00 -0600, Rich Megginson wrote:
On 07/03/2015 05:49 AM, Burn Alting wrote:
> Has anyone authored code to parse a 389 Directory Server's access.log
> file(s) with an aim of generating audit events based around the LDAP
> request type. Basically, take the log sequence
>      [21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from
> to
>      [21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory
> Manager" method=128 version=3
>      [21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97
> nentries=0 etime=0
>      [21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH
> base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
>      [21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101
> nentries=1 etime=1000 notes=U
>      [21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND
>      [21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
> And turn this into an audit event with
> a date/time (21/Apr/2007:11:39:51 -0700), a client location
> (, server location (, a user (cn=Directory
> Manager), an event (SRCH) and event metadata of (query -
> base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set size
> - 1, timetaken = 1000 sec, etc)
> The script seems to do all sorts of analysis, but no event
> representation.

This sounds like a request for a new feature.  Would you be able to 
write up a description of the new feature based on  If so, I 
will post it to the 389 wiki and assign a ticket.


Find the write up below.


Burn Alting

Parse audit-able events from 389/directory server access logs

A utility is required to parse 389/directory server access logs whose
output is a well defined record (event) of the LDAP request and any resultant
responses. Each event would contain the initiating host address and the
current authenticated DN to make subsequent entity access analysis more efficient.

In essence, generate a single event for every operation (common op=) performed
for a unique connection. The events need to be well formed and consideration given
to further downstream parsing. As the access log records are well documented,
the output event should minimize changes to the content (if changed at all).

The utility would need to support time based queries. That is, generate
events between a given start and end time. Note that if the connection
and authentication occurs BEFORE the given start time, this detail
still needs to decorate the event output.

The utility would need to indicate if the authenticated DN or initiating
client could not be ascertained. That is, the information is NOT in the
file(s) processed.

Optionally can ignore internal operations.

Use Cases

The following cases show a logfile extract and resultant parsed output.
The output is in XML. Other well formed and parsable output could be
chosen (eg json) - the intent is that downstream capability needs to
parse the information.


[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from to
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mobile=+1 123 456-7890)"
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2009:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2009:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1

Resultant sub-extract and Event output:

[21/Apr/2009:11:39:51 -0700] conn=11 fd=608 slot=608 connection from to
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
  <DateTime>21/Apr/2009:11:39:51 -0700</DateTime>
  <AuthenticatedDN>cn=Directory Manager</AuthenticatedDN>
    <Request>BIND dn=&quot;cn=Directory Manager&quot; method=128 version=3</Request>
    <Response>RESULT err=0 tag=97 nentries=0 etime=0</Response>

[21/Apr/2009:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mobile=+1 123 456-7890)"
[21/Apr/2009:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
  <DateTime>21/Apr/2009:11:39:51 -0700</DateTime>
  <AuthenticatedDN>cn=Directory Manager</AuthenticatedDN>
   <Request>SRCH base=&quot;dc=example,dc=com&quot; scope=2 filter=&quot;(mobile=+1 123 456-7890)&quot;</Request>
    <Response>RESULT err=0 tag=101 nentries=1 etime=3 notes=U</Response>

[21/Apr/2009:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2009:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
  <DateTime>21/Apr/2009:11:39:51 -0700</DateTime>
  <AuthenticatedDN>cn=Directory Manager</AuthenticatedDN>
    <Response>fd=608 closed - U1</Response>


[07/May/2009:11:43:28 -0700] conn=877 fd=608 slot=608 connection from to
[07/May/2009:11:43:28 -0700] conn=877 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/May/2009:11:43:28 -0700] conn=877 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/May/2009:11:43:29 -0700] conn=877 op=1 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2009:11:43:29 -0700] conn=877 op=1 SORT uid
[07/May/2009:11:43:29 -0700] conn=877 op=1 VLV 0:5:0210 10:5397 (0)
[07/May/2009:11:43:29 -0700] conn=877 op=1 RESULT err=0 tag=101 nentries=1 etime=0

Resultant sub-extract and Event output:

[07/May/2009:11:43:28 -0700] conn=877 fd=608 slot=608 connection from to
[07/May/2009:11:43:28 -0700] conn=877 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[07/May/2009:11:43:28 -0700] conn=877 op=0 RESULT err=0 tag=97 nentries=0 etime=0
  <DateTime>07/May/2009:11:43:28 -0700</DateTime>
  <AuthenticatedDN>cn=Directory Manager</AuthenticatedDN>
    <Request>BIND dn=&quot;cn=Directory Manager&quot; method=128 version=3</Request>
    <Response>RESULT err=0 tag=97 nentries=0 etime=0</Response>

[07/May/2009:11:43:29 -0700] conn=877 op=1 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2009:11:43:29 -0700] conn=877 op=1 SORT uid
[07/May/2009:11:43:29 -0700] conn=877 op=1 VLV 0:5:0210 10:5397 (0)
[07/May/2009:11:43:29 -0700] conn=877 op=1 RESULT err=0 tag=101 nentries=1 etime=0
  <DateTime>07/May/2009:11:43:29 -0700</DateTime>
  <AuthenticatedDN>cn=Directory Manager</AuthenticatedDN>
    <Request>SRCH base=&quot;(ou=People)&quot; scope=2 filter=&quot;(uid=*)&quot;</Request>
    <Request>SORT uid</Request>
    <Request>VLV 0:5:0210 10:5397 (0)</Request>
    <Response>RESULT err=0 tag=101 nentries=1 etime=0</Response>

[21/Apr/2009:11:39:55 -0700] conn=14 fd=700 slot=700 connection from to
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"

Resultant sub-extract and Event output:
[21/Apr/2009:11:39:55 -0700] conn=14 fd=700 slot=700 connection from to
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  <DateTime>21/Apr/2009:11:39:53 -0700</DateTime>
    <Request>BIND dn=&quot;&quot; method=sasl version=3 mech=DIGEST-MD5</Request>
    <Response>RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress</Response>

[21/Apr/2009:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
  <DateTime>21/Apr/2009:11:39:55 -0700</DateTime>
    <Request>BIND dn=&quot;uid=jdoe,dc=example,dc=com&quot; method=sasl version=3 mech=DIGEST-MD5</Request>
    <Response>RESULT err=0 tag=97 nentries=0 etime=0 dn=&quot;uid=jdoe,dc=example,dc=com&quot;</Response>


[02/Sep/2014:11:05:56 -0400] conn=35 op=1 fd=64 closed - U1
[02/Sep/2014:11:05:56 -0400] conn=36 fd=64 slot=64 connection from to
[02/Sep/2014:11:05:56 -0400] conn=36 op=0 BIND dn="" method=128 version=3
[02/Sep/2014:11:05:56 -0400] conn=36 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Sep/2014:11:05:56 -0400] conn=36 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="c"
[02/Sep/2014:11:05:56 -0400] conn=36 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Sep/2014:11:05:56 -0400] conn=36 op=2 BIND dn="uid=scarter,ou=people,dc=example,dc=com" method=128 version=3
[02/Sep/2014:11:05:56 -0400] conn=36 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=scarter,ou=people,dc=example,dc=com"
[02/Sep/2014:11:05:56 -0400] conn=36 op=3 UNBIND
[02/Sep/2014:11:05:56 -0400] conn=36 op=3 fd=64 closed - U1

Resultant sub-extract and Event output:
[02/Sep/2014:11:05:56 -0400] conn=36 fd=64 slot=64 connection from to
[02/Sep/2014:11:05:56 -0400] conn=36 op=0 BIND dn="" method=128 version=3
[02/Sep/2014:11:05:56 -0400] conn=36 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
  <DateTime>02/Sep/2014:11:05:56 -0400</DateTime>
    <Request>BIND dn=&quot;&quot; method=128 version=3</Request>
    <Response>RESULT err=0 tag=97 nentries=0 etime=0 dn=&quot;&quot;</Response>

[02/Sep/2014:11:05:56 -0400] conn=36 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=scarter)" attrs="c"
[02/Sep/2014:11:05:56 -0400] conn=36 op=1 RESULT err=0 tag=101 nentries=1 etime=0
  <DateTime>02/Sep/2014:11:05:56 -0400</DateTime>
    <Request>SRCH base=&quot;dc=example,dc=com&quot; scope=2 filter=&quot;(uid=scarter)&quot; attrs=&quot;c&quot;</Request>
    <Response>RESULT err=0 tag=101 nentries=1 etime=0</Response>

[02/Sep/2014:11:05:56 -0400] conn=36 op=2 BIND dn="uid=scarter,ou=people,dc=example,dc=com" method=128 version=3
[02/Sep/2014:11:05:56 -0400] conn=36 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=scarter,ou=people,dc=example,dc=com"
  <DateTime>02/Sep/2014:11:05:56 -0400</DateTime>
    <Request>BIND dn=&quot;uid=scarter,ou=people,dc=example,dc=com&quot; method=128 version=3</Request>
    <Response>RESULT err=0 tag=97 nentries=0 etime=0 dn=&quot;uid=scarter,ou=people,dc=example,dc=com&quot;</Response>

[02/Sep/2014:11:05:56 -0400] conn=36 op=3 UNBIND
[02/Sep/2014:11:05:56 -0400] conn=36 op=3 fd=64 closed - U1
  <DateTime>02/Sep/2014:11:05:56 -0400</DateTime>
    <Response>fd=64 closed - U1</Response>

Assuming an extension to the script

New options:
-A, --audit <ignoreinternal=yes|no>
        Default: yes
Generate well formed events of operations found in the access log(s).
Events will contain the identified connected client address and
        authenticated DN performing the operation. Internal operations,
if logged, will be ignored by default. Specify no to emit events
for internal operations.

Logic flow:
for every "active" connection (ie not closed) maintain a list of client, server and current authenticated DN.
for every operation for which we have an "active" connection, emit an event at the close of the operation.

Extend the command as it contains existing access log file management.

389 users mailing list

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux