Im looking for ways to pull a number of audit events from 389. Such as:
-User authentication success and failures.
-Group additions, removals and changes.
-User additions, removals and possibly changes.
Details in each of these would include items such as:
username
groupname
attribute changed
timestamp of event
action
Sending these out via syslog formatted messages is the preferred route.
I have not been able to find anything definitive in how to do this. Debug logs seem to lack much of this or contain far too much information making the prohibitive to use. They are also formatted in such a way making it extremely difficult to process in any practical way. For example, you would probably need a full LDIF interpreter to reformat them on the fly. I assume I either have not dug far enough or simply digging in the wrong direction.
Is anyone out there doing something similar and pulling the above data into a SIEM? If so would you be willing to share your experience on the topic or point me in the right direction?
Thanks!
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
