User authentication errors are usually recorded on the client end.

On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen <hib0x13@xxxxxxxxx> wrote:

> I'm looking for ways to pull a number of audit events from 389. Such as:
>
> -User authentication success and failures.
> -Group additions, removals and changes.
> -User additions, removals and possibly changes.
>
> Details in each of these would include items such as:
>
> username
> groupname
> attribute changed
> timestamp of event
> action
>
> Sending these out via syslog formatted messages is the preferred route.
>
> I have not been able to find anything definitive in how to do this. Debug
> logs seem to lack much of this or contain far too much information making
> them prohibitive to use. They are also formatted in such a way making it
> extremely difficult to process in any practical way. For example, you would
> probably need a full LDIF interpreter to reformat them on the fly. I assume
> I either have not dug far enough or am simply digging in the wrong direction.
>
> Is anyone out there doing something similar and pulling the above data into
> a SIEM? If so would you be willing to share your experience on the topic or
> point me in the right direction?
>
> Thanks!
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx