Has anyone authored code to parse a 389 Directory Server's access.log file with an aim of generating audit events based around the LDAP request type. Bascially, take the log sequence
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=1000 notes=U
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
And turn this into an audit event with
a date/time (21/Apr/2007:11:39:51 -0700), a client location (207.1.153.51), server location (192.18.122.139), a user (cn=Directory Manager), an event (SRCH) and event metadata of (query - base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set size - 1, timetaken = 1000 sec, etc)
The logconv.pl script seems to do all sorts of analysis, but no event representation.
Thanks in advance
I had a similar use case to yours, but couldn't find anything that already existed. I then came across this 389ds page which describes an outline of what a script like this would produce. The proposed solution was to include this functionality in future versions of logconv.pl.
For the time being, I ended up writing a simple program that follows this design. I've been using it in production on a number of 389ds servers outputting the JSON results to an ELK stack using log-courier.
Hope this is helpful to you.