BurnA's questions -server

BurnA

Asked: 2015-07-04 03:50:20 +0800 CST

389DS Access.log parsing - turning LDAP request type into an audit event

Has anyone authored code to parse a 389 Directory Server's access.log file with an aim of generating audit events based around the LDAP request type. Bascially, take the log sequence

[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=1000 notes=U
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1

And turn this into an audit event with

a date/time (21/Apr/2007:11:39:51 -0700), a client location (207.1.153.51), server location (192.18.122.139), a user (cn=Directory Manager), an event (SRCH) and event metadata of (query - base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set size - 1, timetaken = 1000 sec, etc)

The logconv.pl script seems to do all sorts of analysis, but no event representation.

Thanks in advance

389DS Access.log parsing - turning LDAP request type into an audit event

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?