On 07/03/2015 05:49 AM, Burn Alting wrote:
Has anyone authored code to parse a 389 Directory Server's
access.log
file(s) with an aim of generating audit events based around the LDAP
request type. Basically, take the log sequence
[21/Apr/2007:11:39:51 -0700] conn=11 fd=608 slot=608 connection from
207.1.153.51 to 192.18.122.139
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory
Manager" method=128 version=3
[21/Apr/2007:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97
nentries=0 etime=0
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 SRCH
base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2007:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101
nentries=1 etime=1000 notes=U
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2007:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
And turn this into an audit event with
a date/time (21/Apr/2007:11:39:51 -0700), a client location
(207.1.153.51), server location (192.18.122.139), a user (cn=Directory
Manager), an event (SRCH) and event metadata of (query -
base="dc=example,dc=com" scope=2 filter="(uid=bjensen)", result set
size
- 1, timetaken = 1000 sec, etc)
The logconv.pl script seems to do all sorts of analysis, but no event
representation.
This sounds like a request for a new feature. Would you be able to
write up a description of the new feature based on
http://www.port389.org/docs/389ds/design/design-template.html? If so, I
will post it to the 389 wiki and assign a ticket.
Thanks in advance
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users