I'm looking for ways to pull a number of audit events from 389, such as:
- User authentication successes and failures.
- Group additions, removals and changes.
- User additions, removals and possibly changes.
Details for each of these would include items such as:
- username
- groupname
- attribute changed
- timestamp of event
- action
Sending these out via syslog-formatted messages is the preferred route.
I have not been able to find anything definitive on how to do this. Debug logs seem to lack much of this or contain far too much information, making them prohibitive to use. They are also formatted in such a way that makes it extremely difficult to process them in any practical way. For example, you would probably need a full LDIF interpreter to reformat them on the fly. I assume I either have not dug far enough or am simply digging in the wrong direction.
Is anyone out there doing something similar and pulling the above data into a SIEM? If so, would you be willing to share your experience on the topic or point me in the right direction?
Thanks!
User authentication errors are usually recorded on the client end.
On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen hib0x13@gmail.com wrote:
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Have you looked at the audit logs?
Use the LDIF below to enable them:
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
This will write to an 'audit' file in the same directory as the 'access' and 'errors' log files.
On 14 October 2016 at 02:20, Paul Robert Marino prmarino1@gmail.com wrote:
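As an added example (not code from this thread or from the 389 project), here is a small Python parser that does what the original question asks using the two server-side logs: it pairs BIND and RESULT lines in the access log on conn= and op= to get authentication successes and failures, reads the audit log's LDIF change records (including the '::' base64 form, so no full LDIF interpreter is needed), drops the modifiersname/modifytimestamp bookkeeping the server appends to every modify, and emits one RFC 5424 syslog line per event carrying username, groupname, attributes changed, timestamp and action. The log lines are constructed samples; the hostname ldap1, the facility and severity choices, and the rule that an entry under ou=Groups or one whose member attributes changed is a group are assumptions of the example.

```python
"""389 DS access/audit logs -> syslog events. Added example on constructed samples; not 389 code."""
import base64
import re
from datetime import datetime

# Constructed 'access' log sample. A BIND and its RESULT share conn=/op=;
# err=0 is success, err=49 is invalidCredentials.
SAMPLE_ACCESS = """\
[13/Oct/2016:16:47:12.482016000 -0400] conn=5 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[13/Oct/2016:16:47:12.483201000 -0400] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001
[13/Oct/2016:16:47:20.101000000 -0400] conn=6 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[13/Oct/2016:16:47:20.102000000 -0400] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
"""

# Constructed 'audit' log sample: LDIF change records, each preceded by time: and
# separated by a blank line. The modifiersname replace is appended by the server.
SAMPLE_AUDIT = """\
time: 20161013164730
dn: cn=admins,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=jsmith,ou=People,dc=example,dc=com
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20161013164745
dn: uid=bob,ou=People,dc=example,dc=com
changetype: delete
"""

ACCESS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>BIND|RESULT) (?P<rest>.*)$')
OPERATIONAL = {"modifiersname", "modifytimestamp", "creatorsname", "createtimestamp"}
MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}

def ldif_value(raw):
    """Text after an LDIF line's first ':'; a second ':' means the value is base64."""
    return base64.b64decode(raw[1:].strip()).decode() if raw.startswith(":") else raw.strip()

def rdn_value(dn):
    """'uid=jsmith,ou=People,...' -> 'jsmith'; '' for the anonymous (empty) DN."""
    return dn.split(",", 1)[0].partition("=")[2]

def parse_access_binds(text):
    """Pair each BIND with its RESULT on (conn, op) and classify it by err code."""
    pending, events = {}, []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        if m["kind"] == "BIND":
            dn = re.search(r'dn="([^"]*)"', m["rest"])
            pending[key] = (m["ts"], dn.group(1) if dn else "")
        elif key in pending:  # RESULT of a BIND we saw; results of other operations are ignored
            ts, dn = pending.pop(key)
            err = re.search(r"\berr=(\d+)", m["rest"])
            code = int(err.group(1)) if err else -1
            stamp = datetime.strptime(re.sub(r"\.\d+", "", ts), "%d/%b/%Y:%H:%M:%S %z")  # drop .nanos
            events.append({"action": "auth_success" if code == 0 else "auth_failure", "username": rdn_value(dn),
                           "dn": dn, "err": code, "timestamp": stamp.isoformat()})
    return events

def parse_audit(text):
    """Split the audit log into change records and summarise what each one touched."""
    events = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        rec = {"time": "", "dn": "", "changetype": "", "modifiersname": ""}
        attrs, members = set(), set()
        for line in block.splitlines():
            key, sep, raw = line.partition(":")
            if not sep or line.startswith("#"):  # skips the '-' mod separator and comments
                continue
            key, val = key.strip().lower(), ldif_value(raw)
            if key in rec:
                rec[key] = val
            elif rec["changetype"] == "modify" and key in ("add", "delete", "replace"):
                attrs.add(val.lower())
            elif rec["changetype"] == "modify" and key in MEMBER_ATTRS:
                members.add(rdn_value(val))
            elif rec["changetype"] == "add":
                attrs.add(key)
        changed = sorted(attrs - OPERATIONAL)
        # Assumed convention: membership attributes or an ou=Groups container mean a group.
        is_group = bool(set(changed) & MEMBER_ATTRS) or ",ou=groups," in rec["dn"].lower()
        stamp = datetime.strptime(rec["time"], "%Y%m%d%H%M%S")  # local server time, no zone
        events.append({"action": ("group_" if is_group else "user_") + rec["changetype"],
                       "username": ",".join(sorted(members)) if is_group else rdn_value(rec["dn"]),
                       "groupname": rdn_value(rec["dn"]) if is_group else "", "attributes": ",".join(changed),
                       "modifier": rec["modifiersname"], "dn": rec["dn"], "timestamp": stamp.isoformat()})
    return events

def to_syslog(event, hostname="ldap1", app="389-ds"):
    """One RFC 5424 line per event on facility auth(4); the action doubles as MSGID."""
    pri = 4 * 8 + {"auth_failure": 4, "auth_success": 6}.get(event["action"], 5)  # else notice
    fields = " ".join(f'{k}="{v}"' for k, v in event.items() if k != "timestamp")
    return f"<{pri}>1 {event['timestamp']} {hostname} {app} - {event['action']} - {fields}"
```

Run the two parsers over the real files (tailing them, after enabling the audit log with the LDIF above) and hand each to_syslog() line to logging.handlers.SysLogHandler or the local syslog daemon. Two caveats matter when correlating in a SIEM: the audit log's time: value is the server's local time with no zone, while the access log carries an offset, so normalise both; and the audit log covers changes that were applied, not failed binds, which is why the access log is needed for authentication events at all.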