1SLAPO-ACCESSLOG(5) File Formats Manual SLAPO-ACCESSLOG(5)
2
6 slapo-accesslog - Access Logging overlay to slapd
7
9 /etc/openldap/slapd.conf
10
12 The Access Logging overlay can be used to record all accesses to a
13 given backend database on another database. This allows all of the
14 activity on a given database to be reviewed using arbitrary LDAP
15 queries, instead of just logging to local flat text files. Configura‐
16 tion options are available for selecting a subset of operation types to
17 log, and to automatically prune older log records from the logging
18 database. Log records are stored with audit schema (see below) to
19 assure their readability whether viewed as LDIF or in raw form.
20
22 These slapd.conf options apply to the Access Logging overlay. They
23 should appear after the overlay directive.
24 logdb <suffix>
26 Specify the suffix of a database to be used for storing the log
27 records. The specified database must be defined elsewhere in
28 the configuration. The access controls on the log database
29 should prevent general access. The suffix entry of the log data‐
30 base will be created automatically by this overlay. The log
31 entries will be generated as the immediate children of the suf‐
32 fix entry.
33 logops <operations>
35 Specify which types of operations to log. The valid operation
36 types are abandon, add, bind, compare, delete, extended, modify,
37 modrdn, search, and unbind. Aliases for common sets of opera‐
38 tions are also available:
39 writes add, delete, modify, modrdn
41 reads compare, search
43 session
45 abandon, bind, unbind
46 all all operations
48 logold <filter>
50 Specify a filter for matching against Deleted and Modified
51 entries. If the entry matches the filter, the old contents of
52 the entry will be logged along with the current request.
53 logoldattr <attr> ...
55 Specify a list of attributes whose old contents are always
56 logged in Modify and ModRDN requests. Usually only the contents
57 of attributes that were actually modified will be logged; by
58 default no old attributes are logged for ModRDN requests.
59 logpurge <age> <interval>
61 Specify the maximum age for log entries to be retained in the
62 database, and how often to scan the database for old entries.
63 Both the age and interval are specified as a time span in days,
64 hours, minutes, and seconds. The time format is [ddd+]hh:mm[:ss]
65 i.e., the days and seconds components are optional but hours and
66 minutes are required. Except for days, which can be up to 5 dig‐
67 its, each numeric field must be exactly two digits. For example
68 logpurge 2+00:00 1+00:00
69 would specify that the log database should be scanned every day
70 for old entries, and entries older than two days should be
71 deleted. When using a log database that supports ordered index‐
72 ing on generalizedTime attributes, specifying an eq index on the
73 reqStart attribute will greatly benefit the performance of the
74 purge operation.
75 logsuccess TRUE | FALSE
77 If set to TRUE then log records will only be generated for suc‐
78 cessful requests, i.e., requests that produce a result code of 0
79 (LDAP_SUCCESS). If FALSE, log records are generated for all
80 requests whether they succeed or not. The default is FALSE.
81
84 database bdb
85 suffix dc=example,dc=com
86 ...
87 overlay accesslog
88 logdb cn=log
89 logops writes reads
90 logold (objectclass=person)
91 database bdb
93 suffix cn=log
94 ...
95 index reqStart eq
96 access to *
97 by dn.base="cn=admin,dc=example,dc=com" read
98
101 The accesslog overlay utilizes the "audit" schema described herein.
102 This schema is specifically designed for accesslog auditing and is not
103 intended to be used otherwise. It is also noted that the schema
104 described here is a work in progress, and hence subject to change with‐
105 out notice. The schema is loaded automatically by the overlay.
106 The schema includes a number of object classes and associated attribute
108 types as described below.
109 There is a basic auditObject class from which two additional classes,
111 auditReadObject and auditWriteObject are derived. Object classes for
112 each type of LDAP operation are further derived from these classes.
113 This object class hierarchy is designed to allow flexible yet efficient
114 searches of the log based on either a specific operation type's class,
115 or on more general classifications. The definition of the auditObject
116 class is as follows:
117 ( 1.3.6.1.4.1.4203.666.11.5.2.1
119 NAME 'auditObject'
120 DESC 'OpenLDAP request auditing'
121 SUP top STRUCTURAL
122 MUST ( reqStart $ reqType $ reqSession )
123 MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
124 reqEnd $ reqResult $ reqMessage $ reqReferral ) )
125 Note that all of the OIDs used in the logging schema currently reside
127 under the OpenLDAP Experimental branch. It is anticipated that they
128 will migrate to a Standard branch in the future.
129 An overview of the attributes follows: reqStart and reqEnd provide the
131 start and end time of the operation, respectively. They use general‐
132 izedTime syntax. The reqStart attribute is also used as the RDN for
133 each log entry.
134 The reqType attribute is a simple string containing the type of opera‐
136 tion being logged, e.g. add, delete, search, etc. For extended opera‐
137 tions, the type also includes the OID of the extended operation, e.g.
138 extended(1.1.1.1)
139 The reqSession attribute is an implementation-specific identifier that
141 is common to all the operations associated with the same LDAP session.
142 Currently this is slapd's internal connection ID, stored in decimal.
143 The reqDN attribute is the distinguishedName of the target of the oper‐
145 ation. E.g., for a Bind request, this is the Bind DN. For an Add
146 request, this is the DN of the entry being added. For a Search request,
147 this is the base DN of the search.
148 The reqAuthzID attribute is the distinguishedName of the user that per‐
150 formed the operation. This will usually be the same name as was estab‐
151 lished at the start of a session by a Bind request (if any) but may be
152 altered in various circumstances.
153 The reqControls and reqRespControls attributes carry any controls sent
155 by the client on the request and returned by the server in the
156 response, respectively. The attribute values are just uninterpreted
157 octet strings.
158 The reqResult attribute is the numeric LDAP result code of the opera‐
160 tion, indicating either success or a particular LDAP error code. An
161 error code may be accompanied by a text error message which will be
162 recorded in the reqMessage attribute.
163 The reqReferral attribute carries any referrals that were returned with
165 the result of the request.
166 Operation-specific classes are defined with additional attributes to
168 carry all of the relevant parameters associated with the operation:
169 ( 1.3.6.1.4.1.4203.666.11.5.2.4
172 NAME 'auditAbandon'
173 DESC 'Abandon operation'
174 SUP auditObject STRUCTURAL
175 MUST reqId )
176 For the Abandon operation the reqId attribute contains the message ID
178 of the request that was abandoned.
179 ( 1.3.6.1.4.1.4203.666.11.5.2.5
182 NAME 'auditAdd'
183 DESC 'Add operation'
184 SUP auditWriteObject STRUCTURAL
185 MUST reqMod )
186 The Add class inherits from the auditWriteObject class. The Add and
188 Modify classes are very similar. The reqMod attribute carries all of
189 the attributes of the original entry being added. (Or in the case of a
190 Modify operation, all of the modifications being performed.) The values
191 are formatted as
192 attribute:<+|-|=|#> [ value]
193 Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
194 and '#' for Increment. In an Add operation, all of the reqMod values
195 will have the '+' designator.
196 ( 1.3.6.1.4.1.4203.666.11.5.2.6
198 NAME 'auditBind'
199 DESC 'Bind operation'
200 SUP auditObject STRUCTURAL
201 MUST ( reqVersion $ reqMethod ) )
202 The Bind class includes the reqVersion attribute which contains the
204 LDAP protocol version specified in the Bind as well as the reqMethod
205 attribute which contains the Bind Method used in the Bind. This will be
206 the string SIMPLE for LDAP Simple Binds or SASL(<mech>) for SASL Binds.
207 Note that unless configured as a global overlay, only Simple Binds
208 using DNs that reside in the current database will be logged.
209 ( 1.3.6.1.4.1.4203.666.11.5.2.7
212 NAME 'auditCompare'
213 DESC 'Compare operation'
214 SUP auditObject STRUCTURAL
215 MUST reqAssertion )
216 For the Compare operation the reqAssertion attribute carries the
218 Attribute Value Assertion used in the compare request.
219 ( 1.3.6.1.4.1.4203.666.11.5.2.8
222 NAME 'auditDelete'
223 DESC 'Delete operation'
224 SUP auditWriteObject STRUCTURAL
225 MAY reqOld )
226 The Delete operation needs no further parameters. However, the reqOld
228 attribute may optionally be used to record the contents of the entry
229 prior to its deletion. The values are formatted as
230 attribute: value
231 The reqOld attribute is only populated if the entry being deleted
232 matches the configured logold filter.
233 ( 1.3.6.1.4.1.4203.666.11.5.2.9
236 NAME 'auditModify'
237 DESC 'Modify operation'
238 SUP auditWriteObject STRUCTURAL
239 MAY reqOld MUST reqMod )
240 The Modify operation contains a description of modifications in the
242 reqMod attribute, which was already described above in the Add opera‐
243 tion. It may optionally contain the previous contents of any modified
244 attributes in the reqOld attribute, using the same format as described
245 above for the Delete operation. The reqOld attribute is only populated
246 if the entry being modified matches the configured logold filter.
247 ( 1.3.6.1.4.1.4203.666.11.5.2.10
250 NAME 'auditModRDN'
251 DESC 'ModRDN operation'
252 SUP auditWriteObject STRUCTURAL
253 MUST ( reqNewRDN $ reqDeleteOldRDN )
254 MAY ( reqNewSuperior $ reqOld ) )
255 The ModRDN class uses the reqNewRDN attribute to carry the new RDN of
257 the request. The reqDeleteOldRDN attribute is a Boolean value showing
258 TRUE if the old RDN was deleted from the entry, or FALSE if the old RDN
259 was preserved. The reqNewSuperior attribute carries the DN of the new
260 parent entry if the request specified the new parent. The reqOld
261 attribute is only populated if the entry being modified matches the
262 configured logold filter and contains attributes in the logoldattr
263 list.
264 ( 1.3.6.1.4.1.4203.666.11.5.2.11
267 NAME 'auditSearch'
268 DESC 'Search operation'
269 SUP auditReadObject STRUCTURAL
270 MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )
271 MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
272 reqTimeLimit ) )
273 For the Search class the reqScope attribute contains the scope of the
275 original search request, using the values specified for the LDAP URL
276 format. I.e. base, one, sub, or subord. The reqDerefAliases attribute
277 is one of never, finding, searching, or always, denoting how aliases
278 will be processed during the search. The reqAttrsOnly attribute is a
279 Boolean value showing TRUE if only attribute names were requested, or
280 FALSE if attributes and their values were requested. The reqFilter
281 attribute carries the filter used in the search request. The reqAttr
282 attribute lists the requested attributes if specific attributes were
283 requested. The reqEntries attribute is the integer count of how many
284 entries were returned by this search request. The reqSizeLimit and
285 reqTimeLimit attributes indicate what limits were requested on the
286 search operation.
287 ( 1.3.6.1.4.1.4203.666.11.5.2.12
290 NAME 'auditExtended'
291 DESC 'Extended operation'
292 SUP auditObject STRUCTURAL
293 MAY reqData )
294 The Extended class represents an LDAP Extended Operation. As noted
296 above, the actual OID of the operation is included in the reqType
297 attribute of the parent class. If any optional data was provided with
298 the request, it will be contained in the reqData attribute as an unin‐
299 terpreted octet string.
300
303 The Access Log implemented by this overlay may be used for a variety of
304 other tasks, e.g. as a ChangeLog for a replication mechanism, as well
305 as for security/audit logging purposes.
306
309 /etc/openldap/slapd.conf
310 default slapd configuration file
311
313 slapd.conf(5), slapd-config(5).
314
317 This module was written in 2005 by Howard Chu of Symas Corporation.
318OpenLDAP 2.4.23 2010/06/30 SLAPO-ACCESSLOG(5)