How to filter OpenLDAP logs?


#1

Hi,

Attempting to parse LDAP access logs (sample below):

  • required to be able to find transactions by 'conn' (to relate the IP address to a BIND), for example.

Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 fd=28 ACCEPT from IP=1.2.3.4:57632 (IP=0.0.0.0:389)
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=0 BIND dn="cn=User,c=corp" method=128
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=0 BIND dn="cn=User,c=corp" mech=SIMPLE ssf=0
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=0 RESULT tag=97 err=0 text=
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=1 SRCH base="c=fr" scope=0 deref=2 filter="(objectClass=*)"
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=1 SRCH attr=contextCSN
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 fd=28 closed (connection lost)

Any tips on how to get this going?


(Magnus Bäck) #2

It looks like a syslog file so you should be able to use one of the standard patterns for that, and then you can just continue with the rest of what you want to match. You'll probably want one pattern per type of log entry. The grok filter will try them one by one and pick the first match. Untested but should get you started:

filter {
  grok {
    # Literal parentheses are regex metacharacters in grok, so the "(IP=...)"
    # part of the ACCEPT message has to be escaped as \( ... \).
    match => {
      "message" => [
        "%{SYSLOGBASE} conn=%{INT:conn} fd=%{INT:fd} ACCEPT from IP=%{IP:client_ip}:%{INT:client_port} \(IP=%{IP:local_ip}:%{INT:local_port}\)",
        "%{SYSLOGBASE} conn=%{INT:conn} op=%{INT:op} BIND ...",
        ...
      ]
    }
  }
}

For some of these messages you could save some grok-writing effort by using the kv filter (since they're space-separated lists of key=value tokens), but then you'd have to extract that part of the message into a separate field and run that field through kv, which might be more work than necessary.
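As an added illustration (not code from the thread), here is a small Python parser that does what the question asks for: it treats ACCEPT specially because that line carries two IP= tokens, tokenizes the other messages as key=value pairs the way the kv filter would, and joins each BIND to its connection's client IP and RESULT code so that a failed bind can be attributed to a source address. The sample lines are the ones from the post plus three constructed lines for a failed bind from a second client.

```python
import re
# Syslog prefix plus the slapd "conn=N" field; everything after it is operation-specific.
LINE_RE = re.compile(r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
# ACCEPT carries two IP= tokens (client, then listener), so it gets its own pattern; note the escaped parentheses, which grok needs too.
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<client_ip>[^:\s]+):(?P<client_port>\d+) \(IP=(?P<local_ip>[^:\s]+):(?P<local_port>\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"]*)')  # every other message is a list of key=value tokens

def parse_line(line):
    """Return {'conn', 'action', 'fields'} for one slapd access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    conn, rest = int(m.group('conn')), m.group('rest')
    a = ACCEPT_RE.search(rest)
    if a:
        return {'conn': conn, 'action': 'ACCEPT', 'fields': a.groupdict()}
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    words = [w for w in rest.split() if '=' not in w]  # first bare word: BIND, RESULT, SRCH, ...
    return {'conn': conn, 'action': words[0] if words else '', 'fields': fields}

def bind_report(lines):
    """Join each BIND to its connection's client IP (from ACCEPT) and its RESULT err code."""
    client_ip, binds, report = {}, {}, []  # conn -> ip; (conn, op) -> entry; entries in order
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        conn, f = ev['conn'], ev['fields']
        if ev['action'] == 'ACCEPT':
            client_ip[conn] = f['client_ip']
        elif ev['action'] == 'BIND' and 'dn' in f and (conn, f['op']) not in binds:
            # slapd logs two BIND lines per op (method=, then mech=); record the op once
            binds[(conn, f['op'])] = {'conn': conn, 'client_ip': client_ip.get(conn), 'dn': f['dn'], 'err': None}
            report.append(binds[(conn, f['op'])])
        elif ev['action'] == 'RESULT' and (conn, f.get('op')) in binds:
            binds[(conn, f['op'])]['err'] = int(f['err'])
    return report

# Constructed sample: the first four lines are from the post; the last three add a failed simple bind (err=49 is LDAP invalidCredentials) from a second client.
SAMPLE = """\
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 fd=28 ACCEPT from IP=1.2.3.4:57632 (IP=0.0.0.0:389)
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=0 BIND dn="cn=User,c=corp" method=128
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=0 BIND dn="cn=User,c=corp" mech=SIMPLE ssf=0
Jun 11 09:53:08 ldapserver slapd[19329]: conn=1202229 op=0 RESULT tag=97 err=0 text=
Jun 11 09:53:09 ldapserver slapd[19329]: conn=1202230 fd=29 ACCEPT from IP=10.0.0.7:40001 (IP=0.0.0.0:389)
Jun 11 09:53:09 ldapserver slapd[19329]: conn=1202230 op=0 BIND dn="cn=admin,c=corp" method=128
Jun 11 09:53:09 ldapserver slapd[19329]: conn=1202230 op=0 RESULT tag=97 err=49 text=
""".splitlines()

def failed_binds(lines=SAMPLE):  # (client_ip, dn, err) for every bind whose RESULT reported an error
    return [(b['client_ip'], b['dn'], b['err']) for b in bind_report(lines) if b['err']]
```

The same join (ACCEPT client IP to BIND dn and RESULT err on a shared conn) is what you would reproduce in Logstash with an aggregate filter keyed on the conn field once grok has extracted it.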


#3

Thanks B.

I'll try that.

