Have you looked at the audit logs ? Use the below ldif to enable them.
dn: cn=config changetype: modify replace: nsslapd-auditlog-logging-enabled nsslapd-auditlog-logging-enabled: on This will write to 'audit' file in the same dir as 'access' and 'errors' log file. On 14 October 2016 at 02:20, Paul Robert Marino <prmari...@gmail.com> wrote: > user authentication errors are usually recorded on the client end. > > On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen <hib0...@gmail.com> wrote: > > Im looking for ways to pull a number of audit events from 389. Such as: > > > > -User authentication success and failures. > > -Group additions, removals and changes. > > -User additions, removals and possibly changes. > > > > Details in each of these would include items such as: > > > > username > > groupname > > attribute changed > > timestamp of event > > action > > > > Sending these out via syslog formatted messages is the preferred route. > > > > I have not been able to find anything definitive in how to do this. Debug > > logs seem to lack much of this or contain far too much information making > > the prohibitive to use. They are also formatted in such a way making it > > extremely difficult to process in any practical way. For example, you > would > > probably need a full LDIF interpreter to reformat them on the fly. I > assume > > I either have not dug far enough or simply digging in the wrong > direction. > > > > Is anyone out there doing something similar and pulling the above data > into > > a SIEM? If so would you be willing to share your experience on the topic > or > > point me in the right direction? > > > > Thanks! > > > > _______________________________________________ > > 389-users mailing list -- 389-users@lists.fedoraproject.org > > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > > > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org >
_______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
