On 11/10/2010 02:12 PM, Doug Burks wrote:
> Has anybody used OSSEC to monitor OpenLDAP logs? Specifically, I'd like to monitor for auth failures (err=49 in the sanitized log sample below). As you can see, one LDAP connection (conn=999999) creates multiple log entries. Further complicating the matter is the fact that there are two instances of the err=49 error in this LDAP connection.
Would configuring OpenLDAP to use syslog be the path of least resistance here?
-- Michael Starks [I] Immutable Security http://www.immutablesecurity.com
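
The correlation problem raised in this thread, as an added example that is not part of either message and not OSSEC's own code: it joins each `RESULT ... err=49` line to the `BIND` and `ACCEPT` lines that share its `conn=`/`op=` values and emits one record per connection, however many err=49 results that connection produced. The log lines are constructed and assume slapd writing its stats-level output to syslog; the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in slapd's stats-level syslog format (not from the original post).
SAMPLE_LOG = """\
Nov 10 14:01:07 ldap1 slapd[2211]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Nov 10 14:01:07 ldap1 slapd[2211]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Nov 10 14:01:07 ldap1 slapd[2211]: conn=1001 op=0 RESULT tag=97 err=49 text=
Nov 10 14:01:08 ldap1 slapd[2211]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Nov 10 14:01:08 ldap1 slapd[2211]: conn=1001 op=1 RESULT tag=97 err=49 text=
Nov 10 14:01:08 ldap1 slapd[2211]: conn=1001 fd=14 closed (connection lost)
Nov 10 14:01:09 ldap1 slapd[2211]: conn=1002 fd=15 ACCEPT from IP=192.0.2.20:40022 (IP=0.0.0.0:389)
Nov 10 14:01:09 ldap1 slapd[2211]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Nov 10 14:01:09 ldap1 slapd[2211]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

# ACCEPT carries the client address; IPv6 peers are logged in brackets.
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^:\s]+):\d+")
# BIND carries the DN being authenticated, keyed by connection and operation.
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the LDAP bind response; err=49 is invalidCredentials.
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def failed_binds(log_text):
    """Return one record per connection that had at least one err=49 bind result."""
    src = {}                      # conn -> client IP from ACCEPT
    dn = {}                       # (conn, op) -> DN from BIND
    failures = defaultdict(list)  # conn -> DNs of failed binds, in log order
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            src[m[1]] = m[2]
        elif m := BIND.search(line):
            dn[(m[1], m[2])] = m[3]
        elif (m := RESULT.search(line)) and m[3] == "49":
            failures[m[1]].append(dn.get((m[1], m[2]), "<unknown>"))
    return [
        {"conn": c, "src": src.get(c, "<unknown>"),
         "dns": sorted(set(d)), "count": len(d)}
        for c, d in failures.items()
    ]


if __name__ == "__main__":
    for alert in failed_binds(SAMPLE_LOG):
        print(alert)
```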