Im looking for ways to pull a number of audit events from 389. Such as:

-User authentication success and failures.
-Group additions, removals and changes.
-User additions, removals and possibly changes.

Details in each of these would include items such as:

attribute changed
timestamp of event

Sending these out via syslog formatted messages is the preferred route.

I have not been able to find anything definitive in how to do this. Debug
logs seem to lack much of this or contain far too much information making
the prohibitive to use. They are also formatted in such a way making it
extremely difficult to process in any practical way. For example, you would
probably need a full LDIF interpreter to reformat them on the fly. I assume
I either have not dug far enough or simply digging in the wrong direction.

Is anyone out there doing something similar and pulling the above data into
a SIEM? If so would you be willing to share your experience on the topic or
point me in the right direction?

389-users mailing list --
To unsubscribe send an email to

Reply via email to