[389-users] Re: SIEM Audit Data

2016-10-13 Thread Paul Robert Marino
User authentication errors are usually recorded on the client end.

On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen  wrote:
> I'm looking for ways to pull a number of audit events from 389. Such as:
>
> -User authentication success and failures.
> -Group additions, removals and changes.
> -User additions, removals and possibly changes.
>
> Details in each of these would include items such as:
>
> username
> groupname
> attribute changed
> timestamp of event
> action
>
> Sending these out via syslog formatted messages is the preferred route.
>
> I have not been able to find anything definitive on how to do this. Debug
> logs seem to lack much of this or contain far too much information, making
> them prohibitive to use. They are also formatted in such a way that it is
> extremely difficult to process them in any practical way. For example, you would
> probably need a full LDIF interpreter to reformat them on the fly. I assume
> I either have not dug far enough or am simply digging in the wrong direction.
>
> Is anyone out there doing something similar and pulling the above data into
> a SIEM? If so would you be willing to share your experience on the topic or
> point me in the right direction?
>
> Thanks!
>
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


[389-users] SIEM Audit Data

2016-10-13 Thread Jason Nielsen
I'm looking for ways to pull a number of audit events from 389. Such as:

-User authentication success and failures.
-Group additions, removals and changes.
-User additions, removals and possibly changes.

Details in each of these would include items such as:

username
groupname
attribute changed
timestamp of event
action

Sending these out via syslog formatted messages is the preferred route.

I have not been able to find anything definitive on how to do this. Debug
logs seem to lack much of this or contain far too much information, making
them prohibitive to use. They are also formatted in such a way that it is
extremely difficult to process them in any practical way. For example, you would
probably need a full LDIF interpreter to reformat them on the fly. I assume
I either have not dug far enough or am simply digging in the wrong direction.

Is anyone out there doing something similar and pulling the above data into
a SIEM? If so would you be willing to share your experience on the topic or
point me in the right direction?

Thanks!
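The post above says the LDIF-formatted logs would need a "full LDIF interpreter" before a SIEM could use them. The following is an added example, not code from the thread or from the 389 project, showing that the subset needed for the user and group change events Jason lists is small: a parser that turns LDIF-style audit entries (time, dn, result, changetype, then attribute blocks separated by "-") into flat events carrying the name, the attribute changed, the timestamp, the action and the actor, and renders each as a single syslog-ready line. The entry layout and the sample log are constructed for this example and modelled on the 389 Directory Server audit log format as I understand it; the helper names (`parse_entries`, `to_syslog_line`) and the `ou=Groups` convention for telling groups from users are assumptions, not anything the thread states. Authentication events are out of scope here, since, as the reply notes, they are not in this log.

```python
"""Added example: flatten LDIF-style directory audit entries into SIEM events.

The layout (time:, dn:, result:, changetype:, attribute blocks ending in '-')
is modelled on the 389 Directory Server audit log; this is an assumption,
and the sample below is constructed, not real log data.
"""
import json
import re
from datetime import datetime

# Constructed sample. Attribute values are present, as they would be in a real
# audit log, to show that the parser drops them on purpose.
SAMPLE_AUDIT_LOG = """\
time: 20161013164700
dn: uid=jdoe,ou=People,dc=example,dc=com
result: 0
changetype: modify
replace: userPassword
userPassword: {SSHA}constructed-hash-not-real
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20161013164815
dn: cn=admins,ou=Groups,dc=example,dc=com
result: 0
changetype: modify
add: member
member: uid=jdoe,ou=People,dc=example,dc=com
-
replace: modifiersname
modifiersname: uid=ops,ou=People,dc=example,dc=com
-

time: 20161013164900
dn: uid=olduser,ou=People,dc=example,dc=com
result: 0
changetype: delete
"""

HEADER_KEYS = {"time", "dn", "result", "changetype"}
MOD_OPS = {"add", "replace", "delete"}          # modify sub-operations
OPERATIONAL_ATTRS = {"modifiersname", "modifytimestamp", "entryusn"}
MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}
RDN_RE = re.compile(r"^(?:uid|cn)=([^,]+)", re.IGNORECASE)


def parse_time(stamp):
    """YYYYMMDDhhmmss -> ISO 8601. The stamp carries no zone; it is taken as
    server local time (assumption), so the collector should add the zone."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").isoformat()


def parse_entry(block):
    """Turn one LDIF-style entry into a flat event dict."""
    header, attrs, in_op = {}, [], False
    for line in block.splitlines():
        if line == "-":                     # end of one attribute block
            in_op = False
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in HEADER_KEYS:
            header[key] = value
        elif key in MOD_OPS and not in_op:   # "replace: userPassword" etc.
            in_op = True
            if value.lower() not in OPERATIONAL_ATTRS:
                attrs.append(value)
        elif key == "modifiersname":
            header["actor"] = value
        # Any other line is an attribute value. It is skipped on purpose:
        # it may hold secrets such as password hashes, and the SIEM only
        # needs to know which attribute changed, not its new value.
    dn = header.get("dn", "")
    rdn = RDN_RE.match(dn)
    object_type = "group" if "ou=groups" in dn.lower() else "user"
    action = header.get("changetype", "unknown")
    if action == "modify" and object_type == "group" and any(
        a.lower() in MEMBER_ATTRS for a in attrs
    ):
        action = "group_membership_change"
    result = header.get("result", "")
    return {
        "timestamp": parse_time(header["time"]) if "time" in header else None,
        "object_type": object_type,
        "name": rdn.group(1) if rdn else dn,
        "dn": dn,
        "action": action,
        "attributes": attrs,
        "actor": header.get("actor"),
        "result": int(result) if result.isdigit() else None,
    }


def parse_entries(text):
    """Entries are separated by blank lines."""
    return [parse_entry(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def to_syslog_line(event):
    """One key=value line per event; JSON-quoted values stay parseable."""
    fields = ["ldap_audit"]
    for key in ("timestamp", "action", "object_type", "name",
                "attributes", "actor", "result"):
        fields.append(f"{key}={json.dumps(event[key])}")
    return " ".join(fields)


if __name__ == "__main__":
    for ev in parse_entries(SAMPLE_AUDIT_LOG):
        print(to_syslog_line(ev))
```

Feeding the lines produced by `to_syslog_line` into a forwarder (for instance Python's `logging.handlers.SysLogHandler`, or a file tailed by the local syslog daemon) gives the syslog route the post asks for. Two design points matter for a SIEM: attribute values never leave the host, so a password change is reported as a change to `userPassword` without the hash, and the `result` field is kept so that failed changes can be alerted on separately from successful ones.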