[389-users] Re: SIEM Audit Data

2016-10-21 Thread Prashant Bapat
Have you looked at the audit logs? Use the below ldif to enable them.

dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on

This will write to the 'audit' file in the same dir as the 'access' and 'errors' log files.

On 14 October 2016 at 02:20,

[389-users] Re: SIEM Audit Data

2016-10-13 Thread Paul Robert Marino
User authentication errors are usually recorded on the client end.

On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen wrote:
> I'm looking for ways to pull a number of audit events from 389. Such as:
>
> -User authentication success and failures.
> -Group additions, removals and