1 .TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2005-2017 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapo\-accesslog \- Access Logging overlay to slapd
10 The Access Logging overlay can be used to record all accesses to a given
11 backend database on another database. This allows all of the activity on
12 a given database to be reviewed using arbitrary LDAP queries, instead of
13 just logging to local flat text files. Configuration options are available
14 for selecting a subset of operation types to log, and to automatically
15 prune older log records from the logging database. Log records are stored
16 with audit schema (see below) to assure their readability whether viewed
17 as LDIF or in raw form.
21 options apply to the Access Logging overlay.
22 They should appear after the
27 Specify the suffix of a database to be used for storing the log records.
28 The specified database must be defined elsewhere in the configuration.
30 on the log database should prevent general access. The suffix entry
31 of the log database will be created automatically by this overlay. The log
32 entries will be generated as the immediate children of the suffix entry.
34 .B logops <operations>
35 Specify which types of operations to log. The valid operation types are
36 abandon, add, bind, compare, delete, extended, modify, modrdn, search,
37 and unbind. Aliases for common sets of operations are also available:
41 add, delete, modify, modrdn
53 .B logbase <operations> <baseDN>
54 Specify a set of operations that will only be logged if they occur under
55 a specific subtree of the database. The operation types are as above for
58 setting, and delimited by a '|' character.
61 Specify a filter for matching against Deleted and Modified entries. If
62 the entry matches the filter, the old contents of the entry will be
63 logged along with the current request.
65 .B logoldattr <attr> ...
66 Specify a list of attributes whose old contents are always logged in
67 Modify and ModRDN requests. Usually only the contents of attributes that were
68 actually modified will be logged; by default no old attributes are logged
71 .B logpurge <age> <interval>
72 Specify the maximum age for log entries to be retained in the database,
73 and how often to scan the database for old entries. Both the
77 are specified as a time span in days, hours, minutes, and seconds. The
78 time format is [ddd+]hh:mm[:ss] i.e., the days and seconds components are
79 optional but hours and minutes are required. Except for days, which can
80 be up to 5 digits, each numeric field must be exactly two digits. For example
85 logpurge 2+00:00 1+00:00
88 would specify that the log database should be scanned every day for old
89 entries, and entries older than two days should be deleted. When using a
90 log database that supports ordered indexing on generalizedTime attributes,
91 specifying an eq index on the
93 attribute will greatly benefit the performance of the purge operation.
96 .B logsuccess TRUE | FALSE
97 If set to TRUE then log records will only be generated for successful
98 requests, i.e., requests that produce a result code of 0 (LDAP_SUCCESS).
99 If FALSE, log records are generated for all requests whether they
100 succeed or not. The default is FALSE.
106 suffix dc=example,dc=com
111 logbase search|compare ou=testing,dc=example,dc=com
112 logold (objectclass=person)
119 by dn.base="cn=admin,dc=example,dc=com" read
125 overlay utilizes the "audit" schema described herein.
126 This schema is specifically designed for
128 auditing and is not intended to be used otherwise. It is also
129 noted that the schema described here is
132 and hence subject to change without notice.
133 The schema is loaded automatically by the overlay.
135 The schema includes a number of object classes and associated
136 attribute types as described below.
141 class from which two additional classes,
145 are derived. Object classes for each type of LDAP operation are further
146 derived from these classes. This object class hierarchy is designed to
147 allow flexible yet efficient searches of the log based on either a specific
148 operation type's class, or on more general classifications. The definition
154 ( 1.3.6.1.4.1.4203.666.11.5.2.1
156 DESC 'OpenLDAP request auditing'
158 MUST ( reqStart $ reqType $ reqSession )
159 MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
160 reqEnd $ reqResult $ reqMessage $ reqReferral $ reqEntryUUID ) )
163 Note that all of the OIDs used in the logging schema currently reside
164 under the OpenLDAP Experimental branch. It is anticipated that they
165 will migrate to a Standard branch in the future.
167 An overview of the attributes follows:
171 provide the start and end time of the operation, respectively. They use
172 generalizedTime syntax. The
174 attribute is also used as the RDN for each log entry.
178 attribute is a simple string containing the type of operation
183 etc. For extended operations, the type also includes the OID of the
184 extended operation, e.g.
189 attribute is an implementation-specific identifier that is common to
190 all the operations associated with the same LDAP session. Currently this
191 is slapd's internal connection ID, stored in decimal.
195 attribute is the distinguishedName of the target of the operation. E.g., for
196 a Bind request, this is the Bind DN. For an Add request, this is the DN
197 of the entry being added. For a Search request, this is the base DN of
202 attribute is the distinguishedName of the user that performed the operation.
203 This will usually be the same name as was established at the start of a
204 session by a Bind request (if any) but may be altered in various
211 attributes carry any controls sent by the client on the request and returned
212 by the server in the response, respectively. The attribute values are just
213 uninterpreted octet strings.
217 attribute is the numeric LDAP result code of the operation, indicating
218 either success or a particular LDAP error code. An error code may be
219 accompanied by a text error message which will be recorded in the
225 attribute carries any referrals that were returned with the result of the
230 attribute records the entryUUID attribute of the entry operated on, for an Add
231 request, this is the entryUUID of the newly created entry.
233 Operation-specific classes are defined with additional attributes to carry
234 all of the relevant parameters associated with the operation:
238 ( 1.3.6.1.4.1.4203.666.11.5.2.4
240 DESC 'Abandon operation'
241 SUP auditObject STRUCTURAL
249 attribute contains the message ID of the request that was abandoned.
253 ( 1.3.6.1.4.1.4203.666.11.5.2.5
256 SUP auditWriteObject STRUCTURAL
262 class inherits from the
264 class. The Add and Modify classes are very similar. The
266 attribute carries all of the attributes of the original entry being added.
267 (Or in the case of a Modify operation, all of the modifications being
268 performed.) The values are formatted as
272 attribute:<+|\-|=|#> [ value]
276 Where '+' indicates an Add of a value, '\-' for Delete, '=' for Replace,
277 and '#' for Increment. In an Add operation, all of the reqMod values will
278 have the '+' designator.
282 ( 1.3.6.1.4.1.4203.666.11.5.2.6
284 DESC 'Bind operation'
285 SUP auditObject STRUCTURAL
286 MUST ( reqVersion $ reqMethod ) )
293 attribute which contains the LDAP protocol version specified in the Bind
296 attribute which contains the Bind Method used in the Bind. This will be
299 for LDAP Simple Binds or
302 Note that unless configured as a global overlay, only Simple Binds using
303 DNs that reside in the current database will be logged.
307 ( 1.3.6.1.4.1.4203.666.11.5.2.7
309 DESC 'Compare operation'
310 SUP auditObject STRUCTURAL
318 attribute carries the Attribute Value Assertion used in the compare request.
322 ( 1.3.6.1.4.1.4203.666.11.5.2.8
324 DESC 'Delete operation'
325 SUP auditWriteObject STRUCTURAL
331 operation needs no further parameters. However, the
333 attribute may optionally be used to record the contents of the entry prior
334 to its deletion. The values are formatted as
343 attribute is only populated if the entry being deleted matches the
350 ( 1.3.6.1.4.1.4203.666.11.5.2.9
352 DESC 'Modify operation'
353 SUP auditWriteObject STRUCTURAL
354 MAY reqOld MUST reqMod )
359 operation contains a description of modifications in the
361 attribute, which was already described above in the Add operation. It may
362 optionally contain the previous contents of any modified attributes in the
364 attribute, using the same format as described above for the Delete operation.
367 attribute is only populated if the entry being modified matches the
374 ( 1.3.6.1.4.1.4203.666.11.5.2.10
376 DESC 'ModRDN operation'
377 SUP auditWriteObject STRUCTURAL
378 MUST ( reqNewRDN $ reqDeleteOldRDN )
379 MAY ( reqNewSuperior $ reqOld ) )
386 attribute to carry the new RDN of the request.
389 attribute is a Boolean value showing
391 if the old RDN was deleted from the entry, or
393 if the old RDN was preserved.
396 attribute carries the DN of the new parent entry if the request specified
400 attribute is only populated if the entry being modified matches the
403 filter and contains attributes in the
409 ( 1.3.6.1.4.1.4203.666.11.5.2.11
411 DESC 'Search operation'
412 SUP auditReadObject STRUCTURAL
413 MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )
414 MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
422 attribute contains the scope of the original search request, using the
423 values specified for the LDAP URL format. I.e.
437 denoting how aliases will be processed during the search.
440 attribute is a Boolean value showing
442 if only attribute names were requested, or
444 if attributes and their values were requested.
447 attribute carries the filter used in the search request.
450 attribute lists the requested attributes if specific attributes were
454 attribute is the integer count of how many entries were returned by
460 attributes indicate what limits were requested on the search operation.
464 ( 1.3.6.1.4.1.4203.666.11.5.2.12
466 DESC 'Extended operation'
467 SUP auditObject STRUCTURAL
473 class represents an LDAP Extended Operation. As noted above, the actual OID of
474 the operation is included in the
476 attribute of the parent class. If any optional data was provided with the
477 request, it will be contained in the
479 attribute as an uninterpreted octet string.
482 The Access Log implemented by this overlay may be used for a variety of
483 other tasks, e.g. as a ChangeLog for a replication mechanism, as well
484 as for security/audit logging purposes.
489 default slapd configuration file
492 .BR slapd\-config (5).
496 This module was written in 2005 by Howard Chu of Symas Corporation.