1 .TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2005 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapo-accesslog \- Access Logging overlay
10 The Access Logging overlay can be used to record all accesses to a given
11 backend database on another database. This allows all of the activity on
12 a given database to be reviewed using arbitrary LDAP queries, instead of
13 just logging to local flat text files. Configuration options are available
14 for selecting a subset of operation types to log, and to automatically
15 prune older log records from the logging database. Log records are stored
16 with a custom schema to assure their readability whether viewed as LDIF
21 options apply to the Access Logging overlay.
22 They should appear after the
24 directive and before any subsequent
29 Specify the suffix of a database to be used for storing the log records.
30 The specified database must have already been configured in a prior section
31 of the config file. The suffix entry of the database must also already
32 exist. The log entries will be generated as the immediate children of the
35 .B logops <operations>
36 Specify which types of operations to log. The valid operation types are
37 abandon, add, bind, compare, delete, extended, modify, modrdn, search,
38 and unbind. Aliases for common sets of operations are also available:
42 add, delete, modify, modrdn
54 .B logpurge <age> <interval>
55 Specify the maximum age for log entries to be retained in the database,
56 and how often to scan the database for old entries. Both the
60 are specified as a time span in days, hours, minutes, and seconds. The
61 time format is [ddd+]hh:mm[:ss] i.e., the days and seconds components are
62 optional but hours and minutes are required. Except for days, which can
63 be up to 5 digits, each numeric field must be exactly two digits. For example
68 logpurge 2+00:00 1+00:00
71 would specify that the log database should be scanned every day for old
72 entries, and entries older than two days should be deleted. When using a
73 log database that supports ordered indexing on generalizedTime attributes,
74 specifying an eq index on the
76 attribute will greatly benefit the performance of the purge operation.
87 suffix dc=example,dc=com
97 overlay defines a number of object classes for use in the logs. There is
100 class from which two additional classes,
104 are derived. Object classes for each type of LDAP operation are further
105 derived from these classes. This object class hierarchy is designed to
106 allow flexible yet efficient searches of the log based on either a specific
107 operation type's class, or on more general classifications. The definition
113 ( 1.3.6.1.4.1.4203.666.11.5.2.1
115 DESC 'OpenLDAP request auditing'
117 MUST ( reqStart $ reqType $ reqSession )
118 MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
119 reqEnd $ reqResult $ reqMessage ) )
122 Note that all of the OIDs used in the logging schema currently reside
123 under the OpenLDAP Experimental branch. It is anticipated that they
124 will migrate to a Standard branch in the future.
126 An overview of the attributes follows:
130 provide the start and end time of the operation, respectively. They use
131 generalizedTime syntax. The
133 attribute is also used as the RDN for each log entry.
137 attribute is a simple string containing the type of operation
142 etc. For extended operations, the type also includes the OID of the
143 extended operation, e.g.
144 .B extended(1.2.3.4.1)
148 attribute is an implementation-specific identifier that is common to
149 all the operations associated with the same LDAP session. Currently this
150 is slapd's internal connection ID, stored in decimal.
154 attribute is the distinguishedName of the target of the operation. E.g., for
155 a Bind request, this is the Bind DN. For an Add request, this is the DN
156 of the entry being added. For a Search request, this is the base DN of
161 attribute is the distinguishedName of the user that performed the operation.
162 This will usually be the same name as was established at the start of a
163 session by a Bind request (if any) but may be altered in various
170 attributes carry any controls sent by the client on the request and returned
171 by the server in the response, respectively. The attribute values are just
172 uninterpreted octet strings.
176 attribute is the numeric LDAP result code of the operation, indicating
177 either success or a particular LDAP error code. An error code may be
178 accompanied by a text error message which will be recorded in the
182 Operation-specific classes are defined with additional attributes to carry
183 all of the relevant parameters associated with the operation:
187 ( 1.3.6.1.4.1.4203.666.11.5.2.4
189 DESC 'Abandon operation'
190 SUP auditObject STRUCTURAL
198 attribute contains the message ID of the request that was abandoned.
202 ( 1.3.6.1.4.1.4203.666.11.5.2.5
205 SUP auditWriteObject STRUCTURAL
211 class inherits from the
213 class. The Add and Modify classes are essentially the same. The
215 attribute carries all of the attributes of the original entry being added.
216 (Or in the case of a Modify operation, all of the modifications being
217 performed.) The values are formatted as
222 attribute:<+|-|=|#> [ value]
225 Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
226 and '#' for Increment. In an Add operation, all of the reqMod values will
227 have the '+' designator.
233 ( 1.3.6.1.4.1.4203.666.11.5.2.6
235 DESC 'Bind operation'
236 SUP auditObject STRUCTURAL
244 attribute which contains the Bind Method used in the Bind. This will be
247 for LDAP Simple Binds or
250 Note that unless configured as a global overlay, only Simple Binds using
251 DNs that reside in the current database will be logged.
255 ( 1.3.6.1.4.1.4203.666.11.5.2.7
257 DESC 'Compare operation'
258 SUP auditObject STRUCTURAL
266 attribute carries the Attribute Value Assertion used in the compare request.
270 ( 1.3.6.1.4.1.4203.666.11.5.2.8
272 DESC 'Modify operation'
273 SUP auditWriteObject STRUCTURAL
279 operation has already been described.
283 ( 1.3.6.1.4.1.4203.666.11.5.2.9
285 DESC 'ModRDN operation'
286 SUP auditWriteObject STRUCTURAL
287 MUST ( reqNewRDN $ reqDeleteOldRDN )
295 attribute to carry the new RDN of the request.
298 attribute is a Boolean value showing
300 if the old RDN was deleted from the entry, or
302 if the old RDN was preserved.
305 attribute carries the DN of the new parent entry if the request specified
310 ( 1.3.6.1.4.1.4203.666.11.5.2.10
312 DESC 'Search operation'
313 SUP auditReadObject STRUCTURAL
314 MUST ( reqScope $ reqAttrsOnly )
315 MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
323 attribute contains the scope of the original search request, i.e.
331 attribute is a Boolean value showing
333 if only attribute names were requested, or
335 if attributes and their values were requested.
338 attribute carries the filter used in the search request.
341 attribute lists the requested attributes if specific attributes were
345 attribute is the integer count of how many entries were returned by
351 attributes indicate what limits were requested on the search operation.
355 ( 1.3.6.1.4.1.4203.666.11.5.2.11
357 DESC 'Extended operation'
358 SUP auditObject STRUCTURAL
364 class represents an LDAP Extended Operation. As noted above, the actual OID of
365 the operation is included in the
367 attribute of the parent class. If any optional data was provided with the
368 request, it will be contained in the
370 attribute as an uninterpreted octet string.
373 The Access Log implemented by this overlay may be used for a variety of
374 other tasks, e.g. as a ChangeLog for a replication mechanism, as well
375 as for security/audit logging purposes.
380 default slapd configuration file
386 This module was written in 2005 by Howard Chu of Symas Corporation.