1 .TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 2005-2006 The OpenLDAP Foundation All Rights Reserved.
3 .\" Copying restrictions apply. See COPYRIGHT/LICENSE.
6 slapo-accesslog \- Access Logging overlay
10 The Access Logging overlay can be used to record all accesses to a given
11 backend database on another database. This allows all of the activity on
12 a given database to be reviewed using arbitrary LDAP queries, instead of
13 just logging to local flat text files. Configuration options are available
14 for selecting a subset of operation types to log, and to automatically
15 prune older log records from the logging database. Log records are stored
16 with audit schema (see below) to assure their readability whether viewed
17 as LDIF or in raw form.
21 options apply to the Access Logging overlay.
22 They should appear after the
27 Specify the suffix of a database to be used for storing the log records.
28 The specified database must have already been configured in a prior section
29 of the config file. The suffix entry of the log database will be created
30 automatically by this overlay. The log entries will be generated as the
31 immediate children of the suffix entry.
33 .B logops <operations>
34 Specify which types of operations to log. The valid operation types are
35 abandon, add, bind, compare, delete, extended, modify, modrdn, search,
36 and unbind. Aliases for common sets of operations are also available:
40 add, delete, modify, modrdn
52 .B logpurge <age> <interval>
53 Specify the maximum age for log entries to be retained in the database,
54 and how often to scan the database for old entries. Both the
58 are specified as a time span in days, hours, minutes, and seconds. The
59 time format is [ddd+]hh:mm[:ss] i.e., the days and seconds components are
60 optional but hours and minutes are required. Except for days, which can
61 be up to 5 digits, each numeric field must be exactly two digits. For example
66 logpurge 2+00:00 1+00:00
69 would specify that the log database should be scanned every day for old
70 entries, and entries older than two days should be deleted. When using a
71 log database that supports ordered indexing on generalizedTime attributes,
72 specifying an eq index on the
74 attribute will greatly benefit the performance of the purge operation.
77 .B logsuccess TRUE | FALSE
78 If set to TRUE then log records will only be generated for successful
79 requests, i.e., requests that produce a result code of 0 (LDAP_SUCCESS).
80 If FALSE, log records are generated for all requests whether they
81 succeed or not. The default is FALSE.
92 suffix dc=example,dc=com
102 overlay utilizes the "audit" schema described herein.
103 This schema is specifically designed for
105 auditing and is not intended to be used otherwise. It is also
106 noted that the schema describe here is
109 and hence subject to change without notice.
110 The schema is loaded automatically by the overlay.
112 The schema includes a number of object classes and associated
113 attribute types as described below.
118 class from which two additional classes,
122 are derived. Object classes for each type of LDAP operation are further
123 derived from these classes. This object class hierarchy is designed to
124 allow flexible yet efficient searches of the log based on either a specific
125 operation type's class, or on more general classifications. The definition
131 ( 1.3.6.1.4.1.4203.666.11.5.2.1
133 DESC 'OpenLDAP request auditing'
135 MUST ( reqStart $ reqType $ reqSession )
136 MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
137 reqEnd $ reqResult $ reqMessage $ reqReferral ) )
140 Note that all of the OIDs used in the logging schema currently reside
141 under the OpenLDAP Experimental branch. It is anticipated that they
142 will migrate to a Standard branch in the future.
144 An overview of the attributes follows:
148 provide the start and end time of the operation, respectively. They use
149 generalizedTime syntax. The
151 attribute is also used as the RDN for each log entry.
155 attribute is a simple string containing the type of operation
160 etc. For extended operations, the type also includes the OID of the
161 extended operation, e.g.
166 attribute is an implementation-specific identifier that is common to
167 all the operations associated with the same LDAP session. Currently this
168 is slapd's internal connection ID, stored in decimal.
172 attribute is the distinguishedName of the target of the operation. E.g., for
173 a Bind request, this is the Bind DN. For an Add request, this is the DN
174 of the entry being added. For a Search request, this is the base DN of
179 attribute is the distinguishedName of the user that performed the operation.
180 This will usually be the same name as was established at the start of a
181 session by a Bind request (if any) but may be altered in various
188 attributes carry any controls sent by the client on the request and returned
189 by the server in the response, respectively. The attribute values are just
190 uninterpreted octet strings.
194 attribute is the numeric LDAP result code of the operation, indicating
195 either success or a particular LDAP error code. An error code may be
196 accompanied by a text error message which will be recorded in the
202 attribute carries any referrals that were returned with the result of the
205 Operation-specific classes are defined with additional attributes to carry
206 all of the relevant parameters associated with the operation:
210 ( 1.3.6.1.4.1.4203.666.11.5.2.4
212 DESC 'Abandon operation'
213 SUP auditObject STRUCTURAL
221 attribute contains the message ID of the request that was abandoned.
225 ( 1.3.6.1.4.1.4203.666.11.5.2.5
228 SUP auditWriteObject STRUCTURAL
234 class inherits from the
236 class. The Add and Modify classes are very similar. The
238 attribute carries all of the attributes of the original entry being added.
239 (Or in the case of a Modify operation, all of the modifications being
240 performed.) The values are formatted as
244 attribute:<+|-|=|#> [ value]
248 Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
249 and '#' for Increment. In an Add operation, all of the reqMod values will
250 have the '+' designator.
254 ( 1.3.6.1.4.1.4203.666.11.5.2.6
256 DESC 'Bind operation'
257 SUP auditObject STRUCTURAL
258 MUST ( reqVersion $ reqMethod ) )
265 attribute which contains the LDAP protocol version specified in the Bind
268 attribute which contains the Bind Method used in the Bind. This will be
271 for LDAP Simple Binds or
274 Note that unless configured as a global overlay, only Simple Binds using
275 DNs that reside in the current database will be logged.
279 ( 1.3.6.1.4.1.4203.666.11.5.2.7
281 DESC 'Compare operation'
282 SUP auditObject STRUCTURAL
290 attribute carries the Attribute Value Assertion used in the compare request.
294 ( 1.3.6.1.4.1.4203.666.11.5.2.8
296 DESC 'Delete operation'
297 SUP auditWriteObject STRUCTURAL
303 operation needs no further parameters. However, the
305 attribute may optionally be used to record the contents of the entry prior
306 to its deletion. The values are formatted as
313 This option is not yet implemented.
317 ( 1.3.6.1.4.1.4203.666.11.5.2.9
319 DESC 'Modify operation'
320 SUP auditWriteObject STRUCTURAL
321 MAY reqOld MUST reqMod )
326 operation contains a description of modifications in the
328 attribute, which was already described above in the Add operation. It may
329 optionally contain the previous contents of any modified attributes in the
331 attribute, using the same format as described above for the Delete operation.
332 This option is not yet implemented.
336 ( 1.3.6.1.4.1.4203.666.11.5.2.10
338 DESC 'ModRDN operation'
339 SUP auditWriteObject STRUCTURAL
340 MUST ( reqNewRDN $ reqDeleteOldRDN )
348 attribute to carry the new RDN of the request.
351 attribute is a Boolean value showing
353 if the old RDN was deleted from the entry, or
355 if the old RDN was preserved.
358 attribute carries the DN of the new parent entry if the request specified
363 ( 1.3.6.1.4.1.4203.666.11.5.2.11
365 DESC 'Search operation'
366 SUP auditReadObject STRUCTURAL
367 MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )
368 MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
376 attribute contains the scope of the original search request, using the
377 values specified for the LDAP URL format. I.e.
391 denoting how aliases will be processed during the search.
394 attribute is a Boolean value showing
396 if only attribute names were requested, or
398 if attributes and their values were requested.
401 attribute carries the filter used in the search request.
404 attribute lists the requested attributes if specific attributes were
408 attribute is the integer count of how many entries were returned by
414 attributes indicate what limits were requested on the search operation.
418 ( 1.3.6.1.4.1.4203.666.11.5.2.12
420 DESC 'Extended operation'
421 SUP auditObject STRUCTURAL
427 class represents an LDAP Extended Operation. As noted above, the actual OID of
428 the operation is included in the
430 attribute of the parent class. If any optional data was provided with the
431 request, it will be contained in the
433 attribute as an uninterpreted octet string.
436 The Access Log implemented by this overlay may be used for a variety of
437 other tasks, e.g. as a ChangeLog for a replication mechanism, as well
438 as for security/audit logging purposes.
443 default slapd configuration file
449 This module was written in 2005 by Howard Chu of Symas Corporation.