.TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2006 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2012 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-accesslog \- Access Logging overlay
+slapo\-accesslog \- Access Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.TP
.B logdb <suffix>
Specify the suffix of a database to be used for storing the log records.
-The specified database must have already been configured in a prior section
-of the config file. The suffix entry of the log database will be created
-automatically by this overlay. The log entries will be generated as the
-immediate children of the suffix entry.
+The specified database must be defined elsewhere in the configuration.
+The access controls
+on the log database should prevent general access. The suffix entry
+of the log database will be created automatically by this overlay. The log
+entries will be generated as the immediate children of the suffix entry.
.TP
.B logops <operations>
Specify which types of operations to log. The valid operation types are
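Review bot: In the logdb description, "should prevent general access" gives no reason and no pointer to how to do it. The log records can carry the old contents of entries (see logold), and whatever is stored in the log database is governed by that database's access controls, not by those of the main database. A sentence saying so, with a reference to the access stanza in EXAMPLES, would make the advice actionable. The removed text required the log database to be configured in a prior section; please confirm that "defined elsewhere" is intended to drop that ordering requirement.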
all operations
.RE
.TP
+.B logbase <operations> <baseDN>
+Specify a set of operations that will only be logged if they occur under
+a specific subtree of the database. The operation types are as above for
+the
+.B logops
+setting, and delimited by a '|' character.
+.TP
.B logold <filter>
Specify a filter for matching against Deleted and Modified entries. If
the entry matches the filter, the old contents of the entry will be
logged along with the current request.
.TP
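Review bot: The logbase description does not say how it combines with logops: whether the listed operations must also be enabled by logops, and whether they are then not logged outside <baseDN>. It also uses '|' as the delimiter while the example passes logops a space-separated list (logops writes reads), with no explanation of the difference. One sentence on precedence, and on whether logbase may be given more than once, would settle this.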
+.B logoldattr <attr> ...
+Specify a list of attributes whose old contents are always logged in
+Modify and ModRDN requests. Usually only the contents of attributes that were
+actually modified will be logged; by default no old attributes are logged
+for ModRDN requests.
+.TP
.B logpurge <age> <interval>
Specify the maximum age for log entries to be retained in the database,
and how often to scan the database for old entries. Both the
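Review bot: In the logoldattr paragraph, the second sentence ("Usually only the contents of attributes that were actually modified will be logged") does not say which configuration it describes, so it reads as contradicting "always logged" in the first sentence. Suggest wording it explicitly as the behaviour when logoldattr is not set, and naming reqOld as the attribute that receives the old values. Because the old values of every listed attribute end up in the log database, a pointer back to the access control advice under logdb would fit here.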
.SH EXAMPLES
.LP
.nf
- database bdb
- suffix cn=log
- \...
- index reqStart eq
-
database bdb
suffix dc=example,dc=com
\...
overlay accesslog
logdb cn=log
logops writes reads
+ logbase search|compare ou=testing,dc=example,dc=com
logold (objectclass=person)
+
+ database bdb
+ suffix cn=log
+ \...
+ index reqStart eq
+ access to *
+ by dn.base="cn=admin,dc=example,dc=com" read
.fi
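Review bot: The example exercises the new logbase directive but not logoldattr, the other directive this patch adds; a logoldattr line placed after logold would show the two working together. On the log database stanza, the single by clause leaves every other identity with no access because of the implicit final deny, which is worth a one-line comment for readers who copy it. The DN cn=admin,dc=example,dc=com is also not defined anywhere in the example.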
.SH SCHEMA
This schema is specifically designed for
.B accesslog
auditing and is not intended to be used otherwise. It is also
-noted that the schema describe here is
+noted that the schema described here is
.I a work in
.IR progress ,
and hence subject to change without notice.
.RS
.PD 0
.TP
-attribute:<+|-|=|#> [ value]
+attribute:<+|\-|=|#> [ value]
.RE
.RE
.PD
-Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace,
+Where '+' indicates an Add of a value, '\-' for Delete, '=' for Replace,
and '#' for Increment. In an Add operation, all of the reqMod values will
have the '+' designator.
.P
DESC 'ModRDN operation'
SUP auditWriteObject STRUCTURAL
MUST ( reqNewRDN $ reqDeleteOldRDN )
- MAY reqNewSuperior )
+ MAY ( reqNewSuperior $ reqOld ) )
.RE
.P
The
.B reqNewSuperior
attribute carries the DN of the new parent entry if the request specified
the new parent.
+The
+.B reqOld
+attribute is only populated if the entry being modified matches the
+configured
+.B logold
+filter and contains attributes in the
+.B logoldattr
+list.
.LP
.RS 4
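Review bot: This reqOld sentence makes population conditional on the entry matching the logold filter, while the new logoldattr description says the listed attributes are "always logged" in Modify and ModRDN requests. Both cannot hold as written. Please align the two passages, and state whether "and" here means both conditions are required or whether a logoldattr match alone is enough.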
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
-.BR slapd.conf (5).
+.BR slapd.conf (5),
+.BR slapd\-config (5).
.SH ACKNOWLEDGEMENTS
.P