X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-accesslog.5;h=6db7d100234dec268c3ff4ea8cbc2717e474ea4d;hb=2bbf9804b9286def13bbe5605d93ec1f7fdef456;hp=1c2d6cfe1285d80cb9021f367349b91ee6f1e1e2;hpb=da5c3ec1f426cd1c44fee5df8142ff4f6e35245e;p=openldap diff --git a/doc/man/man5/slapo-accesslog.5 b/doc/man/man5/slapo-accesslog.5 index 1c2d6cfe12..6db7d10023 100644 --- a/doc/man/man5/slapo-accesslog.5 +++ b/doc/man/man5/slapo-accesslog.5 @@ -1,9 +1,9 @@ .TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 2005-2006 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 2005-2012 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapo-accesslog \- Access Logging overlay +slapo\-accesslog \- Access Logging overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION @@ -25,10 +25,11 @@ directive. .TP .B logdb Specify the suffix of a database to be used for storing the log records. -The specified database must have already been configured in a prior section -of the config file. The suffix entry of the log database will be created -automatically by this overlay. The log entries will be generated as the -immediate children of the suffix entry. +The specified database must be defined elsewhere in the configuration. +The access controls +on the log database should prevent general access. The suffix entry +of the log database will be created automatically by this overlay. The log +entries will be generated as the immediate children of the suffix entry. .TP .B logops Specify which types of operations to log. The valid operation types are 
@@ -49,11 +50,24 @@ abandon, bind, unbind all operations .RE .TP +.B logbase +Specify a set of operations that will only be logged if they occur under +a specific subtree of the database. The operation types are as above for +the +.B logops +setting, and delimited by a '|' character. +.TP .B logold Specify a filter for matching against Deleted and Modified entries. If the entry matches the filter, the old contents of the entry will be logged along with the current request. .TP +.B logoldattr ... +Specify a list of attributes whose old contents are always logged in +Modify and ModRDN requests. Usually only the contents of attributes that were +actually modified will be logged; by default no old attributes are logged +for ModRDN requests. +.TP .B logpurge Specify the maximum age for log entries to be retained in the database, and how often to scan the database for old entries. Both the @@ -88,18 +102,21 @@ succeed or not. The default is FALSE. .SH EXAMPLES .LP .nf - database bdb - suffix cn=log - \... - index reqStart eq - database bdb suffix dc=example,dc=com \... overlay accesslog logdb cn=log logops writes reads + logbase search|compare ou=testing,dc=example,dc=com logold (objectclass=person) + + database bdb + suffix cn=log + \... + index reqStart eq + access to * + by dn.base="cn=admin,dc=example,dc=com" read .fi .SH SCHEMA @@ -109,7 +126,7 @@ overlay utilizes the "audit" schema described herein. This schema is specifically designed for .B accesslog auditing and is not intended to be used otherwise. It is also -noted that the schema describe here is +noted that the schema described here is .I a work in .IR progress , and hence subject to change without notice. 
@@ -247,11 +264,11 @@ performed.) The values are formatted as .RS .PD 0 .TP -attribute:<+|-|=|#> [ value] +attribute:<+|\-|=|#> [ value] .RE .RE .PD -Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace, +Where '+' indicates an Add of a value, '\-' for Delete, '=' for Replace, and '#' for Increment. In an Add operation, all of the reqMod values will have the '+' designator. .P @@ -354,7 +371,7 @@ filter. DESC 'ModRDN operation' SUP auditWriteObject STRUCTURAL MUST ( reqNewRDN $ reqDeleteOldRDN ) - MAY reqNewSuperior ) + MAY ( reqNewSuperior $ reqOld ) ) .RE .P The @@ -373,6 +390,14 @@ The .B reqNewSuperior attribute carries the DN of the new parent entry if the request specified the new parent. +The +.B reqOld +attribute is only populated if the entry being modified matches the +configured +.B logold +filter and contains attributes in the +.B logoldattr +list. .LP .RS 4 @@ -458,7 +483,8 @@ as for security/audit logging purposes. ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO -.BR slapd.conf (5). +.BR slapd.conf (5), +.BR slapd\-config (5). .SH ACKNOWLEDGEMENTS .P
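Review bot: In the logdb hunk (@@ -25,10 +25,11 @@), the new sentence "The access controls on the log database should prevent general access" gives the administrator no reason and no pointer. Suggest stating why: once logold is set, log entries carry the old contents of deleted and modified entries, so the log database can expose the same attribute values the main database's ACLs protect. A reference to slapd.access(5) for how to restrict it would help too.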
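Review bot: In the logbase text added by the @@ -49,11 +50,24 @@ hunk, the interaction with logops is left undocumented. The description says the operations "will only be logged if they occur under a specific subtree", but the example in this patch sets both "logops writes reads" and "logbase search|compare ou=testing,dc=example,dc=com", and nothing says whether an operation named in logbase must also be selected by logops, or what happens to operations outside the subtree. One sentence covering that would remove the guesswork.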
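Review bot: In the EXAMPLES hunk (@@ -88,18 +102,21 @@), the ACL added to the cn=log database, "access to * by dn.base="cn=admin,dc=example,dc=com" read", keeps everyone else out only through the implicit "by * none" that terminates every access clause. Since this stanza is the illustration of the logdb advice to prevent general access, suggest writing the "by * none" line out so the deny is visible in the example rather than implied.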
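Review bot: The reqOld paragraph added by the @@ -373,6 +390,14 @@ hunk reads as contradicting the logoldattr description added earlier in this patch. Here reqOld is "only populated if the entry being modified matches the configured logold filter and contains attributes in the logoldattr list", while logoldattr says the listed attributes' old contents "are always logged in Modify and ModRDN requests". Suggest aligning the two on whether a logold match is required. In this ModRDN section "the entry being modified" would also read better as "the entry being renamed".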
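Review bot: In the SEE ALSO hunk (@@ -458,7 +483,8 @@), slapd.access(5) is missing from the list even though the logdb text and the example added by this patch now depend on access controls. Suggest adding it alongside the new slapd\-config(5) entry.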