07. 03. 2018 Juergen Vigna Log Management, NetEye

Analyze your OpenLDAP Logs

Suppose you have an OpenLDAP Server and you want to analyze what it does.  A good way to do this is to send the logs to NetEye’s LogServer.  Some elements you will see include:

– Returned Entries! (ENTRY)

– Search Operations! (SEARCH)

– Total Connections! (BIND)

To do this you need to add a new logstash filter this way:

# BEGIN OPENLDAP LOG
filter {
  if [program] == "slapd" {
    grok {
        match => [ "message", "(?:(?:<= (?:b|m)db_%{DATA:index_error_filter_type}_candidates: \(%{WORD:index_error_attribute_name}\) not indexed)|(?:ppolicy_%{DATA:ppolicy_op}: %{DATA:ppolicy_data})|(?:connection_input: conn=%{INT:connection} deferring operation: %{DATA:deferring_op})|(?:connection_read\(%{INT:fd_number}\): no connection!)|(?:conn=%{INT:connection} (?:(?:fd=%{INT:fd_number} (?:(?:closed(?: \(connection lost\)|))|(?:ACCEPT from IP=%{IP:src_ip}\:%{INT:src_port} \(IP=%{IP:dst_ip}\:%{INT:dst_port}\))|(?:TLS established tls_ssf=%{INT:tls_ssf} ssf=%{INT:ssf})))|(?:op=%{INT:operation_number} (?:(?:(?:(?:SEARCH )|(?:))RESULT (?:tag=%{INT:tag}|oid=(?:%{DATA:oid}(?:))) err=%{INT:error_code}(?:(?: nentries=%{INT:nentries})|(?:)) text=(?:(?:%{DATA:error_text})|(?:)))|(?:%{WORD:operation_name}(?:(?: %{DATA:data})|(?:))))))))%{SPACE}$" ] remove_tag => "_grokparsefailure"
        add_tag => "openldap"
    }
    if [operation_name] == "BIND" {
      grok {
        match => [ "data", "(?:(?:(?anonymous))|(?:dn=\"%{DATA:bind_dn}\")) (?:(?:method=%{WORD:bind_method})|(?:mech=%{WORD:bind_mech} ssf=%{INT:bind_ssf}))%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "SRCH" {
      grok {
        match => [ "data", "(?:(?:base=\"%{DATA:search_base}\" scope=%{INT:search_scope} deref=%{INT:search_deref} filter=\"%{DATA:search_filter}\")|(?:attr=%{DATA:search_attr}))%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "MOD" {
      grok {
        match => [ "data", "(?:(?:dn=\"%{DATA:mod_dn}\")|(?:attr=%{DATA:mod_attr}))%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "MODRDN" {
      grok {
        match => [ "data", "dn=\"%{DATA:modrdn_dn}\"%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "ADD" {
      grok {
        match => [ "data", "dn=\"%{DATA:add_dn}\"%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "DEL" {
      grok {
        match => [ "data", "dn=\"%{DATA:del_dn}\"%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "CMP" {
      grok {
        match => [ "data", "dn=\"%{DATA:cmp_dn}\" attr=\"%{DATA:cmp_attr}\"%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [operation_name] == "EXT" {
      grok {
        match => [ "data", "oid=%{DATA:ext_oid}%{SPACE}$" ]
        remove_field => [ "data" ]
      }
    }
    if [ppolicy_op] == "bind" {
      grok {
        match => [ "ppolicy_data", "(?:(?:Entry %{DATA:ppolicy_bind_dn} has an expired password: %{INT:ppolicy_grace} grace logins)|(?:Setting warning for password expiry for %{DATA:ppolicy_bind_dn} = %{INT:ppolicy_expiration} seconds))%{SPACE}$" ]
        remove_field => [ "ppolicy_data" ]
      }
    }
  }
}
# END OPENLDAP LOG

Using this filter you can then have a Dashboard in Kibana that looks like this:

I hope you enjoy this new log feature in your LogServer.

Juergen Vigna

Juergen Vigna

NetEye Solution Architect at Würth Phoenix
I have over 20 years of experience in the IT branch. After first experiences in the field of software development for public transport companies, I finally decided to join the young and growing team of Würth Phoenix. Initially, I was responsible for the internal Linux/Unix infrastructure and the management of CVS software. Afterwards, my main challenge was to establish the meanwhile well-known IT System Management Solution WÜRTHPHOENIX NetEye. As a Product Manager I started building NetEye from scratch, analyzing existing open source models, extending and finally joining them into one single powerful solution. After that, my job turned into a passion: Constant developments, customer installations and support became a matter of personal. Today I use my knowledge as a NetEye Senior Consultant as well as NetEye Solution Architect at Würth Phoenix.

Author

Juergen Vigna

I have over 20 years of experience in the IT branch. After first experiences in the field of software development for public transport companies, I finally decided to join the young and growing team of Würth Phoenix. Initially, I was responsible for the internal Linux/Unix infrastructure and the management of CVS software. Afterwards, my main challenge was to establish the meanwhile well-known IT System Management Solution WÜRTHPHOENIX NetEye. As a Product Manager I started building NetEye from scratch, analyzing existing open source models, extending and finally joining them into one single powerful solution. After that, my job turned into a passion: Constant developments, customer installations and support became a matter of personal. Today I use my knowledge as a NetEye Senior Consultant as well as NetEye Solution Architect at Würth Phoenix.

Latest posts by Juergen Vigna

23. 02. 2024 Log-SIEM, NetEye, Unified Monitoring
Monitoring Logs in Elasticsearch: A Practical Example
22. 12. 2023 Log-SIEM, NetEye, Unified Monitoring
SIEM: Monitor Hosts Sending Data to Elasticsearch
30. 11. 2023 Log Management, Log-SIEM, NetEye, Unified Monitoring
Monitor Your Elasticsearch Agents Registered in the Elastic Fleet Server
25. 09. 2023 Icinga Web 2, NetEye, Unified Monitoring
Monitoring Downtime Automation from Windows
28. 04. 2023 Icinga Web 2, NetEye, Unified Monitoring
Elasticsearch Snapshots and How to Monitor Them
See All

Related Content

Tags: , ,

28. 10. 2022 Log Management, Log-SIEM, NetEye

Syslog Collection with Elastic under Distributed NetEye Monitoring

Anyone who has joined the beautiful world of logging has collided, sooner or later, with the collection via syslog protocol. More than 40 years have passed since syslog was invented, and in that time there have been several attempts by Read More
21. 02. 2020 Log Management, NetEye

Tornado Use Case with Elastic

Before I tell you about one of my latest customer requirements, I would like to briefly explain what our NetEye Tornado module is. In our user guide you will see it written that Tornado is the successor to NetEye's Event Read More
25. 09. 2018 Log Management, Log-SIEM, NetEye

NetEye 4 Log Management: Rsyslog and the Elastic Stack

When you need to manage and collect large amounts of data, there can be a lot of hard tasks to do.  So we decided to take some of the best Open Source tools to help us do it in the Read More
21. 12. 2017 Log-SIEM, NetEye

GROK: Instructions for Use

Grok is a plug-in installed by default in Logstash, which is supplied with the Elastic package (the ELK - Elasticsearch, Logstash and Kibana), one of the integrated modules in our NetEye Unified Monitoring solution.   What is this plug-in for? Read More
31. 10. 2017 Log Management, Log-SIEM, NetEye

Sending Cisco Syslogs to Elasticsearch: A simple guide

Do you use Cisco's network infrastructure? Would you like to view its logs through the syslog protocol in an Elasticsearch database? Find out below about the filters and templates needed for the Logstash setup. As you probably already know, you Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive