OpenLDAP

About

OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license, the OpenLDAP Public License. LDAP itself is a platform-independent protocol; the OpenLDAP server daemon, slapd, is the component whose syslog output this integration parses.

Product Details

Vendor URL: OpenLDAP

Product Type: Identity/Access Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: OpenLDAP

Log Guide: OpenLDAP

Parser Details

Log Format: Syslog

Expected Normalization Rate: near 100%

Data Label: OPENLDAP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field    UDM Field
----------------  --------------------------------------
action            metadata.product_event_type
attr              additional.fields.value.string_value
base              target.file.full_path
conn              network.session_id
daemon            principal.application
deref             additional.fields.value.string_value
dn                target.file.full_path
err               additional.fields.value.string_value
fd                additional.fields.value.string_value
filter            target.process.command_line
mech              additional.fields.value.string_value
method            additional.fields.value.string_value
nentries          additional.fields.value.string_value
op                additional.fields.value.string_value
principal_host    principal.hostname
principal_ip      principal.ip
principal_pid     principal.process.pid
principal_port    principal.port
scope             additional.fields.value.string_value
ssf               additional.fields.value.string_value
tag               additional.fields.value.string_value
target_ip         target.ip
target_port       target.port
target_user       target.user.userid
text              additional.fields.value.string_value
tls_ssf           additional.fields.value.string_value
uri               network.http.referral_url

Product Event Types

action        metadata.event_type
------------  ----------------------
ACCEPT        NETWORK_CONNECTION
all others    STATUS_UNCATEGORIZED

Log Sample

Jan  6 19:30:20 hostname1 slapd[11217]: conn=618 fd=48 ACCEPT from IP=127.0.0.1:49118 (IP=0.0.0.0:389)

Sample Parsing

metadata.event_timestamp = "2022-01-06T19:30:20Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "OpenLDAP"
metadata.product_event_type = "ACCEPT"
metadata.ingested_timestamp = "2022-01-06T19:30:41.899454Z"
additional.fd = "48"
principal.hostname = "hostname1"
principal.process.pid = "11217"
principal.ip = "127.0.0.1"
principal.port = 49118
principal.application = "slapd"
principal.asset.ip = "127.0.0.1"
target.ip = "0.0.0.0"
target.port = 389
target.asset.ip = "0.0.0.0"
network.session_id = "618"
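As an added example, not code from this page, from Chronicle or from the OpenLDAP project: a small Python parser that applies the field mapping above to slapd syslog records and produces the same UDM-style keys as the Sample Parsing. It goes beyond the single ACCEPT line on the page by also handling BIND, SRCH, SEARCH RESULT, TLS and close records in slapd's standard stats-level format. The operation keyword list, the constructed sample lines, and the year passed in to complete the year-less BSD syslog timestamp are assumptions made here, not facts from the page.

```python
"""Added example, not code from this page, from Chronicle or from the OpenLDAP
project: parse slapd syslog records into the UDM-style field names listed
above.  Assumptions: BSD syslog timestamps carry no year, so the caller
supplies one; SAMPLE_LOG below is constructed in slapd's standard 'stats'
loglevel format and does not come from a real server."""
import re
from datetime import datetime

# "Jan  6 19:30:20 hostname1 slapd[11217]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<daemon>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# key=value tokens: DNs and filters are double-quoted, everything else is bare
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
# "IP=127.0.0.1:49118" or "IP=[::1]:49118"
ADDR_RE = re.compile(r"IP=(?:\[(?P<ip6>[^\]]+)\]|(?P<ip4>[^\s:\[]+)):(?P<port>\d+)")

# Operation keywords slapd writes right after "conn=N fd=N " or "conn=N op=N "
# (assumed list).  Longer keywords come first so MODRDN is not read as MOD,
# or SEARCH RESULT as RESULT.
ACTIONS = ("ACCEPT", "TLS established", "STARTTLS", "SEARCH RESULT", "RESULT",
           "UNBIND", "BIND", "SRCH", "MODRDN", "MOD", "ADD", "DEL", "CMP",
           "EXT", "closed")

# Field mapping taken from the table on this page
DIRECT_MAP = {
    "conn": "network.session_id",
    "dn": "target.file.full_path",
    "base": "target.file.full_path",
    "filter": "target.process.command_line",
    "uri": "network.http.referral_url",
}
ADDITIONAL = {"attr", "deref", "err", "fd", "mech", "method", "nentries",
              "op", "scope", "ssf", "tag", "text", "tls_ssf"}


def parse_slapd_line(line, year):
    """Return {UDM field: value} for one slapd syslog line, or None if the
    line is not a slapd syslog record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.vendor_name": "OpenLDAP",
        "principal.hostname": m["host"],
        "principal.application": m["daemon"],
        "principal.process.pid": m["pid"],
    }
    msg = m["msg"]
    # The operation keyword follows the conn=/fd= or conn=/op= prefix.  Match
    # it there rather than anywhere in the line, so a DN or filter containing
    # a word such as ADD cannot change the event type.
    rest = re.sub(r"^conn=-?\d+ (?:fd|op)=\d+ ", "", msg)
    action = next((a for a in ACTIONS if rest.startswith(a)), None)
    if action:
        udm["metadata.product_event_type"] = action
    udm["metadata.event_type"] = ("NETWORK_CONNECTION" if action == "ACCEPT"
                                  else "STATUS_UNCATEGORIZED")
    if action == "ACCEPT":
        # first endpoint is the client, second (in parentheses) the listener
        addrs = [(a["ip6"] or a["ip4"], int(a["port"])) for a in ADDR_RE.finditer(msg)]
        if len(addrs) == 2:
            (udm["principal.ip"], udm["principal.port"]), (udm["target.ip"], udm["target.port"]) = addrs
            udm["principal.asset.ip"], udm["target.asset.ip"] = addrs[0][0], addrs[1][0]
    for kv in KV_RE.finditer(msg):
        value = kv["quoted"] if kv["quoted"] is not None else kv["bare"]
        if kv["key"] in DIRECT_MAP:
            udm[DIRECT_MAP[kv["key"]]] = value
        elif kv["key"] in ADDITIONAL:
            udm["additional." + kv["key"]] = value
    # "SRCH attr=uid cn mail" lists requested attributes separated by spaces
    if rest.startswith("SRCH attr="):
        udm["additional.attr"] = rest[len("SRCH attr="):]
    return udm


def parse_slapd_log(text, year):
    """Parse every line of a syslog capture, skipping non-slapd records."""
    events = [parse_slapd_line(l, year) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


# Constructed sample: one client connecting, binding, searching and leaving.
SAMPLE_LOG = """\
Jan  6 19:30:20 hostname1 slapd[11217]: conn=618 fd=48 ACCEPT from IP=127.0.0.1:49118 (IP=0.0.0.0:389)
Jan  6 19:30:20 hostname1 slapd[11217]: conn=618 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan  6 19:30:20 hostname1 slapd[11217]: conn=618 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Jan  6 19:30:20 hostname1 slapd[11217]: conn=618 op=0 RESULT tag=97 err=0 text=
Jan  6 19:30:21 hostname1 slapd[11217]: conn=618 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Jan  6 19:30:21 hostname1 slapd[11217]: conn=618 op=1 SRCH attr=uid cn
Jan  6 19:30:21 hostname1 slapd[11217]: conn=618 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  6 19:30:21 hostname1 slapd[11217]: conn=618 op=2 UNBIND
Jan  6 19:30:21 hostname1 slapd[11217]: conn=618 fd=48 closed
"""

if __name__ == "__main__":
    for event in parse_slapd_log(SAMPLE_LOG, year=2022):
        print(event["metadata.product_event_type"], event)
```

Two points a practitioner will hit with real data: the syslog header has no year, so the parser must be told which year to stamp (the Sample Parsing above shows 2022, consistent with the ingestion timestamp), and the operation keyword must be taken from the fixed position after the conn=/op= prefix rather than searched for anywhere in the line, because DNs and search filters are attacker-influenced strings that can contain any keyword.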

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon