# OpenLDAP

## About

OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license, the OpenLDAP Public License. LDAP itself is a platform-independent protocol.
## Product Details

- Vendor URL: OpenLDAP
- Product Type: Identity/Access Management
- Product Tier: Tier III
- Integration Method: Syslog
- Integration URL: OpenLDAP
- Log Guide: OpenLDAP
## Parser Details

- Log Format: Syslog
- Expected Normalization Rate: near 100%
- Data Label: OPENLDAP

UDM Fields (all UDM fields the parser populates):
| Log File Field | UDM Field |
|---|---|
| action | metadata.product_event_type |
| attr | additional.fields.value.string_value |
| base | target.file.full_path |
| conn | network.session_id |
| daemon | principal.application |
| deref | additional.fields.value.string_value |
| dn | target.file.full_path |
| err | additional.fields.value.string_value |
| fd | additional.fields.value.string_value |
| filter | target.process.command_line |
| mech | additional.fields.value.string_value |
| method | additional.fields.value.string_value |
| nentries | additional.fields.value.string_value |
| op | additional.fields.value.string_value |
| principal_host | principal.hostname |
| principal_ip | principal.ip |
| principal_pid | principal.process.pid |
| principal_port | principal.port |
| scope | additional.fields.value.string_value |
| ssf | additional.fields.value.string_value |
| tag | additional.fields.value.string_value |
| target_ip | target.ip |
| target_port | target.port |
| target_user | target.user.userid |
| text | additional.fields.value.string_value |
| tls_ssf | additional.fields.value.string_value |
| uri | network.http.referral_url |
## Product Event Types

| action | metadata.event_type |
|---|---|
| ACCEPT | NETWORK_CONNECTION |
| all others | STATUS_UNCATEGORIZED |
## Log Sample

```text
Jan 6 19:30:20 hostname1 slapd[11217]: conn=618 fd=48 ACCEPT from IP=127.0.0.1:49118 (IP=0.0.0.0:389)
```
## Sample Parsing

```text
metadata.event_timestamp = "2022-01-06T19:30:20Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "OpenLDAP"
metadata.product_event_type = "ACCEPT"
metadata.ingested_timestamp = "2022-01-06T19:30:41.899454Z"
additional.fd = "48"
principal.hostname = "hostname1"
principal.process.pid = "11217"
principal.ip = "127.0.0.1"
principal.port = 49118
principal.application = "slapd"
principal.asset.ip = "127.0.0.1"
target.ip = "0.0.0.0"
target.port = 386
target.asset.ip = "0.0.0.0"
network.session_id = "618"
```
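The following is an added example, not the vendor's parser or code from this page: it maps the sample line above to the UDM fields from the tables, applying the ACCEPT to NETWORK_CONNECTION rule and the "all others" STATUS_UNCATEGORIZED fallback. The regular expressions, the `year` parameter (BSD syslog timestamps carry no year) and the first-all-caps-token heuristic for non-ACCEPT lines are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed input: the slapd ACCEPT line quoted in this page's Log Sample.
SAMPLE = ("Jan 6 19:30:20 hostname1 slapd[11217]: conn=618 fd=48 ACCEPT "
          "from IP=127.0.0.1:49118 (IP=0.0.0.0:389)")
# BSD syslog header (no year) followed by the slapd message body.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<daemon>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# ACCEPT body: connection id, file descriptor, client and listener endpoints.
ACCEPT_RE = re.compile(
    r"^conn=(?P<conn>\d+) fd=(?P<fd>\d+) ACCEPT from IP=(?P<pip>[^:\s]+):(?P<pport>\d+)"
    r" \(IP=(?P<tip>[^:\s]+):(?P<tport>\d+)\)$")
# Product Event Types table: ACCEPT is the only action with a dedicated type.
EVENT_TYPES = {"ACCEPT": "NETWORK_CONNECTION"}

def parse_openldap(line, year=2022):
    """Map one slapd syslog line to the UDM fields from this page's tables.
    Syslog omits the year, so the caller supplies it (default fits the sample)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a syslog line in the expected shape
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    udm = {"metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
           "metadata.vendor_name": "OpenLDAP",
           "principal.hostname": m["host"],
           "principal.application": m["daemon"],
           "principal.process.pid": m["pid"]}
    a = ACCEPT_RE.match(m["msg"])
    if a:
        action = "ACCEPT"
        udm.update({"network.session_id": a["conn"], "additional.fd": a["fd"],
                    "principal.ip": a["pip"], "principal.port": int(a["pport"]),
                    "target.ip": a["tip"], "target.port": int(a["tport"])})
    else:
        # Assumed heuristic for every other slapd line: the first all-caps token
        # (BIND, SRCH, ...) is the action; keep conn= as the session id if present.
        caps = re.search(r"\b([A-Z]{2,})\b", m["msg"])
        action = caps.group(1) if caps else "UNKNOWN"
        conn = re.search(r"\bconn=(\d+)", m["msg"])
        if conn:
            udm["network.session_id"] = conn.group(1)
    udm["metadata.product_event_type"] = action
    udm["metadata.event_type"] = EVENT_TYPES.get(action, "STATUS_UNCATEGORIZED")
    return udm

if __name__ == "__main__":
    for k, v in parse_openldap(SAMPLE).items():
        print(f"{k} = {v!r}")
```

Running it against the sample reproduces the field values listed under Sample Parsing (ingestion timestamp and asset fields aside), which is a quick way to check a parser change before deploying it.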
## Parser Alerting

This product currently does not have any parser-based alerting.
## Rules

Coming soon.