# OpenLDAP

## About
OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP), developed by the OpenLDAP Project and released under its own BSD-style license, the OpenLDAP Public License. LDAP itself is a platform-independent protocol.
## Product Details
Vendor URL: OpenLDAP
Product Type: Identity/Access Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: OpenLDAP
Log Guide: OpenLDAP
## Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: OPENLDAP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | metadata.product_event_type |
| attr | additional.fields.value.string_value |
| base | target.file.full_path |
| conn | network.session_id |
| daemon | principal.application |
| deref | additional.fields.value.string_value |
| dn | target.file.full_path |
| err | additional.fields.value.string_value |
| fd | additional.fields.value.string_value |
| filter | target.process.command_line |
| mech | additional.fields.value.string_value |
| method | additional.fields.value.string_value |
| nentries | additional.fields.value.string_value |
| op | additional.fields.value.string_value |
| principal_host | principal.hostname |
| principal_ip | principal.ip |
| principal_pid | principal.process.pid |
| principal_port | principal.port |
| scope | additional.fields.value.string_value |
| ssf | additional.fields.value.string_value |
| tag | additional.fields.value.string_value |
| target_ip | target.ip |
| target_port | target.port |
| target_user | target.user.userid |
| text | additional.fields.value.string_value |
| tls_ssf | additional.fields.value.string_value |
| uri | network.http.referral_url |
## Product Event Types
| action | metadata.event_type |
|---|---|
| ACCEPT | NETWORK_CONNECTION |
| all others | STATUS_UNCATEGORIZED |
## Log Sample
Jan 6 19:30:20 hostname1 slapd[11217]: conn=618 fd=48 ACCEPT from IP=127.0.0.1:49118 (IP=0.0.0.0:389)
## Sample Parsing
metadata.event_timestamp = "2022-01-06T19:30:20Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "OpenLDAP"
metadata.product_event_type = "ACCEPT"
metadata.ingested_timestamp = "2022-01-06T19:30:41.899454Z"
additional.fd = "48"
principal.hostname = "hostname1"
principal.process.pid = "11217"
principal.ip = "127.0.0.1"
principal.port = 49118
principal.application = "slapd"
principal.asset.ip = "127.0.0.1"
target.ip = "0.0.0.0"
target.port = 389
target.asset.ip = "0.0.0.0"
network.session_id = "618"
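The following is an added example, not the product's parser: a small Python normaliser that applies the UDM mapping from the table above to slapd syslog lines, handling the ACCEPT sample and the "all others" case (STATUS_UNCATEGORIZED). The second input line is a constructed BIND message in the same slapd format, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed inputs: the first is the page's log sample, the second a made-up
# BIND message in the same slapd syslog format (not taken from the page).
SAMPLE_ACCEPT = ('Jan 6 19:30:20 hostname1 slapd[11217]: conn=618 fd=48 ACCEPT '
                 'from IP=127.0.0.1:49118 (IP=0.0.0.0:389)')
SAMPLE_BIND = ('Jan 6 19:30:21 hostname1 slapd[11217]: conn=618 op=0 BIND '
               'dn="cn=admin,dc=example,dc=com" method=128')

SYSLOG_RE = re.compile(r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
                       r'(?P<host>\S+) (?P<daemon>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<pip>[^:\s]+):(?P<pport>\d+) '
                       r'\(IP=(?P<tip>[^:\s]+):(?P<tport>\d+)\)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# Mapping taken from the UDM Fields table; the remaining keys go to additional.fields.
DIRECT = {'conn': 'network.session_id', 'dn': 'target.file.full_path',
          'base': 'target.file.full_path', 'filter': 'target.process.command_line',
          'uri': 'network.http.referral_url'}
ADDITIONAL = {'attr', 'deref', 'err', 'fd', 'mech', 'method', 'nentries', 'op',
              'scope', 'ssf', 'tag', 'text', 'tls_ssf'}

def parse_slapd(line, year=2022):
    """Normalise one slapd syslog line into a flat dict keyed by UDM field name."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a slapd syslog line; leave it unnormalised
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", '%Y %b %d %H:%M:%S')
    udm = {'metadata.event_timestamp': ts.strftime('%Y-%m-%dT%H:%M:%SZ'),
           'metadata.vendor_name': 'OpenLDAP', 'principal.hostname': m['host'],
           'principal.process.pid': m['pid'], 'principal.application': m['daemon'],
           'additional.fields': {}}
    msg = m['msg']
    # The action is the first bare upper-case token (ACCEPT, BIND, SRCH, RESULT, ...).
    action = next((t for t in msg.split() if '=' not in t and t.isupper()), 'UNKNOWN')
    udm['metadata.product_event_type'] = action
    udm['metadata.event_type'] = 'NETWORK_CONNECTION' if action == 'ACCEPT' else 'STATUS_UNCATEGORIZED'
    for key, quoted, bare in KV_RE.findall(msg):
        value = quoted if quoted else bare
        if key in DIRECT:
            udm[DIRECT[key]] = value
        elif key in ADDITIONAL:
            udm['additional.fields'][key] = value
    a = ACCEPT_RE.search(msg)
    if a:  # ACCEPT carries client and listener endpoints; ports are numeric in UDM
        udm.update({'principal.ip': a['pip'], 'principal.port': int(a['pport']),
                    'target.ip': a['tip'], 'target.port': int(a['tport'])})
    return udm
```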
## Parser Alerting
This product currently does not have any Parser-based Alerting.