Analyse logs with ElasticSearch, Logstash and Kibana
Clément OUDOT
@clementoudot
● Founded in 1999
● >100 persons
● Montréal, Quebec City, Ottawa, Paris
● ISO 9001:2004 / ISO 14001:2008
● contact@savoirfairelinux.com
Summary
1. The ELK stack
2. Format of OpenLDAP logs
3. OpenLDAP with ELK
1. The ELK stack

ELASTICSEARCH / LOGSTASH / KIBANA

Elasticsearch
● Written in Java
● License Apache 2.0
● Based on Lucene
● JSON
● REST
● Distributed
● Index and fields
clement@ader-sfl:~$ curl http://localhost:9200
{
"status" : 200,
"name" : "Mahkizmo",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "1.6.0",
"build_hash" : "cdd3ac4dde4f69524ec0a14de3828cb95bbb86d0",
"build_timestamp" : "2015-06-09T13:36:34Z",
"build_snapshot" : false,
"lucene_version" : "4.10.4"
},
"tagline" : "You Know, for Search"
}
https://mobz.github.io/elasticsearch-head/

Logstash
● JRuby
● License Apache 2.0
● Multiple inputs (file, syslog, ...)
● Multiple outputs (console, redis, elasticsearch, ...)
● Filters

root@ader-sfl:~# /opt/logstash/bin/logstash -e 'input { stdin { } } output { stdout { codec => rubydebug } }'
Logstash startup completed
RMLL 2015
{
"message" => "RMLL 2015",
"@version" => "1",
"@timestamp" => "2015-07-02T08:29:09.363Z",
"host" => "ader-sfl"
}
Grok
● Grok parses a message and stores its content in fields
● Grok comes with standard patterns (Syslog, Apache, ...)
● You can also define your own patterns
● Grok debugger: http://grokdebug.herokuapp.com/
Example of grok patterns
# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
Using grok in logstash
input {
  file {
    path => "/var/log/http.log"
  }
}
filter {
  grok {
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}
Matching log line: 55.3.244.1 GET /index.html 15824 0.043
Kibana
● JavaScript
● License Apache 2.0
● Connects to Elasticsearch
● Lucene queries
● Graphs built on the fly

Working together
2. Format of OpenLDAP logs
Logging in OpenLDAP
● Relies on syslog
● Log levels are cumulative
● Log level is configured in the olcLogLevel parameter in cn=config

dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: stats
Level   Hex      Keyword   Description
-1               any       enable all debugging
0                          no debugging
1       0x1      trace     trace function calls
2       0x2      packets   debug packet handling
4       0x4      args      heavy trace debugging
8       0x8      conns     connection management
16      0x10     BER       print out packets sent and received
32      0x20     filter    search filter processing
64      0x40     config    configuration processing
128     0x80     ACL       access control list processing
256     0x100    stats     stats log connections/operations/results
512     0x200    stats2    stats log entries sent
1024    0x400    shell     print communication with shell backends
2048    0x800    parse     print entry parsing debugging
16384   0x4000   sync      syncrepl consumer processing
32768   0x8000   none      only messages that get logged whatever log level is set
Information in the “stats” loglevel
● Connections (opening, closing, TLS, ...)
● Operations and results
● Errors and warnings:
– Missing index
– Connection lost
– Password policy messages
– ...
Connections
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162707 fd=12 ACCEPT from IP=127.0.0.1:44678 (IP=0.0.0.0:389)
...
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162707 fd=12 closed
Operation: BIND and UNBIND
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 BIND dn="cn=admin,dc=example,dc=com" method=128
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 RESULT tag=97 err=0 text=
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162708 op=7 UNBIND
Operation: SEARCH
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH base="ou=users,dc=example,dc=com" scope=1 deref=0 filter="(objectClass=*)"
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH attr=uid
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SEARCH RESULT tag=101 err=0 nentries=50 text=
Operation: MODIFY
Jul 1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 MOD dn="uid=user1,ou=users,dc=example,dc=com"
Jul 1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 MOD attr=userPassword
Jul 1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 RESULT tag=103 err=0 text=
Errors and warnings
Jul 1 17:18:48 ader-sfl slapd[1377]: conn=162711 fd=12 closed (connection lost)
Jul 1 09:28:40 ader-sfl slapd[1377]: connection_input: conn=93309 deferring operation: binding
Jul 2 08:41:02 ader-sfl slapd[1377]: <= mdb_equality_candidates: (objectClass) not indexed
Jul 1 16:23:46 ader-sfl slapd[1377]: ppolicy_bind: Setting warning for password expiry for uid=user1,ou=users,dc=example,dc=com = 589 seconds
Logfile alternatives
● Overlay accesslog: log events in an LDAP backend
● Overlay auditlog: log events in an LDIF file
3. OpenLDAP with ELK
Configure logstash
● Input:
– OpenLDAP logfile
– Syslog
● Filters:
– Syslog Grok pattern
– Date
– OpenLDAP specific log patterns
● Output: elasticsearch
Main grok pattern
%{SYSLOGBASE} (?:(?:<= (?:b|m)db_%{DATA:index_error_filter_type}_candidates: \(%{WORD:index_error_attribute_name}\) not indexed)|(?:ppolicy_%{DATA:ppolicy_op}: %{DATA:ppolicy_data})|(?:connection_input: conn=%{INT:connection} deferring operation: %{DATA:deferring_op})|(?:connection_read\(%{INT:fd_number}\): no connection!)|(?:conn=%{INT:connection} (?:(?:fd=%{INT:fd_number} (?:(?:closed(?: \(connection lost\)|))|(?:ACCEPT from IP=%{IP:src_ip}:%{INT:src_port} \(IP=%{IP:dst_ip}:%{INT:dst_port}\))|(?:TLS established tls_ssf=%{INT:tls_ssf} ssf=%{INT:ssf})))|(?:op=%{INT:operation_number} (?:(?:(?:(?:SEARCH )|(?:))RESULT (?:tag=%{INT:tag}|oid=(?:%{DATA:oid}(?:))) err=%{INT:error_code}(?:(?: nentries=%{INT:nentries})|(?:)) text=(?:(?:%{DATA:error_text})|(?:)))|(?:%{WORD:operation_name}(?:(?: %{DATA:data})|(?:))))))))%{SPACE}$
Conditional grok pattern
if [operation_name] == "SRCH" {
  grok {
    match => [ "data", "(?:(?:base=\"%{DATA:search_base}\" scope=%{INT:search_scope} deref=%{INT:search_deref} filter=\"%{DATA:search_filter}\")|(?:attr=%{DATA:search_attr}))%{SPACE}$" ]
  }
}
if [operation_name] == "ADD" {
  grok {
    match => [ "data", "dn=\"%{DATA:add_dn}\"%{SPACE}$" ]
  }
}
Display data in Kibana
● Access to all logged messages
● Query data, for example:
– Follow a connection: connection=162738
– Find missing index: _exists_:index_error_attribute_name
● Create dashboards, for example:
– LDAP operations
– LDAP error codes
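To show what the main and conditional grok patterns extract, and the data behind the Kibana queries and dashboards listed above, here is an added Python example (not the deck's code and not from the openldap-elk project) that re-implements the same captures as named-group regexes and runs them over the deck's sample lines. Field names are the grok ones; the close_reason field, the err=49 RESULT line and the final non-stats line are constructed additions of this example.

```python
import re
from collections import Counter

# SYSLOGBASE equivalent: "Jul  1 15:27:39 ader-sfl slapd[1377]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<logsource>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# One regex per alternative of the deck's main grok pattern, tried in this order.
# Field names are the grok captures; close_reason is added here; IPv4 addresses only.
CONN = r"^conn=(?P<connection>\d+) "
MESSAGE_RES = [
    re.compile(r"^<= (?:b|m)db_(?P<index_error_filter_type>[a-z]+)_candidates: "
               r"\((?P<index_error_attribute_name>\w+)\) not indexed$"),
    re.compile(r"^ppolicy_(?P<ppolicy_op>\w+): (?P<ppolicy_data>.*)$"),
    re.compile(r"^connection_input: conn=(?P<connection>\d+) deferring operation: (?P<deferring_op>.*)$"),
    re.compile(CONN + r"fd=(?P<fd_number>\d+) closed(?: \((?P<close_reason>connection lost)\))?$"),
    re.compile(CONN + r"fd=(?P<fd_number>\d+) ACCEPT from IP=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
               r"\(IP=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)$"),
    re.compile(CONN + r"fd=(?P<fd_number>\d+) TLS established tls_ssf=(?P<tls_ssf>\d+) ssf=(?P<ssf>\d+)$"),
    re.compile(CONN + r"op=(?P<operation_number>\d+) (?:SEARCH )?RESULT "
               r"(?:tag=(?P<tag>\d+)|oid=(?P<oid>\S*)) err=(?P<error_code>\d+)"
               r"(?: nentries=(?P<nentries>\d+))? text=(?P<error_text>.*)$"),
    re.compile(CONN + r"op=(?P<operation_number>\d+) (?P<operation_name>\w+)(?: (?P<data>.*))?$"),
]

# Second stage on the "data" field, like the deck's "if [operation_name] == ..." blocks.
STAGE_TWO = {
    "SRCH": re.compile(r'^(?:base="(?P<search_base>[^"]*)" scope=(?P<search_scope>\d+) '
                       r'deref=(?P<search_deref>\d+) filter="(?P<search_filter>.*)"'
                       r'|attr=(?P<search_attr>.*))$'),
    "ADD": re.compile(r'^dn="(?P<add_dn>[^"]*)"$'),
}

def _captured(m):
    """Keep only the groups that matched, as grok does."""
    return {k: v for k, v in m.groupdict().items() if v is not None}

def parse_line(line):
    """Flat event dict for one syslog line, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    event = _captured(m)
    message = event.pop("message")
    for rx in MESSAGE_RES:
        mm = rx.match(message)
        if mm:
            event.update(_captured(mm))
            break
    else:  # no alternative matched: keep the raw message and tag it as Logstash would
        event["message"] = message
        event["tags"] = ["_grokparsefailure"]
        return event
    rx2 = STAGE_TWO.get(event.get("operation_name"))
    mm2 = rx2.match(event.get("data", "")) if rx2 else None
    if mm2:
        event.update(_captured(mm2))
    return event

def parse_lines(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def operations_histogram(events):
    """Data behind the deck's "LDAP operations" dashboard."""
    return dict(Counter(e["operation_name"] for e in events if "operation_name" in e))

def error_code_histogram(events):
    """Data behind the "LDAP error codes" dashboard. Keys stay strings because grok
    stores %{INT:x} as text unless the pattern says %{INT:x:int}."""
    return dict(Counter(e["error_code"] for e in events if "error_code" in e))

def follow_connection(events, connection):
    """The Kibana query connection=<n>: every event of one client connection."""
    return [e for e in events if e.get("connection") == connection]

# Sample input: the deck's own example lines, plus a constructed failed BIND (err=49)
# and a constructed non-stats line to exercise the parse-failure path.
SAMPLE_LOG = """\
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162707 fd=12 ACCEPT from IP=127.0.0.1:44678 (IP=0.0.0.0:389)
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 RESULT tag=97 err=0 text=
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH base="ou=users,dc=example,dc=com" scope=1 deref=0 filter="(objectClass=*)"
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH attr=uid
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SEARCH RESULT tag=101 err=0 nentries=50 text=
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162708 op=7 UNBIND
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162707 fd=12 closed
Jul  1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 MOD attr=userPassword
Jul  1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 RESULT tag=103 err=0 text=
Jul  1 17:18:48 ader-sfl slapd[1377]: conn=162711 fd=12 closed (connection lost)
Jul  1 09:28:40 ader-sfl slapd[1377]: connection_input: conn=93309 deferring operation: binding
Jul  2 08:41:02 ader-sfl slapd[1377]: <= mdb_equality_candidates: (objectClass) not indexed
Jul  1 16:23:46 ader-sfl slapd[1377]: ppolicy_bind: Setting warning for password expiry for uid=user1,ou=users,dc=example,dc=com = 589 seconds
Jul  2 09:00:01 ader-sfl slapd[1377]: conn=162740 op=0 RESULT tag=97 err=49 text=
Jul  2 09:00:02 ader-sfl slapd[1377]: daemon: shutdown requested and initiated.
"""
```

Call parse_lines(SAMPLE_LOG) and pass the result to the three helpers; the last sample line shows the _grokparsefailure tag worth alerting on, since a silently unmatched line means a log format change has broken the pattern.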
Use and improve!
https://github.com/coudot/openldap-elk
Seems all clear. Any questions?

Analyse OpenLDAP logs with ELK

  • 1. Analyse logs with ElasticSearch, Logstash and Kibana
  • 2. 2 Clément OUDOT @clementoudot ● Founded in 1999 ● >100 persons ● Montréal, Quebec City, Ottawa, Paris ● ISO 9001:2004 / ISO 14001:2008 ● contact@savoirfairelinux.com
  • 3. 3 Summary 11 22 33 The ELK stack Format of OpenLDAP logs OpenLDAP with ELK
  • 6. 6 Elasticsearch ● Written in Java ● License Apache 2.0 ● Based on Lucene ● JSON ● REST ● Distributed ● Index and fields
  • 7. 7 clement@ader-sfl:~$ curl http://localhost:9200 { "status" : 200, "name" : "Mahkizmo", "cluster_name" : "elasticsearch", "version" : { "number" : "1.6.0", "build_hash" : "cdd3ac4dde4f69524ec0a14de3828cb95bbb86d0", "build_timestamp" : "2015-06-09T13:36:34Z", "build_snapshot" : false, "lucene_version" : "4.10.4" }, "tagline" : "You Know, for Search" }
  • 9. 9 Logstash ● JRuby ● License Apache 2.0 ● Multiple inputs (file, syslog, ...) ● Multiple outputs (console, redis, elasticsearch, …) ● Filters
  • 10. 10 root@ader-sfl:~# /opt/logstash/bin/logstash -e 'input { stdin { } } output { stdout { codec => rubydebug } }' Logstash startup completed RMLL 2015 { "message" => "RMLL 2015", "@version" => "1", "@timestamp" => "2015-07-02T08:29:09.363Z", "host" => "ader-sfl" }
  • 11. 11 Grok ● Grok allows to parse message and store content in fields ● Grok comes with standard patterns (Syslog, Apache, …) ● You can also define you own patterns ● Grok debugger: http://grokdebug.herokuapp.com/
  • 12. 12 Example of grok patterns # Log formats SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?% {SYSLOGHOST:logsource} %{SYSLOGPROG}: COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" % {NUMBER:response} (?:%{NUMBER:bytes}|-) COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
  • 13. 13 Using grok in logstash input { file { path => "/var/log/http.log" } } filter { grok { match => { "message" => "%{IP:client} %{WORD:method} % {URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" } } } 55.3.244.1 GET /index.html 15824 0.043
  • 14. 14 Kibana ● Javascript ● License Apache 2.0 ● Connect to elasticsearch ● Lucene queries ● On the fly graphics
  • 15. 15
  • 18. 18 Logging in OpenLDAP ● Relies on syslog ● Log levels are cumulative ● Log level is configured in olcLogLevel parameter in cn=config dn: cn=config objectClass: olcGlobal cn: config olcLogLevel: stats
19
Level  Keyword          Description
-1     any              enable all debugging
0                       no debugging
1      (0x1 trace)      trace function calls
2      (0x2 packets)    debug packet handling
4      (0x4 args)       heavy trace debugging
8      (0x8 conns)      connection management
16     (0x10 BER)       print out packets sent and received
32     (0x20 filter)    search filter processing
64     (0x40 config)    configuration processing
128    (0x80 ACL)       access control list processing
256    (0x100 stats)    stats log connections/operations/results
512    (0x200 stats2)   stats log entries sent
1024   (0x400 shell)    print communication with shell backends
2048   (0x800 parse)    print entry parsing debugging
16384  (0x4000 sync)    syncrepl consumer processing
32768  (0x8000 none)    only messages that get logged whatever log level is set
20
Information in the "stats" loglevel
● Connections (opening, closing, TLS, ...)
● Operations and results
● Errors and warnings:
– Missing index
– Connection lost
– Password policy messages
– ...
21
Connections
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162707 fd=12 ACCEPT from IP=127.0.0.1:44678 (IP=0.0.0.0:389)
...
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162707 fd=12 closed
22
Operation: BIND and UNBIND
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 BIND dn="cn=admin,dc=example,dc=com" method=128
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 RESULT tag=97 err=0 text=
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162708 op=7 UNBIND
23
Operation: SEARCH
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH base="ou=users,dc=example,dc=com" scope=1 deref=0 filter="(objectClass=*)"
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH attr=uid
Jul 1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SEARCH RESULT tag=101 err=0 nentries=50 text=
24
Operation: MODIFY
Jul 1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 MOD dn="uid=user1,ou=users,dc=example,dc=com"
Jul 1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 MOD attr=userPassword
Jul 1 16:10:36 ader-sfl slapd[1377]: conn=162711 op=17 RESULT tag=103 err=0 text=
25
Errors and warnings
Jul 1 17:18:48 ader-sfl slapd[1377]: conn=162711 fd=12 closed (connection lost)
Jul 1 09:28:40 ader-sfl slapd[1377]: connection_input: conn=93309 deferring operation: binding
Jul 2 08:41:02 ader-sfl slapd[1377]: <= mdb_equality_candidates: (objectClass) not indexed
Jul 1 16:23:46 ader-sfl slapd[1377]: ppolicy_bind: Setting warning for password expiry for uid=user1,ou=users,dc=example,dc=com = 589 seconds
26
Logfile alternatives
● Overlay accesslog: log events in an LDAP backend
● Overlay auditlog: log events in an LDIF file
28
Configure logstash
● Input:
– OpenLDAP logfile
– Syslog
● Filters:
– Syslog Grok pattern
– Date
– OpenLDAP specific log patterns
● Output: elasticsearch
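A complete pipeline following the bullet list above, added here as an example (it is not the configuration shown in the talk). It assumes that the main OpenLDAP pattern from the "Main grok pattern" slide is saved as a named pattern, `OPENLDAP <pattern>`, in the file /etc/logstash/patterns/openldap, that slapd's syslog output is written to /var/log/openldap.log, and a Logstash release new enough for the `hosts` option of the elasticsearch output; the file paths and the index name are this example's own choices.

```logstash
input {
  file {
    path => "/var/log/openldap.log"   # assumed path of the slapd syslog file
    start_position => "beginning"
  }
}

filter {
  # First pass: the main OpenLDAP pattern, kept in its own patterns file
  # (assumed to define OPENLDAP) because it is far too long to inline here.
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => { "message" => "%{OPENLDAP}" }
  }

  # Replace @timestamp (time of ingestion) with the syslog timestamp captured by
  # SYSLOGBASE; single-digit days are padded with a second space by syslog.
  date {
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ]
  }

  # Second pass on the "data" field, keyed on the operation, as on the
  # "Conditional grok pattern" slide.
  if [operation_name] == "SRCH" {
    grok {
      match => [ "data", "(?:(?:base=\"%{DATA:search_base}\" scope=%{INT:search_scope} deref=%{INT:search_deref} filter=\"%{DATA:search_filter}\")|(?:attr=%{DATA:search_attr}))%{SPACE}$" ]
    }
  }
  if [operation_name] == "ADD" {
    grok {
      match => [ "data", "dn=\"%{DATA:add_dn}\"%{SPACE}$" ]
    }
  }

  # Numeric types let Kibana build histograms of error codes and entry counts;
  # convert is a no-op for events that do not carry the field.
  mutate {
    convert => {
      "error_code" => "integer"
      "nentries" => "integer"
      "connection" => "integer"
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "openldap-%{+YYYY.MM.dd}"   # one index per day (example naming)
  }
}
```

Events the first grok stage cannot match keep the raw message and are tagged `_grokparsefailure` by Logstash, so a Kibana query on that tag is the quickest way to find slapd messages the pattern does not yet cover.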
29
Main grok pattern
%{SYSLOGBASE} (?:(?:<= (?:b|m)db_%{DATA:index_error_filter_type}_candidates: \(%{WORD:index_error_attribute_name}\) not indexed)|(?:ppolicy_%{DATA:ppolicy_op}: %{DATA:ppolicy_data})|(?:connection_input: conn=%{INT:connection} deferring operation: %{DATA:deferring_op})|(?:connection_read\(%{INT:fd_number}\): no connection!)|(?:conn=%{INT:connection} (?:(?:fd=%{INT:fd_number} (?:(?:closed(?: \(connection lost\)|))|(?:ACCEPT from IP=%{IP:src_ip}:%{INT:src_port} \(IP=%{IP:dst_ip}:%{INT:dst_port}\))|(?:TLS established tls_ssf=%{INT:tls_ssf} ssf=%{INT:ssf})))|(?:op=%{INT:operation_number} (?:(?:(?:(?:SEARCH )|(?:))RESULT (?:tag=%{INT:tag}|oid=(?:%{DATA:oid}(?:))) err=%{INT:error_code}(?:(?: nentries=%{INT:nentries})|(?:)) text=(?:(?:%{DATA:error_text})|(?:)))|(?:%{WORD:operation_name}(?:(?: %{DATA:data})|(?:))))))))%{SPACE}$
30
Conditional grok pattern
if [operation_name] == "SRCH" {
  grok {
    match => [ "data", "(?:(?:base=\"%{DATA:search_base}\" scope=%{INT:search_scope} deref=%{INT:search_deref} filter=\"%{DATA:search_filter}\")|(?:attr=%{DATA:search_attr}))%{SPACE}$" ]
  }
}
if [operation_name] == "ADD" {
  grok {
    match => [ "data", "dn=\"%{DATA:add_dn}\"%{SPACE}$" ]
  }
}
31
Display data in Kibana
● Access to all logged messages
● Query data, for example:
– Follow a connection: connection=162738
– Find missing index: _exists_:index_error_attribute_name
● Create dashboards, for example:
– LDAP operations
– LDAP error codes
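The following Python is an added example, not code from the talk or from the Logstash project. It re-implements the grok mechanism used on the earlier slides (expanding %{NAME:field} references into a regular expression with named captures) in plain Python, applies a reduced form of the main OpenLDAP pattern and the SRCH conditional pattern to the log lines shown on the "Connections", "Operation" and "Errors and warnings" slides, and answers the Kibana questions above offline: follow_connection is the connection=162738 query, and the missing-index query reduces to filtering on the index_error_attribute_name field the parser produces. The BASE patterns are simplified stand-ins for grok's stock definitions, the three lines for conn=162738 (an ACCEPT, a BIND and an err=49 result) are constructed, and failed_binds_by_source, which joins each failed BIND to the client IP of its ACCEPT line, is this example's own addition; the pattern's ppolicy, connection_read and TLS branches are left out.

```python
import re
from collections import Counter
from functools import lru_cache

# Simplified stand-ins for the stock grok base patterns (constructed for this example).
BASE = {
    "INT": r"[+-]?\d+", "WORD": r"\w+", "DATA": r".*?", "SPACE": r"\s*",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}", "SYSLOGHOST": r"[\w.-]+",
    "MONTH": r"Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec",
    "SYSLOGTIMESTAMP": r"%{MONTH} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGPROG": r"%{WORD:program}(?:\[%{INT:pid}\])?",
    "SYSLOGBASE": r"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} %{SYSLOGPROG}:",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern, seen=None):
    """Expand %{NAME} / %{NAME:field} into a Python regex. re rejects a group name used
    twice (grok allows it; the slide's pattern captures 'connection' twice), so repeats get '__N'."""
    seen = {} if seen is None else seen
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(BASE[name], seen)
        if not field:
            return f"(?:{inner})"
        seen[field] = seen.get(field, 0) + 1
        gname = field if seen[field] == 1 else f"{field}__{seen[field]}"
        return f"(?P<{gname}>{inner})"
    return REF.sub(repl, pattern)

@lru_cache(maxsize=None)
def compile_grok(pattern):
    return re.compile(grok_to_regex(pattern))

def grok_match(pattern, text):
    """Captured fields as a dict with the '__N' suffixes stripped, or None on no match."""
    m = compile_grok(pattern).match(text)
    return None if m is None else {k.split("__")[0]: v for k, v in m.groupdict().items() if v is not None}

# Reduced form of the slide's main pattern: only the branches the sample lines exercise.
OPENLDAP = (
    r"%{SYSLOGBASE} (?:"
    r"(?:<= (?:b|m)db_%{DATA:index_error_filter_type}_candidates: \(%{WORD:index_error_attribute_name}\) not indexed)"
    r"|(?:connection_input: conn=%{INT:connection} deferring operation: %{DATA:deferring_op})"
    r"|(?:conn=%{INT:connection} (?:"
    r"(?:fd=%{INT:fd_number} (?:closed(?: \(connection lost\))?"
    r"|ACCEPT from IP=%{IP:src_ip}:%{INT:src_port} \(IP=%{IP:dst_ip}:%{INT:dst_port}\)))"
    r"|(?:op=%{INT:operation_number} (?:(?:SEARCH )?RESULT tag=%{INT:tag} err=%{INT:error_code}"
    r"(?: nentries=%{INT:nentries})? text=%{DATA:error_text}"
    r"|%{WORD:operation_name}(?: %{DATA:data})?))"
    r"))"
    r")%{SPACE}$"
)
# Second stage keyed on operation_name, like the slide's conditional grok block for SRCH.
SUBPATTERNS = {
    "SRCH": r'(?:base="%{DATA:search_base}" scope=%{INT:search_scope} deref=%{INT:search_deref}'
            r' filter="%{DATA:search_filter}"|attr=%{DATA:search_attr})%{SPACE}$',
}

def parse_line(line):
    event = grok_match(OPENLDAP, line)
    if event is None:  # Logstash would tag the event _grokparsefailure instead
        return {"message": line, "tags": ["_grokparsefailure"]}
    sub = SUBPATTERNS.get(event.get("operation_name"))
    if sub and "data" in event:
        event.update(grok_match(sub, event["data"]) or {})
    return event

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def follow_connection(events, connection):
    """Kibana query connection=<n>: every event of one LDAP connection, in log order."""
    return [e for e in events if e.get("connection") == str(connection)]

def failed_binds_by_source(events):
    """Join err=49 (invalidCredentials) BIND results to the ACCEPT line of the same connection."""
    src_ip = {e["connection"]: e["src_ip"] for e in events if "src_ip" in e}
    bind_ops, counts = set(), Counter()
    for e in events:
        key = (e.get("connection"), e.get("operation_number"))
        if e.get("operation_name") == "BIND":
            bind_ops.add(key)
        elif key in bind_ops and e.get("error_code") == "49":
            counts[src_ip.get(key[0], "unknown")] += 1
    return counts

# Sample input: lines from the slides plus a constructed failed BIND on conn=162738.
SAMPLE_LOG = """\
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 BIND dn="cn=admin,dc=example,dc=com" method=128
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=3 RESULT tag=97 err=0 text=
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SRCH base="ou=users,dc=example,dc=com" scope=1 deref=0 filter="(objectClass=*)"
Jul  1 15:27:39 ader-sfl slapd[1377]: conn=162709 op=5 SEARCH RESULT tag=101 err=0 nentries=50 text=
Jul  1 17:18:48 ader-sfl slapd[1377]: conn=162711 fd=12 closed (connection lost)
Jul  1 09:28:40 ader-sfl slapd[1377]: connection_input: conn=93309 deferring operation: binding
Jul  2 08:41:02 ader-sfl slapd[1377]: <= mdb_equality_candidates: (objectClass) not indexed
Jul  1 15:30:01 ader-sfl slapd[1377]: conn=162738 fd=14 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jul  1 15:30:01 ader-sfl slapd[1377]: conn=162738 op=0 BIND dn="uid=user1,ou=users,dc=example,dc=com" method=128
Jul  1 15:30:01 ader-sfl slapd[1377]: conn=162738 op=0 RESULT tag=97 err=49 text=
"""
```

Run `parse_log(SAMPLE_LOG)` and inspect the dicts to see the same fields Logstash would send to Elasticsearch; all values stay strings, as grok captures them, which is why the config on the "Configure logstash" slide would still need a type conversion before Kibana can histogram error codes. The join in failed_binds_by_source is the piece a Kibana query cannot do on its own: the client IP is only on the ACCEPT line, so attributing a failed BIND to an address means correlating two events through the connection number.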