
Re: Need help unpicking stats logging



Many thanks, Emmanuel, for your quick reply.

That is certainly helping me figure out what is going on. It looks
like one or two of the client systems aren't correctly configured and
this is helping me pin them down.

Regards

Philip



On 1 April 2016 at 11:49, Emmanuel Lécharny <elecharny@gmail.com> wrote:
> On 01/04/16 12:45, Philip Colmer wrote:
>> I've currently got stats logging turned on while I try to troubleshoot
>> an application and I've noticed some rather strange searches going on.
>> Strange in that the searches are for very high uidNumber values or for
>> uid values that don't exist ... suggesting that someone might be
>> trying to grab data from our server.
>>
>> What I'm struggling with is trying to figure out from the logs (a) the
>> IP address that these queries are coming from and/or (b) the
>> authenticated account being used (even if anonymous).
>>
>> For example, if I have a log line like this:
>>
>> conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2
>> deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
>>
>> is there anything I can do with the conn or op values to connect that
>> particular search query to an earlier logged BIND log entry?
>
> Just grep your log for 'conn=1928683', it will give you all the history
> for the 'user' that did the search.
>
> Now, FTR, that search really looks like a PAM LDAP or an SSSD search.
> Pretty standard.
>
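
The correlation suggested in the reply above (following a `conn=` id back to its ACCEPT and BIND lines), as an added example that is not part of the original thread. It assumes slapd stats-level log lines; the IP addresses, bind DNs and second connection in the sample are constructed, and `attribute_searches` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in slapd stats-log format (IPs and bind DNs are made up).
SAMPLE_LOG = """\
slapd[812]: conn=1928683 fd=25 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
slapd[812]: conn=1928683 op=0 BIND dn="uid=svc-nss,ou=accounts,dc=linaro,dc=org" method=128
slapd[812]: conn=1928683 op=0 RESULT tag=97 err=0 text=
slapd[812]: conn=1928684 fd=26 ACCEPT from IP=192.0.2.77:40022 (IP=0.0.0.0:389)
slapd[812]: conn=1928684 op=0 BIND dn="uid=admin,ou=accounts,dc=linaro,dc=org" method=128
slapd[812]: conn=1928684 op=0 RESULT tag=97 err=49 text=
slapd[812]: conn=1928684 op=1 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(uidNumber=4000000)"
slapd[812]: conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
"""

CONN = re.compile(r'conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)')
ACCEPT = re.compile(r'ACCEPT from IP=(\S+)')
BIND = re.compile(r'BIND dn="([^"]*)" (?:method|mech)=')
RESULT = re.compile(r'RESULT tag=97 err=(\d+)')  # tag=97 is a bind response
SRCH = re.compile(r'SRCH base="([^"]*)" .*filter="(.*)"')

def attribute_searches(log_text):
    """Return one record per SRCH with the client IP and bind DN in effect."""
    conns = defaultdict(lambda: {"ip": None, "dn": "", "pending": {}})
    out = []
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        st = conns[conn]
        if (a := ACCEPT.match(rest)):
            st["ip"] = a.group(1)            # client address:port
        elif (b := BIND.match(rest)):
            st["pending"][op] = b.group(1)   # requested DN, not yet confirmed
        elif (r := RESULT.match(rest)) and op in st["pending"]:
            dn = st["pending"].pop(op)
            st["dn"] = dn if r.group(1) == "0" else ""  # failed bind -> anonymous
        elif (s := SRCH.match(rest)):
            out.append({"conn": conn, "op": op, "ip": st["ip"],
                        "bind_dn": st["dn"] or "(anonymous)", "filter": s.group(2)})
    return out

if __name__ == "__main__":
    for rec in attribute_searches(SAMPLE_LOG):
        print(rec)
```

If the ACCEPT line for a connection has already rotated out of the file being read, `ip` stays `None`, so long-lived connections may need the older log files included.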