[Date Prev][Date Next] [Chronological] [Thread] [Top]

Need help unpicking stats logging

To: openldap-technical@openldap.org
Subject: Need help unpicking stats logging
From: Philip Colmer <philip.colmer@linaro.org>
Date: Fri, 1 Apr 2016 11:45:02 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:date:message-id:subject:from:to; bh=HVHcNPoTLjHh83/1q5tCn/dW3H45+x/nbWWAA0ZZzqA=; b=kVLlhIASvOLXY5iv4K/YjpnPuPLZoXx8QUHNkcU49hSyKq4TO2QnDjuE7B4HKMQ2Ak 7jrXwUWHDpBW5hld47vduQOZt+CtU8Ou4fXWuURDR+aj54LqF86eV9RB4Ja+qZUyyBX9 nQWN0sGgiYQj+wgCbOmmarichf+XEF+M/Gm5k=

I've currently got stats logging turned on while I try to troubleshoot
an application and I've noticed some rather strange searches going on.
Strange in that the searches are for very high uidNumber values or for
uid values that don't exist ... suggesting that someone might be
trying to grab data from our server.

What I'm struggling with is trying to figure out from the logs (a) the
IP address that these queries are coming from and/or (b) the
authenticated account being used (even if anonymous).

For example, if I have a log line like this:

conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2
deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"

is there anything I can do with the conn or op values to connect that
particular search query to an earlier logged BIND log entry?

Or is there a different/better way for me to try and get the
information I'm after?

Thanks.

Philip

Follow-Ups:
- Antw: Need help unpicking stats logging
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>

Prev by Date: Re: Making a full replica: slapd -c "rid=xxx" doesn't seem to work
Next by Date: Re: Need help unpicking stats logging
Index(es):
- Chronological
- Thread