openldap-log-parser
Parse openldap log, and output json format
At the moment, openldap-log-parser focuses on these log levels:
- 256 (stats log connections/operations/results)
Install
Copy openldap-log-parser
into a directory in your PATH and set the executable flag.
Usage
Feed openldap logs to the program on standard input.
# cat /var/log/slapd.log | ./openldap-log-parser | jq
{
"time": "2022-07-20T10:03:42.856796+02:00",
"hostname": "ldap.domain.org",
"process": "slapd[82581]",
"operations": [
{
"time": "2022-07-20T10:03:42.856796+02:00",
"op_type": "accept"
},
{
"time": "2022-07-20T10:03:42.856847+02:00",
"op_type": "bind",
"op_id": 0,
"bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
"bind_method": "128",
"result_tag": "97",
"result_err": 0
},
{
"time": "2022-07-20T10:03:42.8572+02:00",
"op_type": "search",
"op_id": 1,
"search_base": "dc=domain,dc=org",
"search_scope": "2",
"search_deref": "0",
"search_filter": "(cn=cuicui)",
"search_attr": "dn ",
"search_res_tag": "101",
"search_res_err": 0,
"search_res_nentries": 1
},
{
"time": "2022-07-20T10:03:42.857572+02:00",
"op_type": "bind",
"op_id": 2,
"bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
"bind_method": "128",
"result_tag": "97",
"result_err": 0
},
{
"time": "2022-07-20T10:03:42.857891+02:00",
"op_type": "close"
}
],
"client_ip": "10.11.12.14",
"client_port": 30390,
"server_ip": "0.0.0.0",
"server_port": 389,
"conn_id": 1699,
"conn_fd": 41,
"bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
"bind_method": null,
"bind_mech": null,
"bind_ssf": null,
"ssf": null,
"starttls": false
}
Use the -f flag to flatten the json structure (one json object per operation):
# cat /var/log/slapd.log | ./openldap-log-parser -f | jq
{
"time": "2022-07-20T10:03:42.856796+02:00",
"hostname": "ldap.domain.org",
"process": "slapd[82581]",
"client_ip": "10.11.12.14",
"client_port": 30390,
"server_ip": "0.0.0.0",
"server_port": 389,
"conn_id": 1699,
"conn_fd": 41,
"op_type": "accept"
}
{
"time": "2022-07-20T10:03:42.856796+02:00",
"hostname": "ldap.domain.org",
"process": "slapd[82581]",
"client_ip": "10.11.12.14",
"client_port": 30390,
"server_ip": "0.0.0.0",
"server_port": 389,
"bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
"conn_id": 1699,
"conn_fd": 41,
"op_id": 0,
"op_type": "bind",
"bind_method": "128",
"result_tag": "97",
"result_err": 0
}
{
"time": "2022-07-20T10:03:42.856796+02:00",
"hostname": "ldap.domain.org",
"process": "slapd[82581]",
"client_ip": "10.11.12.14",
"client_port": 30390,
"server_ip": "0.0.0.0",
"server_port": 389,
"bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
"conn_id": 1699,
"conn_fd": 41,
"op_id": 1,
"op_type": "search",
"search_base": "dc=domain,dc=org",
"search_scope": "2",
"search_deref": "0",
"search_filter": "(cn=cuicui)",
"search_attr": "dn ",
"search_res_tag": "101",
"search_res_err": 0,
"search_res_nentries": 1
}
{
"time": "2022-07-20T10:03:42.856796+02:00",
"hostname": "ldap.domain.org",
"process": "slapd[82581]",
"client_ip": "10.11.12.14",
"client_port": 30390,
"server_ip": "0.0.0.0",
"server_port": 389,
"bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
"conn_id": 1699,
"conn_fd": 41,
"op_id": 2,
"op_type": "bind",
"bind_method": "128",
"result_tag": "97",
"result_err": 0
}
{
"time": "2022-07-20T10:03:42.856796+02:00",
"hostname": "ldap.domain.org",
"process": "slapd[82581]",
"client_ip": "10.11.12.14",
"client_port": 30390,
"server_ip": "0.0.0.0",
"server_port": 389,
"bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
"conn_id": 1699,
"conn_fd": 41,
"op_type": "close"
}
Use "-o filename.json" to write the output to a file instead of stdout.
Piping rsyslog to openldap-log-parser
You can feed syslog to openldap-log-parser by using the "omprog" rsyslog module with the "RSYSLOG_FileFormat" template:
module(load="omprog")
[...]
if $programname == "slapd" then
action(
type="omprog"
binary="/usr/local/bin/openldap-log-parser -f -o /var/log/slapd.log.json"
template="RSYSLOG_FileFormat")
openldap-log-parser can also be run as a service. In that mode it listens on a TCP port, accepts syslog messages and converts them to json.
The resulting json file can then be read by rsyslog and forwarded to a log management tool such as Graylog or Splunk.