
openldap-log-parser

Parse openldap log, and output json format
At the moment, openldap-log-parser focuses on these log levels:

  • 256 (stats log connections/operations/results)

Install

Copy openldap-log-parser into a directory on your PATH and set the executable flag.

Usage

Feed openldap logs to openldap-log-parser on standard input.

# cat /var/log/slapd.log | ./openldap-log-parser | jq
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "operations": [
    {
      "time": "2022-07-20T10:03:42.856796+02:00",
      "op_type": "accept"
    },
    {
      "time": "2022-07-20T10:03:42.856847+02:00",
      "op_type": "bind",
      "op_id": 0,
      "bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
      "bind_method": "128",
      "result_tag": "97",
      "result_err": 0
    },
    {
      "time": "2022-07-20T10:03:42.8572+02:00",
      "op_type": "search",
      "op_id": 1,
      "search_base": "dc=domain,dc=org",
      "search_scope": "2",
      "search_deref": "0",
      "search_filter": "(cn=cuicui)",
      "search_attr": "dn ",
      "search_res_tag": "101",
      "search_res_err": 0,
      "search_res_nentries": 1
    },
    {
      "time": "2022-07-20T10:03:42.857572+02:00",
      "op_type": "bind",
      "op_id": 2,
      "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
      "bind_method": "128",
      "result_tag": "97",
      "result_err": 0
    },
    {
      "time": "2022-07-20T10:03:42.857891+02:00",
      "op_type": "close"
    }
  ],
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "conn_id": 1699,
  "conn_fd": 41,
  "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
  "bind_method": null,
  "bind_mech": null,
  "bind_ssf": null,
  "ssf": null,
  "starttls": false
}

Use the -f flag to flatten the json structure:

# cat /var/log/slapd.log | ./openldap-log-parser -f | jq
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "conn_id": 1699,
  "conn_fd": 41,
  "op_type": "accept"
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_id": 0,
  "op_type": "bind",
  "bind_method": "128",
  "result_tag": "97",
  "result_err": 0
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_id": 1,
  "op_type": "search",
  "search_base": "dc=domain,dc=org",
  "search_scope": "2",
  "search_deref": "0",
  "search_filter": "(cn=cuicui)",
  "search_attr": "dn ",
  "search_res_tag": "101",
  "search_res_err": 0,
  "search_res_nentries": 1
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_id": 2,
  "op_type": "bind",
  "bind_method": "128",
  "result_tag": "97",
  "result_err": 0
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_type": "close"
}

Use "-o filename.json" to write the output to a file.

Piping rsyslog to openldap-log-parser

You can feed syslog to openldap-log-parser by using the "omprog" rsyslog module with the "RSYSLOG_FileFormat" template:

module(load="omprog")
[...]
if $programname == "slapd" then
action(
    type="omprog"
    binary="/usr/local/bin/openldap-log-parser -f -o /var/log/slapd.log.json"
    template="RSYSLOG_FileFormat")

openldap-log-parser can also be used as a service. It will listen on TCP, accepting syslog messages and converting them to json.
The resulting json file can then be read by rsyslog and sent to a log management tool such as Graylog or Splunk.