# openldap-log-parser

Parse OpenLDAP (slapd) logs and output them as JSON.

At the moment, openldap-log-parser focuses on these log levels:

- 256 (stats: log connections/operations/results)

## Install

Copy `openldap-log-parser` into your PATH and set the executable flag.

## Usage

openldap-log-parser reads OpenLDAP logs on stdin. By default it emits one JSON object per connection, with the connection's operations nested in an `operations` array:

``` console
# cat /var/log/slapd.log | ./openldap-log-parser | jq
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "operations": [
    {
      "time": "2022-07-20T10:03:42.856796+02:00",
      "op_type": "accept"
    },
    {
      "time": "2022-07-20T10:03:42.856847+02:00",
      "op_type": "bind",
      "op_id": 0,
      "bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
      "bind_method": "128",
      "result_tag": "97",
      "result_err": 0
    },
    {
      "time": "2022-07-20T10:03:42.8572+02:00",
      "op_type": "search",
      "op_id": 1,
      "search_base": "dc=domain,dc=org",
      "search_scope": "2",
      "search_deref": "0",
      "search_filter": "(cn=cuicui)",
      "search_attr": "dn ",
      "search_res_tag": "101",
      "search_res_err": 0,
      "search_res_nentries": 1
    },
    {
      "time": "2022-07-20T10:03:42.857572+02:00",
      "op_type": "bind",
      "op_id": 2,
      "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
      "bind_method": "128",
      "result_tag": "97",
      "result_err": 0
    },
    {
      "time": "2022-07-20T10:03:42.857891+02:00",
      "op_type": "close"
    }
  ],
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "conn_id": 1699,
  "conn_fd": 41,
  "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
  "bind_method": null,
  "bind_mech": null,
  "bind_ssf": null,
  "ssf": null,
  "starttls": false
}
```

Use the `-f` flag to flatten the structure: every operation becomes its own JSON object, with the connection fields (client, server, `conn_id`, and the DN bound at that point) repeated on each record. This is the shape log management tools index most easily:

``` console
# cat /var/log/slapd.log | ./openldap-log-parser -f | jq
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "conn_id": 1699,
  "conn_fd": 41,
  "op_type": "accept"
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_id": 0,
  "op_type": "bind",
  "bind_method": "128",
  "result_tag": "97",
  "result_err": 0
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=meuh,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_id": 1,
  "op_type": "search",
  "search_base": "dc=domain,dc=org",
  "search_scope": "2",
  "search_deref": "0",
  "search_filter": "(cn=cuicui)",
  "search_attr": "dn ",
  "search_res_tag": "101",
  "search_res_err": 0,
  "search_res_nentries": 1
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_id": 2,
  "op_type": "bind",
  "bind_method": "128",
  "result_tag": "97",
  "result_err": 0
}
{
  "time": "2022-07-20T10:03:42.856796+02:00",
  "hostname": "ldap.domain.org",
  "process": "slapd[82581]",
  "client_ip": "10.11.12.14",
  "client_port": 30390,
  "server_ip": "0.0.0.0",
  "server_port": 389,
  "bind_dn": "cn=cuicui,ou=users,dc=domain,dc=org",
  "conn_id": 1699,
  "conn_fd": 41,
  "op_type": "close"
}
```

Use `-o filename.json` to write the output to a file instead of stdout.

## Piping rsyslog to openldap-log-parser

You can feed syslog to openldap-log-parser through the rsyslog `omprog` module, using the `RSYSLOG_FileFormat` template so that each message arrives as `<RFC 3339 timestamp> <hostname> <syslogtag>: <message>`:

``` console
module(load="omprog")
[...]
if $programname == "slapd" then action(
    type="omprog"
    binary="/usr/local/bin/openldap-log-parser -f -o /var/log/slapd.log.json"
    template="RSYSLOG_FileFormat")
```

openldap-log-parser can also run as a service: it listens on TCP for syslog messages and converts them to JSON. The resulting JSON file can then be read by rsyslog and forwarded to a log management tool such as Graylog or Splunk.
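The flattened output above follows directly from slapd's loglevel 256 lines, and the rsyslog pipeline is where detections over those records usually live. As an added example (this is not code from the openldap-log-parser project), the following Python parses stats lines in the `RSYSLOG_FileFormat` layout, emits one flat record per line with the connection context (peer, bound DN, TLS state) carried onto every operation the way `-f` does, and then runs two checks a SOC would want over the result: repeated `err=49` (invalidCredentials) bind results per client IP, and simple binds that sent a password over a connection that never established TLS. The field names, the regexes, the `StatsLogParser` class, the two check functions and the `SAMPLE` log lines are this example's own constructions; the line shapes they parse (`ACCEPT`, `BIND`, `RESULT`, `SRCH`, `SEARCH RESULT`, `TLS established`, `closed`) are slapd's standard stats format.

```python
"""Added example, not openldap-log-parser's own code: parse slapd loglevel 256 ("stats") lines as
written by the rsyslog RSYSLOG_FileFormat template, emit one flat record per line with connection
context carried onto every operation (as the tool's -f output does), and run two checks over the
result. Field names, the parser class and the SAMPLE lines are constructed for this example."""
import json
import re
from collections import Counter

# RSYSLOG_FileFormat header, then a slapd stats message: per connection "conn=N fd=M ACCEPT ..." /
# "TLS established ..." / "closed"; per operation "conn=N op=M VERB key=value ..." (verb may be "SEARCH RESULT").
SYSLOG_RE = re.compile(r"^(?P<time>\S+) (?P<hostname>\S+) (?P<process>[^ :]+): (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^conn=(?P<conn_id>\d+) fd=(?P<conn_fd>\d+) ACCEPT from IP=(?P<client_ip>\S+):(?P<client_port>\d+) \(IP=(?P<server_ip>\S+):(?P<server_port>\d+)\)$")
TLS_RE = re.compile(r"^conn=(?P<conn_id>\d+) fd=\d+ TLS established tls_ssf=\d+ ssf=(?P<ssf>\d+)")
CLOSE_RE = re.compile(r"^conn=(?P<conn_id>\d+) fd=\d+ closed")
OP_RE = re.compile(r"^conn=(?P<conn_id>\d+) op=(?P<op_id>\d+) (?P<verb>[A-Z]+(?: RESULT)?)(?: (?P<rest>.*))?$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # quoted values (dn, base, filter) may hold spaces and '='


def parse_kv(rest):
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(rest)}


def flat(head, ctx, **extra):
    return {**head, **{k: v for k, v in ctx.items() if k != "ops"}, **extra}


class StatsLogParser:
    def __init__(self):
        self.conns = {}  # conn_id -> context carried onto every later line of that connection
    def _ctx(self, conn_id):  # an op may precede its ACCEPT (log rotation), so stub on demand
        return self.conns.setdefault(conn_id, {"conn_id": conn_id, "bind_dn": None, "tls": False, "ops": {}})
    def parse_line(self, line):
        m = SYSLOG_RE.match(line.strip())
        if not m:
            return None
        head, msg = {"time": m["time"], "hostname": m["hostname"], "process": m["process"]}, m["msg"]
        if o := OP_RE.match(msg):
            return self._op(head, self._ctx(int(o["conn_id"])), int(o["op_id"]), o["verb"], o["rest"] or "")
        for op_type, regex in (("accept", ACCEPT_RE), ("tls_established", TLS_RE), ("close", CLOSE_RE)):
            if c := regex.match(msg):
                ctx = self._ctx(int(c["conn_id"]))
                ctx.update({k: int(v) if v.isdigit() else v for k, v in c.groupdict().items()})
                if op_type == "tls_established":  # slapd logs this for ldaps:// and after a STARTTLS
                    ctx["tls"] = True
                elif op_type == "close":
                    self.conns.pop(ctx["conn_id"])
                return flat(head, ctx, op_type=op_type)
        return None  # ldapi:// (PATH=) ACCEPT lines and non-stats messages are ignored here
    def _op(self, head, ctx, op_id, verb, rest):
        kv, rec = parse_kv(rest), flat(head, ctx, op_id=op_id, op_type=verb.lower().replace(" ", "_"))
        if verb == "BIND":
            rec.update({"bind_" + k: v for k, v in kv.items() if k in ("dn", "method", "mech", "ssf")})
            if "method" in kv:  # the first BIND line of an op names the identity being tried
                ctx["ops"][op_id] = ("bind", kv.get("dn", ""))
        elif verb == "SRCH":  # "SRCH attr=a b" is a second line; only its first attribute is kept here
            ctx["ops"][op_id] = ("search", None)
            rec.update({"search_" + k: v for k, v in kv.items() if k in ("base", "scope", "deref", "filter", "attr")})
        elif verb in ("RESULT", "SEARCH RESULT"):
            kind, dn = ctx["ops"].pop(op_id, ("unknown", None))
            rec.update(result_of=kind, result_tag=kv.get("tag"))
            rec.update({"result_" + k: int(v) for k, v in kv.items() if k in ("err", "nentries") and v.isdigit()})
            if kind == "bind":  # keep the DN that was tried; the conn stays anonymous unless the bind succeeded
                rec["bind_dn"], ctx["bind_dn"] = dn, (dn if rec.get("result_err") == 0 else None)
        return rec


def failed_bind_sources(records, threshold=3):
    """Client IPs with >= threshold BIND results of err=49 (invalidCredentials): spray/brute-force signal."""
    hits = Counter(r.get("client_ip") for r in records if r.get("result_of") == "bind" and r.get("result_err") == 49)
    return {ip: n for ip, n in hits.items() if n >= threshold}


def cleartext_simple_binds(records):
    """Simple binds (method=128) with a DN, hence a password, on a connection without TLS: credentials in clear."""
    return [(r.get("client_ip"), r["bind_dn"]) for r in records
            if r.get("op_type") == "bind" and r.get("bind_method") == "128" and r.get("bind_dn") and not r.get("tls")]


SAMPLE = """\
2022-07-20T10:03:42.856796+02:00 ldap.domain.org slapd[82581]: conn=1699 fd=41 ACCEPT from IP=10.11.12.14:30390 (IP=0.0.0.0:389)
2022-07-20T10:03:42.856847+02:00 ldap.domain.org slapd[82581]: conn=1699 op=0 BIND dn="cn=meuh,ou=users,dc=domain,dc=org" method=128
2022-07-20T10:03:42.856900+02:00 ldap.domain.org slapd[82581]: conn=1699 op=0 RESULT tag=97 err=0 text=
2022-07-20T10:03:42.857200+02:00 ldap.domain.org slapd[82581]: conn=1699 op=1 SRCH base="dc=domain,dc=org" scope=2 deref=0 filter="(cn=cuicui)"
2022-07-20T10:03:42.857210+02:00 ldap.domain.org slapd[82581]: conn=1699 op=1 SRCH attr=dn
2022-07-20T10:03:42.857300+02:00 ldap.domain.org slapd[82581]: conn=1699 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
2022-07-20T10:03:42.857891+02:00 ldap.domain.org slapd[82581]: conn=1699 fd=41 closed
2022-07-20T10:04:01.000001+02:00 ldap.domain.org slapd[82581]: conn=1700 fd=42 ACCEPT from IP=10.11.12.99:40001 (IP=0.0.0.0:389)
2022-07-20T10:04:01.000100+02:00 ldap.domain.org slapd[82581]: conn=1700 op=0 BIND dn="cn=admin,dc=domain,dc=org" method=128
2022-07-20T10:04:01.000200+02:00 ldap.domain.org slapd[82581]: conn=1700 op=0 RESULT tag=97 err=49 text=
2022-07-20T10:04:01.000300+02:00 ldap.domain.org slapd[82581]: conn=1700 op=1 BIND dn="cn=admin,dc=domain,dc=org" method=128
2022-07-20T10:04:01.000400+02:00 ldap.domain.org slapd[82581]: conn=1700 op=1 RESULT tag=97 err=49 text=
2022-07-20T10:04:01.000500+02:00 ldap.domain.org slapd[82581]: conn=1700 op=2 BIND dn="cn=admin,dc=domain,dc=org" method=128
2022-07-20T10:04:01.000600+02:00 ldap.domain.org slapd[82581]: conn=1700 op=2 RESULT tag=97 err=49 text=
2022-07-20T10:04:01.000700+02:00 ldap.domain.org slapd[82581]: conn=1700 fd=42 closed (connection lost)
2022-07-20T10:05:00.000001+02:00 ldap.domain.org slapd[82581]: conn=1701 fd=43 ACCEPT from IP=10.11.12.14:30400 (IP=0.0.0.0:636)
2022-07-20T10:05:00.010000+02:00 ldap.domain.org slapd[82581]: conn=1701 fd=43 TLS established tls_ssf=256 ssf=256
2022-07-20T10:05:00.020000+02:00 ldap.domain.org slapd[82581]: conn=1701 op=0 BIND dn="cn=admin,dc=domain,dc=org" method=128
2022-07-20T10:05:00.020100+02:00 ldap.domain.org slapd[82581]: conn=1701 op=0 RESULT tag=97 err=0 text=
"""


def parse_log(text):
    parser = StatsLogParser()
    return [rec for rec in map(parser.parse_line, text.splitlines()) if rec]


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    print("\n".join(json.dumps(rec) for rec in recs), failed_bind_sources(recs), cleartext_simple_binds(recs), sep="\n")
```

Two design points matter for detection quality. First, a bind attempt is two log lines (`BIND` then `RESULT`), so the parser remembers the DN per `(conn, op)` and attaches it to the result; a failed bind therefore still carries the DN that was tried, which is what a spraying alert needs, while the connection's own `bind_dn` only changes on `err=0`. Second, `tls` is set from slapd's `TLS established` line, which appears both for `ldaps://` listeners and after a successful STARTTLS, so the cleartext check excludes both without looking at the port.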