topic eDirectory events in Getting Data In

eDirectory events

splunker2013 — Mon, 28 Jan 2013 15:25:56 GMT

Hi everyone,

Has anyone successfully captured audit events from the Novell Audit agent for eDirectory or IDM products? I am new to SPLUNK and wonder if this is possible. I have had a look at your free edition, and have setup a TCP listener on the correct port (1289) which forwards onto an index specifically for this event source type. I have configured the audit events from the eDirectory side and generated some sample events, yet nothing appears in SPLUNK under that index.

Is there some other steps to follow. Apologies in advance if I have missed something obvious as I am completely new to SPLUNK.

Thanks

Re: eDirectory events

splunker2013 — Wed, 30 Jan 2013 09:56:15 GMT

Anyone have any thoughts? Surely I am not the first to have tried this?

Re: eDirectory events

DaveSavage — Wed, 30 Jan 2013 11:05:55 GMT

Saw this - hope its useful: http://splunk-base.splunk.com/answers/8688/monitoring-novell-edirectory-events-with-splunk
br
D

Re: eDirectory events

splunker2013 — Wed, 06 Feb 2013 16:08:15 GMT

Thanks for the link Dave. I had come across that previously, however it doesn't seem to explain how this is setup. I have had a look at the associated link on the answer, but still no closer to understanding what I would need to change.

I am using the latest patches of Novell Audit on a fairly new Audit VM, sending events on port 1289. I have a Splunk free box setup listening on 1289 but it never receives any audit events.It might be I have missed something in Splunk as I am new to this product.

Re: eDirectory events

kristian_kolb — Mon, 25 Mar 2013 11:48:58 GMT

Hi, hopefully you have solved your problem by now, but in case you didn't... Two very important questions first;

Are you sure that you are NOT getting the events?
How did you check that?

You say you created a new index to store these events - but does your role have access rights to the index in question. Also, if you have, does this index get searched by default?
Go to Manager -> Access Controls -> Roles -> your role. At the bottom of the page you should find settings that control which indexes you can search.

Have you monitored network traffic on the port in question? Firewall in between?

Are the timestamps a possible source of trouble? If they are not parsed correctly, your events may end up in a different hour/day or even year. So running a search for 'last 60 min' may not be sufficient. Try a search for 'All time'.

Sorry if this seems like basic stuff - but these are probably the most common reasons why users do not see the events they are expecting to.

Hope this helps,

Kristian

Re: eDirectory events

genrehawk — Mon, 25 Aug 2014 20:50:00 GMT

Greetings;

I have a similiar eDirectory setup, and I am seeing LDAP data in my logs.

None of my ldap data is getting searched by my LDAP app, do I need to define a sourcetype?

My data currently contains "source=tcp:1289", and "sourcetype=syslog".

Thank you.

Re: eDirectory events

dominiquevocat — Fri, 17 Aug 2018 09:34:54 GMT

You could use xdas, just use a pattern with no timestamp and index it as json.
I do a fair lot of edirectory and idm stuff if you need more...