Security

How to get the user login details from ovd access logs

muralicbe83
New Member

Hi,

I have the OVD access logs as shown below, where the conn field is common to all three lines, and from them I need to get the details below. May I know how this can be achieved?

IP - [the value is 10.193.30.202]
dn - [the value is cn=1322337,ou=users,o=sc]
Result - SUCCESS [based on the value err=0]

==========================================================================
[2015-12-30T09:01:00.429+00:00] [octetstring] [NOTIFICATION] [] [com.octetstring.accesslog] [tid: 14] [ecid: 0000L7ieZqC7Y71pRso2yd1MWffR000004,0] conn=5921 fd=0 slot=0 connection from 10.193.30.202:50220 to 10.193.105.99:7501 port 7501

[2015-12-30T09:01:00.474+00:00] [octetstring] [NOTIFICATION] [OVD-20038] [com.octetstring.accesslog] [tid: 66] [ecid: 0000L7m7bAu7Y71pRso2yd1MWffR0004^o,0] conn=5,921 op=0 BIND dn=cn=1322337,ou=users,o=sc method=0 version=3

[2015-12-30T09:01:00.476+00:00] [octetstring] [NOTIFICATION] [OVD-20039] [com.octetstring.accesslog] [tid: 66] [ecid: 0000L7m7bAu7Y71pRso2yd1MWffR0004^o,0] conn=5,921 op=0 RESULT err=0 tag=0 nentries=0 etime=0


sundareshr
Legend

Try this

| extract pairdelim=" " kvdelim="=" | rex "from\s(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex "dn=(?<dn>[^\s]+)" | eval result=case(err=0,"Success", isnull(err),"Success", true(),"Fail") | eval conn=replace(conn, ",", "") | streamstats latest(ip) as ip latest(dn) as dn latest(result) as result by conn

muralicbe83
New Member

I have tried the above search, but it is not working.

From the access.log, by running the search below I get the 3 lines mentioned in my previous post.

index=gf_ldap host=uklvadede03a source=*access.log "connection from" OR OVD-20038 OR OVD-20039 |transaction conn

From this search, when I tried to add your search query, I am not getting the exact output I need, as per the format below.

Exact query used

index=gf_ldap host=uklvadede03a source=*access.log "connection from" OR OVD-20038 OR OVD-20039 |transaction conn |extract pairdelim=" " kvdelim="=" | rex "from\s(?<ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | rex "dn=(?<dn>[^\s]+)" | eval result=case(err=0,"Success", err=null, "Success", 1=2, "Fail") | eval conn=replace(conn, ",", "") | streamstats latest(ip) as ip latest(dn) as dn latest(result) as result by conn

Output format

time, IP, dn, Result

Sample

2015-12-30T09:01:00.429, 10.193.30.202,Success

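The correlation that the SPL in this thread is trying to do (take the connection, BIND and RESULT lines that share a conn id, normalise the "5,921" vs "5921" spelling, and produce one time/IP/dn/Result row per connection) can be checked outside Splunk. Below is an added Python example, not code from the thread or from Oracle: it parses the three lines quoted in the question plus three constructed lines for a second, failed bind (conn 5922, err=49, the ecid values marked CONSTRUCTED). It assumes the lines of a connection arrive in chronological order so the first line seen sets the timestamp, maps err=0 to Success, any other err to Fail, and a connection with no RESULT line to Unknown.

```python
"""Correlate OVD access-log lines by connection id into login records.

Added example, not from the original thread. It mirrors what the SPL answer
intends: extract conn, ip, dn and err from the separate lines, strip the
thousands separator from conn, and join everything that belongs to one conn.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines 1-3 are the events quoted in the question (conn 5921);
# lines 4-6 are constructed to show a failed bind (err=49) on conn 5922.
SAMPLE_LOG = """\
[2015-12-30T09:01:00.429+00:00] [octetstring] [NOTIFICATION] [] [com.octetstring.accesslog] [tid: 14] [ecid: 0000L7ieZqC7Y71pRso2yd1MWffR000004,0] conn=5921 fd=0 slot=0 connection from 10.193.30.202:50220 to 10.193.105.99:7501 port 7501
[2015-12-30T09:01:00.474+00:00] [octetstring] [NOTIFICATION] [OVD-20038] [com.octetstring.accesslog] [tid: 66] [ecid: 0000L7m7bAu7Y71pRso2yd1MWffR0004^o,0] conn=5,921 op=0 BIND dn=cn=1322337,ou=users,o=sc method=0 version=3
[2015-12-30T09:01:00.476+00:00] [octetstring] [NOTIFICATION] [OVD-20039] [com.octetstring.accesslog] [tid: 66] [ecid: 0000L7m7bAu7Y71pRso2yd1MWffR0004^o,0] conn=5,921 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2015-12-30T09:02:10.001+00:00] [octetstring] [NOTIFICATION] [] [com.octetstring.accesslog] [tid: 14] [ecid: CONSTRUCTED-ECID-1,0] conn=5922 fd=0 slot=0 connection from 10.193.30.250:51000 to 10.193.105.99:7501 port 7501
[2015-12-30T09:02:10.020+00:00] [octetstring] [NOTIFICATION] [OVD-20038] [com.octetstring.accesslog] [tid: 67] [ecid: CONSTRUCTED-ECID-2,0] conn=5,922 op=0 BIND dn=cn=9999999,ou=users,o=sc method=0 version=3
[2015-12-30T09:02:10.025+00:00] [octetstring] [NOTIFICATION] [OVD-20039] [com.octetstring.accesslog] [tid: 67] [ecid: CONSTRUCTED-ECID-2,0] conn=5,922 op=0 RESULT err=49 tag=0 nentries=0 etime=0
"""

TIMESTAMP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")          # leading [timestamp]
CONN_RE = re.compile(r"\bconn=(?P<conn>[\d,]+)")            # conn=5921 or conn=5,921
FROM_RE = re.compile(r"connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
BIND_RE = re.compile(r"\bBIND dn=(?P<dn>\S+)")              # dn runs up to the next space
RESULT_RE = re.compile(r"\bRESULT err=(?P<err>\d+)")


@dataclass
class Login:
    time: str                     # timestamp of the first line seen for this conn
    ip: Optional[str] = None
    dn: Optional[str] = None
    err: Optional[int] = None

    @property
    def result(self) -> str:
        if self.err is None:
            return "Unknown"      # no RESULT line for this conn (yet)
        return "Success" if self.err == 0 else "Fail"


def correlate(log_text: str) -> Dict[str, Login]:
    """Group lines by normalised conn id and fill in ip/dn/err from each line."""
    logins: Dict[str, Login] = {}
    for line in log_text.splitlines():
        conn_m = CONN_RE.search(line)
        ts_m = TIMESTAMP_RE.match(line)
        if not conn_m or not ts_m:
            continue              # not an access-log line we know how to use
        conn = conn_m.group("conn").replace(",", "")   # "5,921" -> "5921"
        rec = logins.setdefault(conn, Login(time=ts_m.group("ts")))
        from_m = FROM_RE.search(line)
        if from_m:
            rec.ip = from_m.group("ip")
        bind_m = BIND_RE.search(line)
        if bind_m:
            rec.dn = bind_m.group("dn")
        result_m = RESULT_RE.search(line)
        if result_m:
            rec.err = int(result_m.group("err"))
    return logins


def to_rows(logins: Dict[str, Login]) -> List[Tuple[str, Optional[str], Optional[str], str]]:
    """One (time, ip, dn, result) row per connection, ordered by conn id."""
    ordered = sorted(logins.items(), key=lambda kv: int(kv[0]))
    return [(rec.time, rec.ip, rec.dn, rec.result) for _, rec in ordered]


if __name__ == "__main__":
    for row in to_rows(correlate(SAMPLE_LOG)):
        print(", ".join(str(v) for v in row))
```

Because the whole record is keyed on the normalised conn id, it does not matter that the connection line writes conn=5921 while the BIND and RESULT lines write conn=5,921; that mismatch is exactly what defeats a by-conn correlation if it is not normalised first.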