Getting Data In

Monitoring Novell eDirectory events with Splunk

tgow
Splunk Employee
Splunk Employee

Has anyone used Splunk to monitor Novell eDirectory events? I need to know if there is a solution out there to replace Novell's Sentinel Log Manager.

0 Karma
1 Solution

maverick
Splunk Employee
Splunk Employee

Based on my research, eDirectory did not produce login and logoff logs of any sort until this patch (see link below) was released back in 2008.

http://download.novell.com/Download?buildid=RH_B5b3M6EQ~

Once that patch is installed, it should start logging as one would expect.

Previously you needed to install an NLM module directly on the server to connect.

(Please see http://www.visualclick.com/content/dsrazornw.htm)

Once this is setup, then we should be able to setup a log file monitor on the log and indexing will be instant, as expected.

View solution in original post

AMCollins
Explorer

Dominique or anyone paying attention to this thread,

I have XDAS eDirectory events coming in via syslog as a source type _json. I'm very new to this, but I'm having a hard time extracting fields can you share how you have done this. Every time I go to attempt to extract fields it complains because many of the Events have multiples. Some of the logs have as many as 257 lines. It may be an error in the setup coming from the eDirectory servers. Do you have any guidance on fixing it?

Thanks,
Aaron

0 Karma

dominiquevocat
Motivator

Hi, first of all i didn't open the thread so i was not notified sorry.

Um, i really need to compile a set of sourcetypes and so on... i have a couple of scripts to collect stats and dashboards and so on. Alternatively there is a swiss company (Skypro) that developed something based on open source software that does a lot of what you might want to do.
Anyway, the trick i once tried with xdas was to change the patter for the syslog config to include a date and timestamp and then define a sourcetype that breaks on that pattern. The json format is quit verbose though.

What we do is mostly log directory stuff we want to know in a driver so you just filter for the operations you want to know and log it. Currently we use idmlog4j but i would like to test the java class for logging but it needs to be only using static methods else it won't work. Alternatively i am looking into using the http event collector and the rest driver but yeah, it works now so why change much.

We also collect some logfiles, ldap stats and dxcmd info using a forwarder but its not polished at all.

I can give the code we use i guess...

0 Karma

genrehawk
New Member

Hi Dominique;

Would you mind sharing whatever you've done in order to get this working properly?
Right now, my logs are inbound to tcp:1289, and with a sourcetype of syslog; defined as such under data types.

Thank you in advance.

0 Karma

dominiquevocat
Motivator

Sorry, i did not get some notification. Please feel free to mail me. I might be able to refine it and maybe do an app.
But basically you could just index the XDAS via Syslog as this easiest. It basically is json i think. We did something with a DirXML Driver and a simple policy.

0 Karma

dominiquevocat
Motivator

what kinds of events do you want?
if you use Identity Manager i might be able to help some, i wrote a driver that logs all attributes in place in the filter to Splunk via Syslog.

0 Karma

maverick
Splunk Employee
Splunk Employee

Based on my research, eDirectory did not produce login and logoff logs of any sort until this patch (see link below) was released back in 2008.

http://download.novell.com/Download?buildid=RH_B5b3M6EQ~

Once that patch is installed, it should start logging as one would expect.

Previously you needed to install an NLM module directly on the server to connect.

(Please see http://www.visualclick.com/content/dsrazornw.htm)

Once this is setup, then we should be able to setup a log file monitor on the log and indexing will be instant, as expected.

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>