Based on my research, eDirectory did not produce login and logoff logs of any sort until this patch (see link below) was released back in 2008.
Once that patch is installed, it should start logging as one would expect.
Previously you needed to install an NLM module directly on the server to connect.
(Please see http://www.visualclick.com/content/dsrazornw.htm)
Once this is setup, then we should be able to setup a log file monitor on the log and indexing will be instant, as expected.
what kinds of events do you want?
if you use Identity Manager i might be able to help some, i wrote a driver that logs all attributes in place in the filter to Splunk via Syslog.
Would you mind sharing whatever you've done in order to get this working properly?
Right now, my logs are inbound to tcp:1289, and with a sourcetype of syslog; defined as such under data types.
Thank you in advance.
Sorry, i did not get some notification. Please feel free to mail me. I might be able to refine it and maybe do an app.
But basically you could just index the XDAS via Syslog as this easiest. It basically is json i think. We did something with a DirXML Driver and a simple policy.
Dominique or anyone paying attention to this thread,
I have XDAS eDirectory events coming in via syslog as a source type _json. I'm very new to this, but I'm having a hard time extracting fields can you share how you have done this. Every time I go to attempt to extract fields it complains because many of the Events have multiples. Some of the logs have as many as 257 lines. It may be an error in the setup coming from the eDirectory servers. Do you have any guidance on fixing it?
Hi, first of all i didn't open the thread so i was not notified sorry.
Um, i really need to compile a set of sourcetypes and so on... i have a couple of scripts to collect stats and dashboards and so on. Alternatively there is a swiss company (Skypro) that developed something based on open source software that does a lot of what you might want to do.
Anyway, the trick i once tried with xdas was to change the patter for the syslog config to include a date and timestamp and then define a sourcetype that breaks on that pattern. The json format is quit verbose though.
What we do is mostly log directory stuff we want to know in a driver so you just filter for the operations you want to know and log it. Currently we use idmlog4j but i would like to test the java class for logging but it needs to be only using static methods else it won't work. Alternatively i am looking into using the http event collector and the rest driver but yeah, it works now so why change much.
We also collect some logfiles, ldap stats and dxcmd info using a forwarder but its not polished at all.
I can give the code we use i guess...