Greetings;

I have a similiar eDirectory setup, and I am seeing LDAP data in my logs.

None of my ldap data is getting searched by my LDAP app, do I need to define a sourcetype?

My data currently contains "source=tcp:1289", and "sourcetype=syslog".

Thank you.

Hi, hopefully you have solved your problem by now, but in case you didn't... Two very important questions first;

1. Are you sure that you are NOT getting the events?
2. How did you check that?

You say you created a new index to store these events - but does your role have access rights to the index in question. Also, if you have, does this index get searched by default?
Go to Manager -> Access Controls -> Roles -> your role. At the bottom of the page you should find settings that control which indexes you can search.

Have you monitored network traffic on the port in question? Firewall in between?

Are the timestamps a possible source of trouble? If they are not parsed correctly, your events may end up in a different hour/day or even year. So running a search for 'last 60 min' may not be sufficient. Try a search for 'All time'.

Sorry if this seems like basic stuff - but these are probably the most common reasons why users do not see the events they are expecting to.

Hope this helps,

Kristian

Thanks for the link Dave. I had come across that previously, however it doesn't seem to explain how this is setup. I have had a look at the associated link on the answer, but still no closer to understanding what I would need to change.

I am using the latest patches of Novell Audit on a fairly new Audit VM, sending events on port 1289. I have a Splunk free box setup listening on 1289 but it never receives any audit events.It might be I have missed something in Splunk as I am new to this product.

Saw this - hope its useful: http://splunk-base.splunk.com/answers/8688/monitoring-novell-edirectory-events-with-splunk
br
D

Anyone have any thoughts? Surely I am not the first to have tried this?