
How can we extract an ldap (Oracle) directory audit file event?

ddrillic
Ultra Champion

We have, in the LDAP (Oracle) directory audit file, the following layout:

time: 20180724072339
dn: uid=<uid>,ou=people,dc=<dc>,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 2
-
add: pwdFailureTime
pwdFailureTime: 20180724122331.986Z
-
<blank line>

How can we extract the event from the time: part until the blank line?


somesoni2
SplunkTrust

Let's give this a try first (props.conf on your indexer/heavy forwarder)

[YourSourcetype]
# Break before every "time: <digits>" line; the newlines matched by the
# capture group (including the blank line that ends each event) are discarded
LINE_BREAKER = ([\r\n]+)(?=time\:\s*\d+)
SHOULD_LINEMERGE = false
# The timestamp is the 14-digit value directly after "time: "
TIME_PREFIX = ^time\:\s*
TIME_FORMAT = %Y%m%d%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14

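To see what the stanza above actually does to the audit text, here is an added Python example (not from this thread and not Splunk's own code) that reproduces the same event breaking and timestamp extraction outside Splunk, then parses each event's LDIF-style modifications and flags the failed-bind records a defender would want to watch. The sample audit text, the uid values and the dc=example,dc=com suffix are constructed for the example; the regex and time format are the ones from the props.conf answer.

```python
import re
from datetime import datetime

# Same semantics as the props.conf stanza: Splunk consumes the text matched by
# the first capture group as the separator and the lookahead forces the split
# right before the next "time: <digits>" line.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=time:\s*\d+)")
TIME_PREFIX = re.compile(r"^time:\s*")
TIME_FORMAT = "%Y%m%d%H%M%S"
MAX_TIMESTAMP_LOOKAHEAD = 14

# Constructed sample: two failed-bind records for one user and one unrelated
# attribute change, in the layout shown in the question.
SAMPLE_AUDIT = """time: 20180724072339
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 2
-
add: pwdFailureTime
pwdFailureTime: 20180724122331.986Z
-

time: 20180724072401
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 3
-
add: pwdFailureTime
pwdFailureTime: 20180724122353.120Z
-

time: 20180724073015
dn: uid=asmith,ou=people,dc=example,dc=com
changetype: modify
replace: mail
mail: asmith@example.com
-
"""


def break_events(raw):
    """Split raw audit text into event bodies the way LINE_BREAKER would."""
    # re.split returns the captured separators too; they are pure newlines,
    # so dropping whitespace-only parts leaves only the event bodies.
    return [p for p in LINE_BREAKER.split(raw) if p and not p.isspace()]


def parse_event(chunk):
    """Parse one event: timestamp from the time: line, then dn/changetype
    and the '-'-separated modification blocks."""
    lines = [ln for ln in chunk.strip().splitlines() if ln.strip()]
    m = TIME_PREFIX.match(lines[0])
    if not m:
        raise ValueError("event does not start with a time: line")
    stamp = lines[0][m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    event = {"time": datetime.strptime(stamp, TIME_FORMAT), "mods": []}
    current = None
    for line in lines[1:]:
        if line == "-":          # end of one modification block
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("dn", "changetype"):
            event[key] = value
        elif key in ("add", "replace", "delete"):
            current = {"op": key, "attr": value, "values": []}
            event["mods"].append(current)
        elif current is not None and key == current["attr"]:
            current["values"].append(value)
    return event


def load_events(raw):
    return [parse_event(c) for c in break_events(raw)]


def password_failures(events, min_retries=1):
    """Return (dn, retry_count, time) for events that record a failed bind
    (a pwdFailureTime was added) with passwordRetryCount >= min_retries."""
    hits = []
    for ev in events:
        retry, failed = None, False
        for mod in ev["mods"]:
            if mod["attr"] == "passwordRetryCount" and mod["values"]:
                retry = int(mod["values"][0])
            if mod["attr"] == "pwdFailureTime":
                failed = True
        if failed and retry is not None and retry >= min_retries:
            hits.append((ev["dn"], retry, ev["time"]))
    return hits


if __name__ == "__main__":
    for dn, count, when in password_failures(load_events(SAMPLE_AUDIT)):
        print(f"{when.isoformat()} failed bind for {dn} (retry count {count})")
```

The script breaks the constructed sample into three events; raising min_retries lets you surface only the accounts approaching a lockout threshold, which is the same filtering you would later do in SPL once the events are indexed with the stanza above.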


ddrillic
Ultra Champion

Gorgeous @somesoni2, as usual. Please convert to an answer ;-)


somesoni2
SplunkTrust
SplunkTrust

So you want to consider event boundary from time:... till next blank line (or next time:...)?


ddrillic
Ultra Champion

I guess until next blank line would be great...


ddrillic
Ultra Champion

@somesoni2 - any thoughts about this one?
