Solved: Monitor failed ldap login attemps

tvernick · ‎05-11-2015

We have 389 Directory Server logs and I was wondering if there is a way to monitor for failed authentication attempts? The error code for a failed attempt is err=49 in the log, but the actual username for the failed attempt is on another line. I can't find a good way to search for the uid's with failed logins.

[12/May/2015:15:59:38 +0000] conn=43278605 op=0 BIND dn="uid=todd,ou=people,dc=example,dc=net" method=128 version=3
[12/May/2015:15:59:38 +0000] conn=43278605 op=0 RESULT err=49 tag=97 nentries=0 etime=0

I want to be able to see that "uid=todd" when there is an instance of err=49.

martin_mueller · ‎05-12-2015

The most easy way would be a plain transaction:

index=foo sourcetype=bar BIND OR RESULT | transaction conn | search err=49

That'll merge all events for a conn value into one great transaction and filter based on the overall error.

View solution in original post

martin_mueller · ‎05-12-2015

The most easy way would be a plain transaction:

index=foo sourcetype=bar BIND OR RESULT | transaction conn | search err=49

That'll merge all events for a conn value into one great transaction and filter based on the overall error.

tvernick · ‎05-12-2015

[12/May/2015:15:59:38 +0000] conn=43278605 op=0 BIND dn="uid=todd,ou=people,dc=example,dc=net" method=128 version=3
[12/May/2015:15:59:38 +0000] conn=43278605 op=0 RESULT err=49 tag=97 nentries=0 etime=0

I want to be able to see that "uid=todd" when there is an instance of err=49.

MuS · ‎05-11-2015

Like @martin_mueller wrote, post some samples. I did such a thing for an Oracle OVD, it's no big deal 😉

martin_mueller · ‎05-11-2015

Do post some sample events.

Monitor failed ldap login attemps

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk