Splunk Enterprise

How to correlate ldap logs?

woodentree
Communicator

Hi,

We have a standard openldap logs which looks like this :

Mar 17 07:01:46 abc123 slapd[1234]: conn=1001 op=1 RE SULT tag=97 err=49 text=
Mar 17 07:01:45 abc123 slapd[1234]: conn=1001 op=1 BIND dn="cn=my_username,ou=users,dc=my_dc,dc=fr" method=128
Mar 17 07:01:44 abc123 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.111.22.123:46662 (IP=10.111.22.123:636)


We’d like to detect error code other than “success” in our ldap logs:

index=ldap sourcetype="openldap:access" err!=0

 

Unfortunately, we can't find a way correlate this event with other events in order to find the username and the ip address related to the same conn. Do you have an idea how we can do it?

 

Thanks for the help.

Regards.

Labels (1)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Use the stats command to group events by a common field (conn?) then filter on err.

index=ldap sourcetype="openldap:access" 
| stats values(*) as * by conn
| where err!=0
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Use the stats command to group events by a common field (conn?) then filter on err.

index=ldap sourcetype="openldap:access" 
| stats values(*) as * by conn
| where err!=0
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

woodentree
Communicator

Thanks for the help, it’s almost perfect. We slightly modified your query :

 

index=ldap sourcetype="openldap:access"
| stats values(cn) as cn, values(IP) as IP, values(err) as err, count(err) as err_count by dest conn
| where err!=0

 


Unfortunately, the condition | where err!=0 doesn’t return a result if there are error codes other than 0. For example, it could be few failed authentication followed by a successful one like in this case:

1.png

We triedto use some other conditions like |search NOT err=0 but with no success. Do you have an idea how to make it work?


Thanks.

___________________

UPD

The solution is to use the condition below:

| where NOT err=0
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!