Re: Advice sought regarding logging changes made to OpenLDAP server

[Howard Chu <hyc@symas.com>]

Philip Colmer wrote:
> I've been asked to log & track changes made to our LDAP system. My
> initial thought was to use the auditlog overlay as it outputs to a
> text file, thus making it relatively straightforward to parse, but a
> 2009 discussion
> (http://www.openldap.org/lists/openldap-technical/200911/msg00092.html)
> suggested a potential problem, namely no logging of time and name for
> deletes.
>
> Replies to that discussion suggested the use of accesslog instead.
> However, that logs to a database which isn't really what I'm after. A
> 2011 discussion
> (http://www.openldap.org/lists/openldap-technical/201104/msg00084.html)
> sought answers similar to the one I'm looking for now, namely is there
> a way of getting changes logged into a text file?

Run ldapsearch against the log database.

Or skip the flat text file altogether and just use the ldapsearch API - then 
you don't need to do any text-based parsing at all, the entry is already in an 
in-memory structure.

> One of the replies (from Quanah) suggested ldap-stats.pl but I'm not
> looking for stats - I'm looking for the actual changes being made.
>
> Since both of those discussions are quite old, I was wondering if
> there was any up-to-date advice regarding best practice for the sort
> of information I'm trying to capture?
>
> Thanks.
>
> Philip


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/