This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!! Overview
[{$pagename}] is the replacement for [Novell Audit] and uses [XDAS].
__[eDirectory] moved to using the [Common Event Format] ([CEF]) when [Micro Focus] acquired [ArcSight]__
[eDirectory Common Event Format] has some additional insights.
As most [eDirectory] [Implementations] use [Universal Password] [Login] methods, which are handled as [SASL] using [NMAS_LOGIN], implementing [XDAS For NMAS] is key for monitoring most login [XDAS Events].
!! [Logging] [{$pagename}]
! Grepping logs
In this [Example], using [EDirectory 9.0.3.1 (40005.13)], [XDAS Events] are sent to a [Logging] server and the log file is grepped for a single server.
%%information
grep 'eDirectory#' /logfiles/../messages |grep -v '"ExtendedOutcome" : "0"'
%%
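As an added example (not from the original page), the following Python scanner applies the same filter as the grep above, a non-zero "ExtendedOutcome", and additionally flags the two cases noted further down that the grep does not match: [Anonymous bind] ("NullPassword" : "TRUE") and [ACCOUNT_UNLOCK]. The log lines are constructed in the shape of those shown on this page, and the code-to-condition mapping is the one catalogued on this page.

```python
import json
import re

# Constructed sample lines modelled on the page's XDAS output; the wiki link
# brackets around event names are removed so the JSON is what eDirectory emits.
SAMPLE_LOG = """\
Aug 8 01:05:36 nlinux0038 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}
Aug 8 10:37:19 nlinux0038 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "[Public]"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "0","ExtendedOutcome" : "0"}}
Aug 8 07:47:49 nlinux0041 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=nlinux0052IDV,OU=servers,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"}},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK"},"Outcome" : "0","ExtendedOutcome" : "0"}}
Aug 8 09:00:00 nlinux0038 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.22.43:32964"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "0","ExtendedOutcome" : "0"}}
"""

# ExtendedOutcome codes catalogued on this page and the condition each signals.
EXTENDED_OUTCOMES = {"-1642": "Login Failed", "-1668": "Account locked",
                     "-1667": "Account disabled", "-779": "FAILED_LOGIN counter increment",
                     "-222": "Password expired"}

# syslog timestamp, host, "eDirectory: <level>", then the JSON event body
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ eDirectory: \w+ (?P<json>\{.*\})$")

def parse_line(line):
    """Return (timestamp, event dict) for an eDirectory XDAS syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return m.group("ts"), json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None  # truncated or non-JSON body

def classify(event):
    """Alert label for one XDAS event, or None if routine (grep filter plus the two misses)."""
    action = event.get("Action", {})
    ext = str(action.get("ExtendedOutcome", "0"))
    if ext != "0":  # what the page's grep -v '"ExtendedOutcome" : "0"' keeps
        return EXTENDED_OUTCOMES.get(ext, "Unknown failure " + ext)
    if action.get("Event", {}).get("Name") == "ACCOUNT_UNLOCK":
        return "Account unlock"
    if event.get("Initiator", {}).get("Assertions", {}).get("NullPassword") == "TRUE":
        return "Anonymous bind"
    return None

def scan(text):
    """Return (timestamp, initiator name, initiator address, label) per flagged line."""
    hits = []
    for ts, event in filter(None, map(parse_line, text.splitlines())):
        label = classify(event)
        if label is not None:
            init = event.get("Initiator", {})
            hits.append((ts, init.get("Account", {}).get("Name", "?"),
                         init.get("Entity", {}).get("SysAddr", "?"), label))
    return hits
```

Running `scan(SAMPLE_LOG)` returns three hits (failed login, anonymous bind, account unlock) and leaves the successful login alone.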
This grep appears to get most of the "bad" events (although not all of them are shown below).
! "Login Failed" "-1642" [LDAP_INVALID_CREDENTIALS]
%%warning
Aug 8 01:05:36 nlinux0038/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#216269013#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1533704736},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}
%%
! "[Account Locked|Intruder Detection]" "-1668" [LDAP_INVALID_CREDENTIALS]
%%warning
Jul 30 13:52:00 nlinux0041/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.27.41:39026"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=MASTERK5,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#51642389#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1532973120},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1668","Details" : "Account locked"}}
%%
! "[Account Disabled|Administratively Disabled]" [LDAP_INVALID_CREDENTIALS]
%%warning
Aug 8 08:50:59 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.23.117:49798"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#220987400#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1533732659},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1667","Details" : "Account Disabled"}}
%%
! "-779" = "[FAILED_LOGIN Counter Increment|Administratively Disabled]"
%%warning
Aug 8 10:16:40 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"}},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Assertions" : {"NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "NCP Server","SubTarget" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "eDirectory#0#","SubEvent" : "[DSE_LOGIN_EX]"},"Time" : {"Offset" : 1533737800},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-779"}}
%%
! "ExtendedOutcome" : "-222" => [PASSWORD_EXPIRED|ERROR_PASSWORD_EXPIRED] [LDAP_INVALID_CREDENTIALS]
%%warning
Aug 8 11:43:23 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.22.43:32964"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#222036133#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1533743003},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-222"}}
%%
! "[Public|LDAP Proxy User]" "NullPassword" : "TRUE" [Anonymous bind] (i.e. no password provided)
[Anonymous bind] is __NOT__ matched within the grep and is generally NOT considered an [Error], but it is often a critical [Monitoring] or [Auditing] [event].
%%warning
Aug 8 10:37:19 nlinux0038/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net"}},"Initiator" : {"Account" : {"Name" : "[Public]"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"}},"Target" : {"Data" : {"Name" : "[Public|LDAP Proxy User]","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "[DSE_LOGIN_EX]"},"Time" : {"Offset" : 1533739039},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
%%
! "[ACCOUNT_UNLOCK]"
[ACCOUNT_UNLOCK] is __NOT__ matched within the grep and is generally NOT considered an [Error], but it is often a critical [Monitoring] or [Auditing] [event].
%%warning
Aug 8 07:47:49 nlinux0041/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"}},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"}},"Target" : {"Data" : {"Attribute Name" : "[Locked By Intruder|LockedByIntruder]","[Attribute Value]" : "True","ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","Syntax" : "7","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "[ACCOUNT_UNLOCK]","CorrelationID" : "eDirectory#0#e91eabe8-4727-45e5-b0d4-e8ab1ee92747","SubEvent" : "[DSE_DELETE_VALUE]"},"Time" : {"Offset" : 1533728869},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
%%
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]