!!! Overview
[{$pagename}] is the replacement for [Novell Audit] and uses [XDAS].

__[eDirectory] moved to using the [Common Event Format] ([CEF]) when [Micro Focus] acquired [ArcSight]__

[eDirectory Common Event Format] has some additional insights.

As most [eDirectory] [Implementations] use [Universal Password] [Login] methods, which are handled as [SASL] using [NMAS_LOGIN], implementing [XDAS For NMAS] is key to monitoring most login [XDAS Events].

!! [Logging] [{$pagename}]
! Grepping logs
In this [Example], using [EDirectory 9.0.3.1 (40005.13)], [XDAS Events] are sent to a [Logging] server and the resulting file is grepped for the events from a single server.
%%information
grep 'eDirectory#' /logfiles/../messages |grep -v '"ExtendedOutcome" : "0"'
%%
This appears to catch most of the "bad" events, although not all of them are shown below. Note that the filter only drops lines whose "ExtendedOutcome" is "0"; events that carry a zero "ExtendedOutcome" but still matter for [Monitoring] or [Auditing] (an [Anonymous bind], an [ACCOUNT_UNLOCK]) are not matched and are listed further down.

! "Login Failed" "-1642" [LDAP_INVALID_CREDENTIALS]
%%warning
Aug  8 01:05:36 nlinux0038/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#216269013#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1533704736},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}
%%
 

! "[Account Locked|Intruder Detection]" "-1668" [LDAP_INVALID_CREDENTIALS]
%%warning
Jul 30 13:52:00 nlinux0041/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.27.41:39026"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=MASTERK5,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#51642389#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1532973120},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1668","Details" : "Account locked"}}
%%

! "[Account Disabled|Administratively Disabled]" "-1667" [LDAP_INVALID_CREDENTIALS]
%%warning
Aug  8 08:50:59 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.23.117:49798"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#220987400#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1533732659},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1667","Details" : "Account Disabled"}}
%%

! "-779" = "[FAILED_LOGIN Counter Increment|Administratively Disabled]"
%%warning
Aug  8 10:16:40 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"}},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Assertions" : {"NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "NCP Server","SubTarget" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "eDirectory#0#","SubEvent" : "[DSE_LOGIN_EX]"},"Time" : {"Offset" : 1533737800},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-779"}}
%%

! "ExtendedOutcome" : "-222" => [PASSWORD_EXPIRED|ERROR_PASSWORD_EXPIRED] [LDAP_INVALID_CREDENTIALS]
%%warning
Aug  8 11:43:23 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"}},"Initiator" : {"Account" : {"Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.22.43:32964"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "nmas#222036133#","SubEvent" : "[DSE_NMAS_LOG_FINISH_LOGIN_STATUS]"},"Time" : {"Offset" : 1533743003},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-222"}}
%%

! "[Public|LDAP Proxy User]" "NullPassword" : "TRUE" [Anonymous bind] (i.e. no password provided)
An [Anonymous bind] is __NOT__ matched by the grep above, because its "ExtendedOutcome" is "0", and is generally NOT considered an [Error], but it is often a critical [Monitoring] or [Auditing] [event].
%%warning
Aug  8 10:37:19 nlinux0038/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net"}},"Initiator" : {"Account" : {"Name" : "[Public]"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"}},"Target" : {"Data" : {"Name" : "[Public|LDAP Proxy User]","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "[CREATE_SESSION]","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "[DSE_LOGIN_EX]"},"Time" : {"Offset" : 1533739039},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
%%
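As an added example (not code from this page, from eDirectory or from the wiki's author), the following Python script parses syslog lines of the shape shown above, labels every event with a non-zero "ExtendedOutcome" using the codes listed on this page, and also flags the two kinds of event that the grep -v filter above drops because their "ExtendedOutcome" is "0": an [Anonymous bind] ("NullPassword" : "TRUE") and an [ACCOUNT_UNLOCK]. It then counts repeated "Login Failed" events per source address, which the grep alone does not do. The sample lines are constructed, with made-up hosts, addresses and users, and they omit the wiki link brackets that the copies above carry around event names (the code tolerates both forms). The repeated-failure threshold of 3 is an arbitrary assumption.

```python
"""Classify eDirectory XDAS login events from syslog lines.

Added example, not from the wiki page or from eDirectory. Reads the
syslog lines eDirectory writes when XDAS events go to a logging server,
parses the JSON payload and labels the events worth attention, including
the two the page's grep filter misses because ExtendedOutcome is "0".
"""
import json
import re
from collections import Counter

# ExtendedOutcome codes and labels as listed on this page (assumption: the
# mapping is taken from the page's examples, not from a vendor error table).
EXTENDED_OUTCOME = {
    "-1642": "Login Failed",
    "-1668": "Account locked",
    "-1667": "Account Disabled",
    "-779": "FAILED_LOGIN Counter Increment",
    "-222": "Password Expired",
}

# Everything after the syslog prefix "... eDirectory: INFO " is one JSON object.
_PAYLOAD = re.compile(r"eDirectory: \w+ (\{.*\})\s*$")

# Constructed sample lines in the shape shown on this page (hosts, addresses
# and users are made up; the third failure is the one that trips the threshold).
SAMPLE_LINES = [
    'Aug  8 01:05:36 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}',
    'Aug  8 01:05:40 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47791"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}',
    'Aug  8 01:05:44 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47792"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}',
    'Jul 30 13:52:00 nlinux0053 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.27.41:39026"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=MASTERK5,OU=people,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "2","ExtendedOutcome" : "-1668","Details" : "Account locked"}}',
    'Aug  8 10:37:19 nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "[Public]"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"}},"Target" : {"Data" : {"Name" : "[Public]"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","SubEvent" : "DSE_LOGIN_EX"},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Aug  8 07:47:49 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=nlinux0052IDV,OU=servers,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"}},"Target" : {"Data" : {"Attribute Name" : "Locked By Intruder","Attribute Value" : "True","ClassName" : "User","Name" : "uniqueID=jwilleke,OU=people,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK","SubEvent" : "DSE_DELETE_VALUE"},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Aug  8 11:40:00 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "uniqueID=screen01,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.22.43:32964"},"Assertions" : {"NullPassword" : "FALSE","bindery login" : "FALSE"}},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=screen01,OU=people,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","SubEvent" : "DSE_LOGIN_EX"},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Aug  8 10:00:00 nlinux0052 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 22 ssh2',
]


def parse_event(line):
    """Return the event dict for an eDirectory XDAS syslog line, else None."""
    match = _PAYLOAD.search(line)
    if not match:
        return None
    try:
        return json.loads(match.group(1))
    except ValueError:
        return None


def classify(event):
    """Label an event that deserves attention; None for routine events."""
    action = event.get("Action", {})
    # The wiki's copies wrap names in [link] brackets; real logs do not. Accept both.
    name = action.get("Event", {}).get("Name", "").strip("[]")
    ext = action.get("ExtendedOutcome", "0")
    if ext != "0":
        # Same events the page's grep -v '"ExtendedOutcome" : "0"' keeps
        return EXTENDED_OUTCOME.get(ext, "Unknown failure " + ext)
    # Zero ExtendedOutcome, so the grep drops these; they still matter.
    assertions = event.get("Initiator", {}).get("Assertions", {})
    if name == "CREATE_SESSION" and assertions.get("NullPassword") == "TRUE":
        return "Anonymous bind"
    if name == "ACCOUNT_UNLOCK":
        return "Account unlock"
    return None


def scan(lines):
    """Return (initiator_ip, initiator_name, target_name, label) for notable events."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        label = classify(event)
        if label is None:
            continue
        initiator = event.get("Initiator", {})
        # SysAddr is "ip:port"; keep only the address for per-source counting
        ip = initiator.get("Entity", {}).get("SysAddr", "").rsplit(":", 1)[0]
        hits.append((ip, initiator.get("Account", {}).get("Name", ""),
                     event.get("Target", {}).get("Data", {}).get("Name", ""), label))
    return hits


def repeated_failures(hits, threshold=3):
    """Source addresses with at least `threshold` 'Login Failed' events (threshold is an assumption)."""
    counts = Counter(ip for ip, _, _, label in hits if label == "Login Failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for ip, who, target, label in found:
        print(f"{label:<30} from {ip:<15} {who} -> {target}")
    print("repeated failures:", repeated_failures(found))
```

Run against the real file by replacing SAMPLE_LINES with the lines of the messages file; the successful login and the sshd line in the sample are deliberately there to show that routine events are skipped while the anonymous bind and the unlock, which the grep never shows, are still reported.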

! "[ACCOUNT_UNLOCK]"
An [ACCOUNT_UNLOCK] is __NOT__ matched by the grep above, because its "ExtendedOutcome" is "0", and is generally NOT considered an [Error], but it is often a critical [Monitoring] or [Auditing] [event].
%%warning
Aug  8 07:47:49 nlinux0041/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"}},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"}},"Target" : {"Data" : {"Attribute Name" : "[Locked By Intruder|LockedByIntruder]","[Attribute Value]" : "True","ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","Syntax" : "7","Version" : "2"}},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "[ACCOUNT_UNLOCK]","CorrelationID" : "eDirectory#0#e91eabe8-4727-45e5-b0d4-e8ab1ee92747","SubEvent" : "[DSE_DELETE_VALUE]"},"Time" : {"Offset" : 1533728869},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]