Overview#
XDAS for eDirectory is the replacement for Novell Audit and uses XDAS.
eDirectory moved to using the Common Event Format (CEF) when Micro Focus acquired ArcSight; eDirectory Common Event Format has some additional insights.
As most eDirectory implementations use Universal Password login methods, which are handled as SASL using NMAS_LOGIN, implementing XDAS for NMAS is key for monitoring most login XDAS events.
Logging XDAS for eDirectory#
Grepping logs#
In this example, using eDirectory 9.0.3.1 (40005.13), XDAS events are sent to a logging server and the file is grepped for a single server.
grep 'eDirectory#' /logfiles/../messages |grep -v '"ExtendedOutcome" : "0"'
This appears to catch most of the "bad" events (although not all of them are shown below), for example "Login Failed" with ExtendedOutcome "-1642" (LDAP_INVALID_CREDENTIALS):
Aug 8 01:05:36 nlinux0038/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#216269013#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533704736},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}
Jul 30 13:52:00 nlinux0041/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.27.41:39026"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=MASTERK5,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#51642389#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1532973120},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1668","Details" : "Account locked"}
Aug 8 08:50:59 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.23.117:49798"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#220987400#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533732659},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1667","Details" : "Account Disabled"}
Aug 8 10:16:40 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Assertions" : {"NullPassword" : "FALSE","bindery login" : "FALSE"},"Target" : {"Data" : {"ClassName" : "NCP Server","SubTarget" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_LOGIN_EX"},"Time" : {"Offset" : 1533737800},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-779"}
Aug 8 11:43:23 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.22.43:32964"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#222036133#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533743003},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-222"}
Anonymous bind: "Public" with "NullPassword" : "TRUE" (i.e. no password provided)#
Anonymous bind is NOT matched by the grep and is generally NOT considered an error, but it is often a critical monitoring or auditing event:
Aug 8 10:37:19 nlinux0038/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net"},"Initiator" : {"Account" : {"Name" : "Public"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"},"Target" : {"Data" : {"Name" : "Public","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_LOGIN_EX"},"Time" : {"Offset" : 1533739039},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}
ACCOUNT_UNLOCK is NOT matched by the grep and is generally NOT considered an error, but it is often a critical monitoring or auditing event:
Aug 8 07:47:49 nlinux0041/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Target" : {"Data" : {"Attribute Name" : "Locked By Intruder","Attribute Value" : "True","ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","Syntax" : "7","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK","CorrelationID" : "eDirectory#0#e91eabe8-4727-45e5-b0d4-e8ab1ee92747","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1533728869},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}
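The same triage the grep above performs, extended to the two cases this page notes the grep misses (the anonymous bind and ACCOUNT_UNLOCK), as an added Python example; it is not part of this page nor of eDirectory itself. The sample input is four of the lines shown on this page plus one constructed sshd line; the field names (Source, ExtendedOutcome, NullPassword and so on) are those in the page's own lines, while the category labels and the helper names are this example's own. Extraction is regex based rather than json.loads() because the payloads as shown do not balance their braces.

```python
"""Triage eDirectory XDAS syslog lines: the filtering the grep on this page
does, plus the anonymous-bind and ACCOUNT_UNLOCK cases the grep does not catch.

The XDAS payload is JSON-like, but the lines as shown on the page do not
balance their braces, so nothing here relies on json.loads(); each field is
pulled out with a regex, which is all the grep does as well.
"""
import re
from collections import Counter

# Sample input: four lines taken from this page (failed login, locked account,
# anonymous bind, intruder lock cleared) plus one constructed non-eDirectory
# syslog line to show that the source filter drops it.
SAMPLE_LINES = [
    'Aug 8 01:05:36 nlinux0038/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#216269013#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533704736},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}',
    'Jul 30 13:52:00 nlinux0041/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.27.41:39026"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=MASTERK5,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#51642389#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1532973120},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1668","Details" : "Account locked"}',
    'Aug 8 10:37:19 nlinux0038/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net"},"Initiator" : {"Account" : {"Name" : "Public"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"},"Target" : {"Data" : {"Name" : "Public","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_LOGIN_EX"},"Time" : {"Offset" : 1533739039},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}',
    'Aug 8 07:47:49 nlinux0041/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Target" : {"Data" : {"Attribute Name" : "Locked By Intruder","Attribute Value" : "True","ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","Syntax" : "7","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK","CorrelationID" : "eDirectory#0#e91eabe8-4727-45e5-b0d4-e8ab1ee92747","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1533728869},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}',
    # constructed, not from the page: an unrelated syslog line on the same host
    'Aug 8 01:05:40 nlinux0038 sshd[2231]: Accepted publickey for ops from 10.22.21.11 port 51122 ssh2',
]

# syslog prefix: "<Mon> <day> <hh:mm:ss> <relay/host> eDirectory:"
SYSLOG_HEAD = re.compile(r'^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+eDirectory:')


def field(line, key, after=None, before=None):
    """Value of the first "key" : "value" pair in line, optionally restricted to
    the text between the first occurrence of the after-key and the before-key.
    The quote in front of the key stops "Name" from matching "ClassName"."""
    start, end = 0, len(line)
    if after:
        m = re.search(r'"%s"\s*:' % re.escape(after), line)
        if not m:
            return None
        start = m.end()
    if before:
        m = re.search(r'"%s"\s*:' % re.escape(before), line[start:])
        if m:
            end = start + m.start()
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(key), line[start:end])
    return m.group(1) if m else None


def triage(line):
    """Return a flat record for a line worth a look, or None for an ordinary
    successful, authenticated event (the lines the grep -v would drop)."""
    if 'eDirectory#' not in line:              # same first filter as the grep
        return None
    head = SYSLOG_HEAD.match(line)
    rec = {
        'time': head.group(1) if head else None,
        'host': head.group(2) if head else None,
        'source': field(line, 'Source'),
        'event': field(line, 'Name', after='Event', before='SubEvent'),
        'subevent': field(line, 'SubEvent'),
        'initiator': field(line, 'Name', after='Initiator', before='Target'),
        'initiator_addr': field(line, 'SysAddr', after='Initiator', before='Target'),
        'target': field(line, 'Name', after='Target', before='Action'),
        'outcome': field(line, 'Outcome'),
        'extended_outcome': field(line, 'ExtendedOutcome'),
        'details': field(line, 'Details'),
        'null_password': field(line, 'NullPassword'),
    }
    # Category labels are this example's own, not XDAS terminology.
    if rec['event'] == 'ACCOUNT_UNLOCK':
        rec['category'] = 'account-unlock'        # Locked By Intruder cleared
    elif rec['null_password'] == 'TRUE':
        rec['category'] = 'anonymous-bind'        # no password, Outcome still 0
    elif rec['extended_outcome'] not in (None, '0'):
        rec['category'] = 'failed-login' if rec['event'] == 'CREATE_SESSION' else 'failure'
    else:
        return None
    return rec


def scan(lines):
    """Triage every line and keep the hits, in input order."""
    return [r for r in (triage(ln) for ln in lines) if r is not None]


def summarize(records):
    """Hit counts per category, for a quick tally of a day's file."""
    return Counter(r['category'] for r in records)


if __name__ == '__main__':
    hits = scan(SAMPLE_LINES)
    for r in hits:
        print(f"{r['time']} {r['host']} {r['category']:15} {r['initiator']} "
              f"from {r['initiator_addr']} -> {r['target']} "
              f"[{r['extended_outcome']}] {r['details'] or ''}")
    print(dict(summarize(hits)))
```

Run against a real messages file with `scan(open(path))`; the initiator SysAddr and the target name are the two fields that turn a count of -1642 failures into something an analyst can act on, which the bare grep output does not surface.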
!! More Information
There might be more information for this subject on one of the following: