XDAS for eDirectory

Overview#

XDAS for eDirectory is the replacement for Novell Audit and uses XDAS.

As most eDirectory implementations use Universal Password login methods, which are handled as SASL using NMAS_LOGIN, implementing XDAS for NMAS is key for monitoring most login XDAS events.

Logging XDAS for eDirectory#

Grepping logs#

In this example, using eDirectory 9.0.3.1 (40005.13), XDAS events are sent to a logging server and the log file is grepped for a single server:
grep 'eDirectory#' /logfiles/../messages |grep -v '"ExtendedOutcome" : "0"'
This appears to catch most of the "bad" events, although not all of them are shown below.

"Login Failed" "-1642" LDAP_INVALID_CREDENTIALS#

Aug 8 01:05:36 nlinux0038/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"},"Target" : {"Data" : {"ClassName" : "User","Name" : "CN=admin,OU=admins,OU=esc,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#216269013#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533704736},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}

"Account Locked" "-1668" LDAP_INVALID_CREDENTIALS#

Jul 30 13:52:00 nlinux0041/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.27.41:39026"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=MASTERK5,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#51642389#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1532973120},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1668","Details" : "Account locked"}

"Account Disabled" LDAP_INVALID_CREDENTIALS#

Aug 8 08:50:59 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "0"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.23.117:49798"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#220987400#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533732659},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-1667","Details" : "Account Disabled"}

"-779" = "FAILED_LOGIN Counter Increment"#

Aug 8 10:16:40 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Assertions" : {"NullPassword" : "FALSE","bindery login" : "FALSE"},"Target" : {"Data" : {"ClassName" : "NCP Server","SubTarget" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_LOGIN_EX"},"Time" : {"Offset" : 1533737800},"Log" : {"Severity" : 7},"Outcome" : "1","ExtendedOutcome" : "-779"}

"ExtendedOutcome" : "-222" => PASSWORD_EXPIRED LDAP_INVALID_CREDENTIALS#

Aug 8 11:43:23 nlinux0039/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Id" : "nds:7"},"Entity" : {"SysAddr" : "10.92.181.48","SysName" : "nlinux0052.nwie.net","SvcName" : "nmas"},"Initiator" : {"Account" : {"Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.22.43:32964"},"Target" : {"Data" : {"ClassName" : "User","Name" : "uniqueID=screen01,OU=Int,OU=people,dc=example,dc=pilot","SubTarget" : "CN=Nlinux0052INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Account" : {"Domain" : "PILOT"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "nmas#222036133#","SubEvent" : "DSE_NMAS_LOG_FINISH_LOGIN_STATUS"},"Time" : {"Offset" : 1533743003},"Log" : {"Severity" : 7},"Outcome" : "2","ExtendedOutcome" : "-222"}

"Public" "NullPassword" : "TRUE" Anonymous bind (ie. no password provided)#

Anonymous bind is NOT matched by the grep and is generally NOT considered an error, but it is often a critical monitoring or auditing event.
Aug 8 10:37:19 nlinux0038/nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.53","SysName" : "nlinux0053.nwie.net"},"Initiator" : {"Account" : {"Name" : "Public"},"Entity" : {"SysAddr" : "10.22.19.207:57422"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"},"Target" : {"Data" : {"Name" : "Public","SubTarget" : "CN=nlinux0053INT,OU=servers,OU=esc,dc=example,dc=pilot","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION","CorrelationID" : "eDirectory#4294967295#","SubEvent" : "DSE_LOGIN_EX"},"Time" : {"Offset" : 1533739039},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}

"ACCOUNT_UNLOCK"#

ACCOUNT_UNLOCK is NOT matched by the grep and is generally NOT considered an error, but it is often a critical monitoring or auditing event.
Aug 8 07:47:49 nlinux0041/nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47","SysName" : "nlinux0052.nwie.net"},"Initiator" : {"Account" : {"Domain" : "PILOT","Name" : "CN=nlinux0052IDV,OU=servers,OU=esc,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.92.181.47:0"},"Target" : {"Data" : {"Attribute Name" : "Locked By Intruder","Attribute Value" : "True","ClassName" : "User","Name" : "uniqueID=jwilleke,OU=Int,OU=people,dc=example,dc=pilot","Syntax" : "7","Version" : "2"},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK","CorrelationID" : "eDirectory#0#e91eabe8-4727-45e5-b0d4-e8ab1ee92747","SubEvent" : "DSE_DELETE_VALUE"},"Time" : {"Offset" : 1533728869},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}
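The grep above keys only on a non-zero ExtendedOutcome, so it misses the anonymous bind and ACCOUNT_UNLOCK events noted in the last two sections. The following added example (not part of this wiki page or of eDirectory itself) parses the JSON payload of each syslog line instead and tags the page's ExtendedOutcome codes, NullPassword binds and ACCOUNT_UNLOCK events. It assumes the standard XDAS nesting in which Observer, Initiator, Target and Action are top-level siblings of Source; the sample lines are constructed from the page's examples with fields trimmed and the closing braces the wiki rendering dropped restored, and the last one is deliberately truncated to show that such lines are skipped rather than mis-parsed.

```python
import json
import re
# Syslog prefix as in the page's examples: "Mon dd hh:mm:ss host eDirectory: INFO {json}"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ eDirectory: \w+ (?P<json>\{.*\})$")

# ExtendedOutcome codes the page names (eDirectory / NMAS error codes)
OUTCOME_NAMES = {"-1642": "Login Failed", "-1668": "Account locked", "-1667": "Account Disabled",
                 "-779": "FAILED_LOGIN counter increment", "-222": "PASSWORD_EXPIRED"}

def parse_xdas_line(line):
    """Return the decoded XDAS JSON payload of one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        return json.loads(m.group("json"))
    except ValueError:  # truncated payload (the page's copies lost their closing braces)
        return None

def classify(event):
    """Tags for one event: non-zero ExtendedOutcome, plus the audit events the grep does not match."""
    tags = []
    action = event.get("Action", {})
    ext = str(action.get("ExtendedOutcome", "0"))
    if ext != "0":
        tags.append(OUTCOME_NAMES.get(ext, "ExtendedOutcome " + ext))
    if event.get("Initiator", {}).get("Assertions", {}).get("NullPassword") == "TRUE":
        tags.append("Anonymous bind")
    if action.get("Event", {}).get("Name") == "ACCOUNT_UNLOCK":
        tags.append("ACCOUNT_UNLOCK")
    return tags

def scan(lines):
    """Return (initiator DN, tags) for every parseable line that gets at least one tag."""
    hits = []
    for event in filter(None, map(parse_xdas_line, lines)):
        tags = classify(event)
        if tags:
            hits.append((event.get("Initiator", {}).get("Account", {}).get("Name"), tags))
    return hits

# Constructed sample lines modelled on the page's examples (fields trimmed, closing braces restored)
SAMPLE_LOG = [
    'Aug 8 01:05:36 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Initiator" : {"Account" : {"Name" : "CN=admin,OU=admins,dc=example,dc=pilot"},"Entity" : {"SysAddr" : "10.22.21.11:47790"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "1","ExtendedOutcome" : "-1642","Details" : "Login Failed"}}',
    'Aug 8 10:37:19 nlinux0053 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "Public"},"Assertions" : {"NullPassword" : "TRUE","bindery login" : "FALSE"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_SESSION"},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Aug 8 07:47:49 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Initiator" : {"Account" : {"Name" : "CN=nlinux0052IDV,OU=servers,dc=example,dc=pilot"}},"Target" : {"Data" : {"Attribute Name" : "Locked By Intruder","Name" : "uniqueID=jwilleke,OU=people,dc=example,dc=pilot"}},"Action" : {"Event" : {"Id" : "0.0.0.10","Name" : "ACCOUNT_UNLOCK"},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Aug 8 12:00:00 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#DS","Action" : {"Event" : {"Name" : "CREATE_SESSION"},"Outcome" : "0","ExtendedOutcome" : "0"}}',
    'Aug 8 12:00:01 nlinux0052 eDirectory: INFO {"Source" : "eDirectory#NMAS","Action" : {"Outcome" : "2","ExtendedOutcome" : "-1668"}',
]
```

Running scan(SAMPLE_LOG) reports the failed admin login, the anonymous bind and the unlock, skips the successful session, and silently drops the truncated line; feed it the real messages file one line at a time to replace the grep.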
