--- title: Viewing the LDAP changelog, change sequence numbers, and monitoring information description: View changelog entries using ldapsearch. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_view_ldap_changelog_ldapsearch canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_view_ldap_changelog_ldapsearch.html revdate: September 13, 2023 page_aliases: ["pd_ds_view_ldap_changelog_ldapsearch_steps.adoc", "pd_ds_view_ldap_change_seq_numbers.adoc", "pd_ds_view_ldap_changelog_monit_info.adoc"] section_ids: viewing-the-ldap-changelog-using-ldapsearch: Viewing the LDAP changelog using ldapsearch steps: Steps example: Example: example-2: Example: result: Result: viewing-the-ldap-change-sequence-numbers: Viewing the LDAP change sequence numbers about-this-task: About this task steps-2: Steps example-3: Example: result-2: Result: viewing-ldap-changelog-monitoring-information: Viewing LDAP changelog monitoring information about-this-task-2: About this task steps-3: Steps example-4: Example: result-3: Result: --- # Viewing the LDAP changelog, change sequence numbers, and monitoring information View changelog entries using `ldapsearch`. All records in the changelog are immediate children of the `cn=changelog` entry and are named with the `changeNumber` attribute. Changes are represented in the form documented in the `draft-good-ldap-changelog` specification with the `targetDN` attribute providing the distinguished name (DN) of the updated entry, the `changeType` attribute providing the type of operation (`add`, `delete`, `modify`, or `modDN`), and the changes attribute providing a base64-encoded representation of the attributes included in the entry (for `add` operations) or the changes made (for `modify` operations) in LDIF form. View the changes by decoding the encoded value using the `base64` `decode` utility. The [UnboundID LDAP SDK for Java](https://github.com/pingidentity/ldapsdk/releases) also provides support for parsing changelog entries. ## Viewing the LDAP changelog using ldapsearch ### Steps 1. By default, only users with the `bypass-acl` or `bypass-read-acl` privilege can access changelog entries. To grant control permission to allow other users to see changelog entries, use a global ACI like the following: #### Example: ```shell $ bin/dsconfig set-access-control-handler-prop --add 'global-aci:(targetattr="*||+")(target="ldap:///cn=changelog")(version 3.0; acl "Access to the changelog backend for the admin account"; allow (read,search,compare) userdn="ldap:///uid=admin,dc=example,dc=com";)' ``` 2. Use `ldapsearch` to view the changelog. #### Example: ```shell $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt --baseDN cn=changelog --dontWrap "(objectclass=*)" ``` #### Result: ``` dn: cn=changelog objectClass: top objectClass: untypedObject cn: changelog dn: changeNumber=1,cn=changelog objectClass: changeLogEntry objectClass: top targetDN: uid=user.0,ou=People,dc=example,dc=com changeType: modify changes:: cmVwbGFjZTogbW9iaWxlCm1vYmlsZTogKzEgMDIwIDE1NCA5Mzk4Ci0KcmVwbGFjZToga G9tZVBob25lCmhvbWVQaG9uZTogKzEgMjI1IDIxNiA0OTQ5Ci0KcmVwbGFjZTogZ2l2ZW5OYW1lCmdp dmVuTmFtZTogQWFyb24KLQpyZXBsYWNlOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogdGhpcyBpcyB 0aGUgZGVzY3JpcHRpb24gZm9yIEFhcm9uIEF0cC4KLQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZG lmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlc GxhY2U6IGRzLXVwZGF0ZS10aW1lCmRzLXVwZGF0ZS10aW1lOjogQUFBQkhQOHpUR0E9Cgo= changenumber: 1 dn: changeNumber=2,cn=changelog objectClass: changeLogEntry objectClass: top targetDN: dc=example,dc=com changeType: modify changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q zYwNDA5MzAwMDAwMDAyCgo= changenumber: 2 ``` ## Viewing the LDAP change sequence numbers ### About this task The changelog displays the server state information, which is important for failover between servers during synchronization operations. The server state information is exchanged between the servers in the network (LDAP servers and replication servers) as part of the protocol start message. It also helps the client application determine which server is most up-to-date. ### Steps * Make sure the `uid=admin` account has the necessary access rights to the `cn=changelog` backend. #### Example: ```shell $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt --baseDN cn=changelog --dontWrap "(objectclass=*)" "+" ``` #### Result: ``` dn: cn=changelog dn: changeNumber=1,cn=changelog entry-size-bytes: 182 targetUniqueId: 68147342-1f61-3465-8489-3de58c532130 changeTime: 20111023002624Z lastReplicaCSN: 0000011D27184D9E303000000001 replicationCSN: 0000011D27184D9E303000000001 replicaIdentifier: 12336 dn: changeNumber=2,cn=changelog entry-size-bytes: 263 targetUniqueId: 4e9b7847-edcb-3791-b11b-7505f4a55af4 changeTime: 20111023002624Z lastReplicaCSN: 0000011D27184F2E303000000002 replicationCSN: 0000011D27184F2E303000000002 replicaIdentifier: 12336 ``` ## Viewing LDAP changelog monitoring information ### About this task The changelog contains a monitor entry accessed over LDAP, JConsole, the admin console, or SNMP. Make sure the account you're using to request the monitor information has the necessary access rights to the data under `cn=monitor`. You might need to add a global ACI to grant the appropriate users permission to access monitor data. ### Steps * Use `ldapsearch` to view the changelog monitor entry. #### Example: ```shell $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt --baseDN cn=changelog,cn=monitor "(objectclass=*)" ``` #### Result: ``` dn: cn=changelog,cn=monitor objectClass: top objectClass: ds-monitor-entry objectClass: extensibleObject cn: changelog changelog: cn=changelog firstchangenumber: 1 lastchangenumber: 8 lastpurgedchangenumber: 0 firstReplicaChange: 16225:0000011D0205237F3F6100000001:5 firstReplicaChange: 16531:0000011CFF334C60409300000002:1 lastReplicaChange: 16225:0000011D02054E8B3F6100000002:7 lastReplicaChange: 16531:0000011CFF334C60409300000002:1 oldest-change-time: 20081015063104Z ...(more data)... ```