PingDirectory

Managing Admin Alert Access Logs

Admin Alert Access Logs are a specialized form of filtered log that automatically generates an administrative alert when an access log message matches the criteria configured for the log publisher.

About access log criteria

Configuring an Admin Alert Access Log requires you to configure the criteria for the access log messages.

Each criteria object can be either a Simple or an Aggregate type. The Simple type matches on a set of properties for the client connection, the operation request, and the contents of any operation-specific requests or results. The Aggregate type provides criteria that contain a Boolean combination of other operation-specific criteria objects.

For more information, see the Ping Identity Directory Server Configuration Reference.

The criteria can be one or more of the following:

Connection Criteria

Defines sets of criteria for grouping and describing client connections based on several properties, including:

  • Protocol

  • Client address

  • Connection security

  • Authentication state

Request Criteria

Defines sets of criteria for grouping and describing operation requests based on several properties, including:

  • Properties for the associated client connection

  • The type of operation

  • Targeted entry

  • Request controls

  • Target attributes

  • Other operation-specific terms

Result Criteria

Defines sets of criteria for grouping and describing operation results based on several properties, including:

  • The associated client connection and operation request

  • The result code

  • Response controls

  • Privileges missing or used

  • Other operation-specific terms

Search Entry Criteria

Defines sets of criteria for grouping and describing search result entries based on several properties, including:

  • The associated client connection and operation request

  • The entry location and contents

  • Included controls

Search Reference Criteria

Defines sets of criteria for grouping and describing search result references based on several properties, including:

  • The associated client connection and operation request

  • Reference contents

  • Included controls

Configuring an Admin Alert Access Log publisher

Before configuring an Admin Alert Access Log, you must establish an administrative alert handler in your system.

Steps

  1. To create a criteria object for the Admin Alert Access Log, use dsconfig.

    If you are using the dsconfig tool in interactive mode, the menu items for the criteria operations are located in the Standard objects menu.

    Example:

    For this example, we want to log only write operations that target user entries. The following command matches any of the specified operations whose target entry matches the filter (objectClass=person).

    $ bin/dsconfig create-request-criteria --type simple \
      --criteria-name "User Updates" \
      --set operation-type:add \
      --set operation-type:delete \
      --set operation-type:modify \
      --set operation-type:modify-dn \
      --set "any-included-target-entry-filter:(objectClass=person)"

  2. To create a log publisher of type admin-alert-access, use dsconfig.

    Example:

    $ bin/dsconfig create-log-publisher \
      --publisher-name "User Updates Admin Alert Access Log" \
      --type admin-alert-access \
      --set "request-criteria:User Updates" \
      --set include-request-details-in-result-messages:true \
      --set enabled:true
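
The following added example (not part of the product documentation or the server's own code) models how the "User Updates" Simple criteria and an Aggregate combination select the operations that would raise an alert. The `Operation` record, the `FROM_PROVISIONER` and `UNEXPECTED_USER_UPDATES` criteria, the addresses, and the sample entries are assumptions constructed for illustration, and the filter handling covers only an objectClass equality match.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List

@dataclass(frozen=True)
class Operation:
    """Constructed stand-in for one logged operation (not the server's log format)."""
    op_type: str                    # add, delete, modify, modify-dn, search, ...
    target_dn: str
    object_classes: FrozenSet[str]  # objectClass values of the targeted entry
    client_address: str

Criteria = Callable[[Operation], bool]

def simple_request(op_types: Iterable[str] = (), target_object_class: str = "",
                   client_addresses: Iterable[str] = ()) -> Criteria:
    """Simple type. In this model every property that is set must match, and a
    multi-valued property matches when any one of its values matches."""
    types, addrs = frozenset(op_types), frozenset(client_addresses)
    oc = target_object_class.lower()
    def match(op: Operation) -> bool:
        return ((not types or op.op_type in types)
                and (not oc or oc in {c.lower() for c in op.object_classes})
                and (not addrs or op.client_address in addrs))
    return match

def aggregate(all_of=(), any_of=(), none_of=()) -> Criteria:
    """Aggregate type: Boolean combination of other criteria objects."""
    def match(op: Operation) -> bool:
        return (all(c(op) for c in all_of)
                and (not any_of or any(c(op) for c in any_of))
                and not any(c(op) for c in none_of))
    return match

def alerts(criteria: Criteria, ops: Iterable[Operation]) -> List[str]:
    """Target DNs of the operations that would raise an administrative alert."""
    return [op.target_dn for op in ops if criteria(op)]

# "User Updates" as configured on this page: write operations on person entries.
USER_UPDATES = simple_request({"add", "delete", "modify", "modify-dn"}, "person")
# Hypothetical second criteria object: requests from a provisioning host.
FROM_PROVISIONER = simple_request(client_addresses={"10.0.0.20"})
# Hypothetical aggregate: user updates that did not come from that host.
UNEXPECTED_USER_UPDATES = aggregate(all_of=[USER_UPDATES], none_of=[FROM_PROVISIONER])

SAMPLE_OPS = [  # constructed sample data
    Operation("modify", "uid=alice,ou=People,dc=example,dc=com", frozenset({"person", "inetOrgPerson"}), "10.0.0.5"),
    Operation("search", "uid=alice,ou=People,dc=example,dc=com", frozenset({"person"}), "10.0.0.5"),
    Operation("delete", "cn=printers,ou=Groups,dc=example,dc=com", frozenset({"groupOfNames"}), "10.0.0.5"),
    Operation("add", "uid=bob,ou=People,dc=example,dc=com", frozenset({"person"}), "10.0.0.20"),
]
```

Calling `alerts(USER_UPDATES, SAMPLE_OPS)` selects the two writes to person entries, while `alerts(UNEXPECTED_USER_UPDATES, SAMPLE_OPS)` drops the one issued from the provisioning host.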