PingDirectory

Managing the File-Based Audit Log Publishers

The PingDirectory server provides an audit log, a specialized version of the access log, for troubleshooting problems that might occur during processing.

The log records all changes to the data in LDIF format so that administrators can quickly diagnose the changes an application made to the data or replay the changes to another server for testing purposes.

The audit log does not record authentication attempts but can be used in conjunction with the access log to troubleshoot security-related issues. Because the audit log adversely impacts the server’s write performance, it is disabled by default.

Audit log format

The audit log uses standard LDIF format so that administrators can analyze what changes occurred to the data. The audit log begins logging when enabled and should be used to debug any issues that might have occurred.

Common properties include:

Timestamp

Displays the date and time of the operation. Format: DD/Month/YYYY:HH:MM:SS <offset from UTC time>.

Connection ID

Numeric identifier, starting incrementally with 0, that identifies the client connection that is requesting the operation.

Operation ID

Numeric identifier, starting incrementally with 0, that identifies the operation.

Modifiers Name

Displays the distinguished name (DN) of the user who made the change.

Update Time

Records the modifyTimestamp operational attribute.

Audit log example

The following example shows output from the audit log in <server-root>/logs/audit. The first entry shows when the audit log was enabled. The second entry shows changes made to a user entry.

# 05/Jun/2011:10:29:04 -0500; conn=0; op=55
dn: cn=File-Based Audit Logger,cn=Loggers,cn=config
changetype: modify
replace: ds-cfg-enabled
ds-cfg-enabled: true
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20131010020345.546Z

# 05/Jun/2011:10:31:20 -0500; conn=2; op=1
dn: uid=user.996,ou=People,dc=example,dc=com
changetype: modify
replace: pager
pager: +1 115 426 4748
-
replace: homePhone
homePhone: +1 407 383 4949
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20131010020345.546Z

Enabling the File-Based Audit Log Publisher

About this task

Enable the File-Based Audit Log Publisher using the dsconfig tool. The audit log impacts the PingDirectory server’s write performance. Enable it only when troubleshooting.

Steps

  • To enable the File-Based Audit Log Publisher, run dsconfig.

    Example:

    In this example, the instance name and startup ID are also enabled in the audit log.

    $ bin/dsconfig set-log-publisher-prop \
      --publisher-name "File-Based Audit Logger" \
      --set enabled:true \
      --set include-instance-name:true \
      --set include-startup-id:true

Obscuring values in the audit log

About this task

Each value of an obscured attribute is replaced in the audit log with OBSCURED VALUE.

Steps

  • To obscure the values of specific attributes in the audit log, use the obscure-attribute property.

    By default, attributes are not obscured because the values of password attributes appear in hashed form rather than in cleartext.
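The following script is an added example, not part of the PingDirectory documentation or product. It parses audit log records of the format described above (the "# timestamp; conn=N; op=N" header followed by an LDIF change record), which is what an administrator reviewing <server-root>/logs/audit or feeding it into a SIEM needs to do, and it demonstrates two things the page discusses: spotting the entry that switches the File-Based Audit Logger itself on or off (a switch to false silences the log being reviewed, so it is worth alerting on), and the effect of the obscure-attribute property. The obscure_values function only imitates that effect on already-parsed records; it assumes the placeholder text is exactly "OBSCURED VALUE" as stated on this page, whereas the real replacement is done by the server's log publisher. The sample log text is constructed from the excerpt on this page; the record class, function names and the AUDIT_LOGGER_DN constant are this example's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the shape of the page's audit log excerpt.
SAMPLE_AUDIT_LOG = """\
# 05/Jun/2011:10:29:04 -0500; conn=0; op=55
dn: cn=File-Based Audit Logger,cn=Loggers,cn=config
changetype: modify
replace: ds-cfg-enabled
ds-cfg-enabled: true
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config

# 05/Jun/2011:10:31:20 -0500; conn=2; op=1
dn: uid=user.996,ou=People,dc=example,dc=com
changetype: modify
replace: pager
pager: +1 115 426 4748
-
replace: homePhone
homePhone: +1 407 383 4949
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20131010020345.546Z
"""

# Record header: "# DD/Mon/YYYY:HH:MM:SS <utc offset>; conn=N; op=N"
HEADER_RE = re.compile(r"^# (?P<ts>\S+ [+-]\d{4}); conn=(?P<conn>\d+); op=(?P<op>\d+)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
ACTIONS = ("add", "replace", "delete", "increment")
AUDIT_LOGGER_DN = "cn=file-based audit logger,cn=loggers,cn=config"  # example's own constant
OBSCURED = "OBSCURED VALUE"  # placeholder text as stated on the page (assumption: exact)


@dataclass
class AuditRecord:
    timestamp: datetime
    conn: int
    op: int
    dn: str = ""
    changetype: str = ""
    mods: list = field(default_factory=list)  # (action, attribute, [values]) per "-"-separated change

    @property
    def modifiers_name(self):
        for _, attr, values in self.mods:
            if attr.lower() == "modifiersname" and values:
                return values[0]
        return None


def parse_audit_log(text):
    """Split the LDIF audit log into one AuditRecord per header line."""
    records, rec, current = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = AuditRecord(datetime.strptime(m["ts"], TS_FORMAT), int(m["conn"]), int(m["op"]))
            records.append(rec)
            current = None
            continue
        if rec is None or not line.strip():
            continue
        if line == "-":  # separator between modifications of one modify record
            current = None
            continue
        name, _, value = line.partition(": ")
        if name == "dn":
            rec.dn = value
        elif name == "changetype":
            rec.changetype = value
        elif name in ACTIONS and current is None:
            current = (name, value, [])
            rec.mods.append(current)
        elif current is not None and name.lower() == current[1].lower():
            current[2].append(value)
        else:  # attribute lines of a "changetype: add" record carry no action keyword
            rec.mods.append(("add", name, [value]))
    return records


def audit_logger_toggles(records):
    """(op, new value) for every change to the audit logger's own enabled flag."""
    hits = []
    for r in records:
        if r.dn.lower() == AUDIT_LOGGER_DN:
            for _, attr, vals in r.mods:
                if attr.lower() == "ds-cfg-enabled":
                    hits.extend((r.op, v) for v in vals)
    return hits


def obscure_values(records, attrs):
    """Imitate obscure-attribute: replace each value of the listed attributes; input is left untouched."""
    wanted = {a.lower() for a in attrs}
    return [AuditRecord(r.timestamp, r.conn, r.op, r.dn, r.changetype,
                        [(act, attr, [OBSCURED] * len(vals) if attr.lower() in wanted else list(vals))
                         for act, attr, vals in r.mods]) for r in records]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r.timestamp.isoformat(), f"conn={r.conn} op={r.op}", r.dn, "by", r.modifiers_name)
    print("audit logger toggles:", audit_logger_toggles(recs))
    print(obscure_values(recs, ["homePhone", "pager"])[1].mods)
```

The parser keys on the header comment rather than on blank lines, so a multi-valued attribute or a record with extra blank lines still lands in the right AuditRecord. For real logs, point parse_audit_log at the file contents and feed audit_logger_toggles output to whatever alerting you use; a value of false for ds-cfg-enabled, or any change under cn=config by an unexpected modifiersName, is the condition to watch.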