IBM Support

Enabling Directory Server Audit Logging from the Command Line

Question & Answer


Question

How can I log activity coming into the Directory Server server?

Answer

There are two methods provided for enabling Audit logging. You can either use the Web Administration tool or use the command line method. This technote will cover the command line method. Please review the additional resources section at the end of this technote for more information on how you can use the audit log.

1. Audit Log Location:

The location of your audit log depends on your configuration.

The default location is as follows:

  • On Unix: <instance home>/idsslapd-<instance name>/logs/audit.log
  • On Windows: <Drive:>\<instance home>\idsslapd-<instance name>\logs\audit.log

To check if you have a custom location defined you can issue the following search command:
    idsldapsearch -h <hostname> -p <port#> -D <adminDN> -w <password> -s base -b "cn=Audit, cn=Log Management, cn=Configuration" objectclass=* ibm-slapdLog

Using the Command Line:

Note that this set of instructions enables auditing of all operations. For your environment you may only want to capture binds and searches or Adds and Modifies. Adjust the values as needed for your environment. For more information on Audit Logging, please refer to the knowledge center.

2. Enable the Audit Log:

Create a text file called audit_enable.ldif contains the ldif below:
    # start of audit_enable.ldif
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    replace: ibm-audit
    ibm-audit: TRUE
    -
    replace: ibm-auditAdd
    ibm-auditAdd: TRUE
    -
    replace: ibm-auditBind
    ibm-auditBind: TRUE
    -
    replace: ibm-auditDelete
    ibm-auditDelete: TRUE
    -
    replace: ibm-auditExtOPEvent
    ibm-auditExtOPEvent: TRUE
    -
    replace: ibm-auditFailedOPonly
    ibm-auditFailedOPonly: FALSE
    -
    replace: ibm-auditModify
    ibm-auditModify: TRUE
    -
    replace: ibm-auditModifyDN
    ibm-auditModifyDN: TRUE
    -
    replace: ibm-auditPerformance
    ibm-auditPerformance: TRUE
    -
    replace: ibm-auditPTABindInfo
    ibm-auditPTABindInfo: TRUE
    -
    replace: ibm-auditSearch
    ibm-auditSearch: TRUE
    -
    replace: ibm-auditUnbind
    ibm-auditUnbind: TRUE
    -
    replace: ibm-auditExtOp
    ibm-auditExtOp: TRUE
    -
    replace: ibm-auditExtOPEvent
    ibm-auditExtOpEvent: TRUE
    -
    replace: ibm-auditCompare
    ibm-auditCompare: TRUE
    -
    replace: ibm-auditGroupsOnGroupControl
    ibm-auditGroupsOnGroupControl: TRUE
    -
    replace: ibm-auditAttributesOnGroupEvalOp
    ibm-auditAttributesOnGroupEvalOp: TRUE
    -
    replace: ibm-auditVersion
    ibm-auditVersion: 3
    # End of audit_enable.ldif

Run the Command:
    idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_enable.ldif

If you need to change the audit.log file location to a folder where you have sufficient space:
Note: First create a folder in the file system where you have sufficient space and then change the folder permissions so that the instance user is able to write to that folder.
Create a text file called audit_logpath_update.ldif contains the ldif below:
    # start of audit_logpath_update.ldif
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    replace:ibm-slapdLog
    ibm-slapdLog: <path_to_new_folder>/audit.log
    # end of audit_logpath_update.ldif

Run the Command:

idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_logpath_update.ldif



3. Disable the audit.log:

Create a text file called audit_disable.ldif contains the ldif below.
    # start of audit_disable.ldif
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    replace: ibm-audit
    ibm-audit: FALSE
    # end of audit_disable.ldif

Run the command:
    idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_disable.ldif

Additional Resources:
ISIM Performance Tuning Guide
Resolving Slow Queries Using the Directory Server Audit log
Collecting Data for Directory Server: Performance Issues

[{"Product":{"code":"SSVJJU","label":"IBM Security Directory Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1;6.2;6.3;6.3.1;6.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
23 June 2018

UID

swg21405323