IBM Support

Enabling Directory Server Audit Logging from the Command Line

Technote (FAQ)


How can I log activity coming into the Directory Server server?


There are two methods provided for enabling Audit logging. You can either use the Web Administration tool or use the command line method. This technote will cover the command line method. Please review the additional resources section at the end of this technote for more information on how you can use the audit log.
1. Audit Log Location:

The location of your audit log depends on your configuration.

The default location is as follows:

  • On Unix: <instance home>/idsslapd-<instance name>/logs/audit.log
  • On Windows: <Drive:>\<instance home>\idsslapd-<instance name>\logs\audit.log

To check if you have a custom location defined you can issue the following search command:
    idsldapsearch -h <hostname> -p <port#> -D <adminDN> -w <password> -s base -b "cn=Audit, cn=Log Management, cn=Configuration" objectclass=* ibm-slapdLog

Using the Command Line:

Note that this set of instructions enables auditing of all operations. In your environment you may want to capture only binds and searches, or only adds and modifies. Adjust the values as needed. For more information on audit logging, refer to the Knowledge Center.

2. Enable the Audit Log:

Create a text file called audit_enable.ldif that contains the LDIF below:
    # start of audit_enable.ldif
    # A line containing only "-" ends each modification within the record.
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    replace: ibm-audit
    ibm-audit: TRUE
    -
    replace: ibm-auditAdd
    ibm-auditAdd: TRUE
    -
    replace: ibm-auditBind
    ibm-auditBind: TRUE
    -
    replace: ibm-auditDelete
    ibm-auditDelete: TRUE
    -
    replace: ibm-auditExtOPEvent
    ibm-auditExtOPEvent: TRUE
    -
    replace: ibm-auditFailedOPonly
    ibm-auditFailedOPonly: FALSE
    -
    replace: ibm-auditModify
    ibm-auditModify: TRUE
    -
    replace: ibm-auditModifyDN
    ibm-auditModifyDN: TRUE
    -
    replace: ibm-auditPerformance
    ibm-auditPerformance: TRUE
    -
    replace: ibm-auditPTABindInfo
    ibm-auditPTABindInfo: TRUE
    -
    replace: ibm-auditSearch
    ibm-auditSearch: TRUE
    -
    replace: ibm-auditUnbind
    ibm-auditUnbind: TRUE
    -
    replace: ibm-auditExtOp
    ibm-auditExtOp: TRUE
    -
    replace: ibm-auditCompare
    ibm-auditCompare: TRUE
    -
    replace: ibm-auditGroupsOnGroupControl
    ibm-auditGroupsOnGroupControl: TRUE
    -
    replace: ibm-auditAttributesOnGroupEvalOp
    ibm-auditAttributesOnGroupEvalOp: TRUE
    -
    replace: ibm-auditVersion
    ibm-auditVersion: 3
    # End of audit_enable.ldif

Run the Command:
    idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_enable.ldif
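
For the narrower case mentioned in the note above (for example, binds and searches only), the shell function below is an added example and not part of the original technote. It writes a modify record that sets the per-operation attributes from audit_enable.ldif to TRUE for the operations named and FALSE for the rest. The function name `gen_audit_ldif` and the output file name are assumptions, and the other audit attributes (ibm-auditVersion, ibm-auditFailedOPonly and so on) are left as they are on the server.

```shell
#!/bin/sh
# Added example: build an audit LDIF that enables only chosen operation types.
# Attribute names are the ones used in audit_enable.ldif; the function name
# and output file name are made up for this example.

# Per-operation switches this example toggles (suffixes of ibm-audit<Op>).
AUDIT_OPS="Add Bind Compare Delete ExtOp Modify ModifyDN Search Unbind"

# gen_audit_ldif OP...
# Writes one LDIF modify record to stdout.
# Returns 1 and writes no LDIF if an OP is not listed in AUDIT_OPS.
gen_audit_ldif() {
    # Reject unknown names before emitting anything, so a typo cannot
    # silently leave an operation unaudited.
    for want in "$@"; do
        case " $AUDIT_OPS " in
            *" $want "*) ;;
            *) echo "unknown operation: $want" >&2; return 1 ;;
        esac
    done

    echo "dn: cn=Audit, cn=Log Management, cn=Configuration"
    echo "changetype: modify"
    echo "replace: ibm-audit"
    echo "ibm-audit: TRUE"

    for op in $AUDIT_OPS; do
        value=FALSE
        case " $* " in
            *" $op "*) value=TRUE ;;
        esac
        echo "-"                        # ends the previous modification
        echo "replace: ibm-audit$op"
        echo "ibm-audit$op: $value"
    done
}

# Usage (not executed here): audit binds and searches only, then apply the
# file with the same idsldapmodify command as above.
#   gen_audit_ldif Bind Search > audit_bind_search.ldif
#   idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_bind_search.ldif
```

To keep the admin password out of the process list and shell history, the IBM client tools accept `-w ?` (quote the `?` in the shell) and prompt for the password instead.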

If you need to change the audit.log file location to a folder where you have sufficient space:

Note: First create a folder in the file system where you have sufficient space, then change the folder permissions so that the instance user is able to write to that folder.

Create a text file called audit_logpath_update.ldif that contains the LDIF below:
    # start of audit_logpath_update.ldif
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    replace: ibm-slapdLog
    ibm-slapdLog: <path_to_new_folder>/audit.log
    # end of audit_logpath_update.ldif

Run the Command:
    idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_logpath_update.ldif

3. Disable the audit.log:

Create a text file called audit_disable.ldif that contains the LDIF below:
    # start of audit_disable.ldif
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    replace: ibm-audit
    ibm-audit: FALSE
    # end of audit_disable.ldif

Run the command:
    idsldapmodify -h <hostname> -p <port#> -D <adminDN> -w <adminPW> -i audit_disable.ldif

Additional Resources:

  • ISIM Performance Tuning Guide
  • Resolving Slow Queries Using the Directory Server Audit log
  • Collecting Data for Directory Server: Performance Issues

Document information

More support for: IBM Security Directory Server

Software version: 6.1, 6.2, 6.3, 6.3.1, 6.4

Operating system(s): Platform Independent

Reference #: 1405323

Modified date: 20 April 2010