I've currently got stats logging turned on while I try to troubleshoot an application and I've noticed some rather strange searches going on. Strange in that the searches are for very high uidNumber values or for uid values that don't exist ... suggesting that someone might be trying to grab data from our server.
What I'm struggling with is trying to figure out from the logs (a) the IP address that these queries are coming from and/or (b) the authenticated account being used (even if anonymous).
For example, if I have a log line like this:
conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
is there anything I can do with the conn or op values to connect that particular search query to an earlier logged BIND log entry?
Or is there a different/better way for me to try and get the information I'm after?
Thanks.
Philip