I've currently got stats logging turned on while I try to troubleshoot an application and I've noticed some rather strange searches going on. Strange in that the searches are for very high uidNumber values or for uid values that don't exist ... suggesting that someone might be trying to grab data from our server.
What I'm struggling with is trying to figure out from the logs (a) the IP address that these queries are coming from and/or (b) the authenticated account being used (even if anonymous).
For example, if I have a log line like this:
conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
is there anything I can do with the conn or op values to connect that particular search query to an earlier logged BIND log entry?
Or is there a different/better way for me to try and get the information I'm after?
Thanks.
Philip
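The correlation being asked about, as an added worked example that is not part of this thread: with loglevel "stats" (256), slapd prefixes every line for the lifetime of a client connection with the same conn=N, so the SRCH line can be joined to that connection's ACCEPT line (which carries the client address) and to the last BIND whose RESULT tag=97 had err=0 (which carries the identity). A connection with no BIND at all, a BIND dn="", or a BIND that failed is anonymous at the time of the search. The script below walks a log in order, tracks that state per connection, and tags every search with its source and bound DN. The log lines are constructed sample data in the syslog layout, not lines from the poster's server; the uid=app and uid=guess accounts and the 203.0.113.x/198.51.100.x addresses are invented for the illustration.

```python
import re

# Constructed sample of slapd "stats" output (loglevel 256) as syslog writes it.
# These lines are invented for this example; they are not from the poster's server.
SAMPLE_LOG = """\
Apr  1 12:40:02 ldap slapd[2311]: conn=1928683 fd=41 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)
Apr  1 12:40:02 ldap slapd[2311]: conn=1928683 op=0 BIND dn="uid=app,ou=accounts,dc=linaro,dc=org" method=128
Apr  1 12:40:02 ldap slapd[2311]: conn=1928683 op=0 RESULT tag=97 err=0 text=
Apr  1 12:40:03 ldap slapd[2311]: conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Apr  1 12:40:03 ldap slapd[2311]: conn=1928683 op=24 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr  1 12:40:05 ldap slapd[2311]: conn=1928684 fd=42 ACCEPT from IP=198.51.100.9:40001 (IP=0.0.0.0:389)
Apr  1 12:40:05 ldap slapd[2311]: conn=1928684 op=0 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(uidNumber=999999999)"
Apr  1 12:40:05 ldap slapd[2311]: conn=1928684 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr  1 12:40:06 ldap slapd[2311]: conn=1928685 fd=43 ACCEPT from IP=198.51.100.9:40002 (IP=0.0.0.0:389)
Apr  1 12:40:06 ldap slapd[2311]: conn=1928685 op=0 BIND dn="uid=guess,ou=accounts,dc=linaro,dc=org" method=128
Apr  1 12:40:06 ldap slapd[2311]: conn=1928685 op=0 RESULT tag=97 err=49 text=
Apr  1 12:40:06 ldap slapd[2311]: conn=1928685 op=1 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(uid=nosuchuser)"
Apr  1 12:40:06 ldap slapd[2311]: conn=1928683 fd=41 closed
Apr  1 12:40:07 ldap slapd[2311]: conn=1928685 fd=43 closed (connection lost)
"""

ANON = "anonymous"

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from (\S+)")          # IP=host:port or PATH=... for ldapi
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BINDRES_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="(.*)"')
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed")


def _conn(conns, cid):
    """Tracking state for a conn id; a placeholder if its ACCEPT line was rotated away."""
    return conns.setdefault(cid, {"src": "unknown (ACCEPT line not in log)", "who": ANON, "pending": {}})


def correlate(log_text):
    """Attach the client address and the bound identity to every SRCH line in a stats log."""
    conns = {}
    searches = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            # conn ids restart at 0 when slapd restarts, so an ACCEPT for an id we still
            # track means a new daemon run; either way the state starts fresh and anonymous.
            conns[int(m[1])] = {"src": m[2], "who": ANON, "pending": {}}
        elif m := BIND_RE.search(line):
            # SASL binds log several BIND lines for one op; the last dn before RESULT is the effective one.
            _conn(conns, int(m[1]))["pending"][int(m[2])] = m[3] or ANON
        elif m := BINDRES_RE.search(line):
            c = _conn(conns, int(m[1]))
            dn = c["pending"].pop(int(m[2]), ANON)
            # A successful bind sets the identity; a failed one leaves the connection anonymous
            # (RFC 4511 section 4.2.1), which is what a password-guessing client looks like.
            c["who"] = dn if m[3] == "0" else f'{ANON} (BIND as "{dn}" failed, err={m[3]})'
        elif m := SRCH_RE.search(line):
            c = _conn(conns, int(m[1]))
            searches.append({
                "conn": int(m[1]), "op": int(m[2]), "src": c["src"], "who": c["who"],
                "base": m[3], "scope": int(m[4]), "filter": m[5],
            })
        elif m := CLOSED_RE.search(line):
            conns.pop(int(m[1]), None)
    return searches


def find(searches, conn, op):
    """Look up one search by the conn= and op= values printed on its SRCH line."""
    return next((s for s in searches if s["conn"] == conn and s["op"] == op), None)


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG):
        print(f'conn={s["conn"]} op={s["op"]} from {s["src"]} as {s["who"]}: {s["filter"]}')
```

For a one-off check on a single connection the same join can be done by hand with grep 'conn=1928683 ' /var/log/slapd.log (the trailing space keeps conn=19286830 from matching), reading the ACCEPT line for the address and the last BIND/RESULT tag=97 pair before op=24 for the identity. Two caveats when doing this over a long log: only join lines from the same slapd run (same PID in the syslog prefix), because conn numbers start again at 0 after a restart, and treat a search with no preceding BIND as anonymous rather than as missing data, since an anonymous client never sends one.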
Philip Colmer philip.colmer@linaro.org wrote on 01.04.2016 at 12:45 in
message CAKTSSTgD6zqMBmCckfWEcZFCK1KbtixkWkq-aLRB67pY8oe1rw@mail.gmail.com:
> I've currently got stats logging turned on while I try to troubleshoot an application and I've noticed some rather strange searches going on. Strange in that the searches are for very high uidNumber values or for uid values that don't exist ... suggesting that someone might be trying to grab data from our server.
> What I'm struggling with is trying to figure out from the logs (a) the IP address that these queries are coming from and/or (b) the authenticated account being used (even if anonymous).
> For example, if I have a log line like this:
> conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
> is there anything I can do with the conn or op values to connect that particular search query to an earlier logged BIND log entry?
I guess "conn=1928683" is the primary key for a connection on this run of slapd ;-)
> Or is there a different/better way for me to try and get the information I'm after?
> Thanks.
> Philip
openldap-technical@openldap.org