LDAP_CONNECTION: Server port number / Secure Connection / Start TLS
LDAP_BIND: Anonymous / Unauthenticated / Authenticated BIND
LDAP_BIND: Response Time
LDAP_SEARCH: Search Event Data (AND filter AND attributes AND extended operation, not OR)
LDAP_SEARCH_RESPONSE: Number of entries in response / Response Time
The destination port is not in the CEF output; I'm missing 389/636. The source IP and source port are there.
The customer wants to disallow all insecure BINDs, so he needs to know whether the client is using SSL/TLSv1.x, preferably the exact version.
Unauthenticated means a bind with a valid "suser" but without a password. The rights are the same as for an anonymous bind.
flexString1 is missing all the important data, such as the "search filter", "search attribute" and "control OID".
Only one of these three is logged; it should be all of them.
You cannot see the "search filter" if a "search attribute" is present.
For the response time/count requests, the advantage is performance measurement.
It is nice to see how long an LDAP_BIND or an LDAP_SEARCH request takes.
For the count, it is nice if we can see how many entries are returned in LDAP_SEARCH_RESPONSE.
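As an added illustration (not part of the request above, nor code from the product it concerns), the following script parses CEF lines, handling the `\=` and `\|` escapes that LDAP DNs and filters require, and reports which of the items asked for above are absent from each event. The sample lines, the vendor/product names, and the label names `filter`, `attributes` and `controlOID` are constructed assumptions.

```python
import re

# Constructed sample CEF events modelling the LDAP audit records discussed above.
# Vendor, product, IPs, ports, DNs and label names are made up for this example.
SAMPLE_LINES = [
    "CEF:0|ExampleVendor|ExampleDirectory|1.0|LDAP_BIND|Bind|3|"
    "src=10.0.0.5 spt=51234 suser=cn\\=alice,dc\\=example,dc\\=com cs1Label=tlsVersion cs1=TLSv1.2",
    "CEF:0|ExampleVendor|ExampleDirectory|1.0|LDAP_SEARCH|Search|3|"
    "src=10.0.0.5 spt=51234 dpt=636 flexString1Label=filter flexString1=(&(objectClass\\=person)(uid\\=alice))",
]

# Extension keys wanted on each LDAP event type: dpt (389/636) on every event,
# suser and a TLS-version label on binds. The label names are assumed, not vendor-defined.
REQUIRED_KEYS = {
    "LDAP_BIND": {"dpt", "suser", "cs1Label"},
    "LDAP_SEARCH": {"dpt"},
}
SEARCH_LABELS = {"filter", "attributes", "controlOID"}  # all three should be present

HEADER_SPLIT = re.compile(r"(?<!\\)\|")                    # '|' not preceded by a backslash
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")   # start of an unescaped key=value pair


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus a dict of extension key/values."""
    parts = HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ["version", "vendor", "product", "devversion", "sigid", "name", "severity"]
    event = {k: v.replace("\\|", "|") for k, v in zip(names, parts[:7])}
    ext, extension = parts[7], {}
    matches = list(EXT_KEY.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        extension[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    event["ext"] = extension
    return event


def audit(event: dict) -> list:
    """Return the requested items this event lacks, in sorted order."""
    sig, ext = event["sigid"], event["ext"]
    missing = [k for k in sorted(REQUIRED_KEYS.get(sig, ())) if k not in ext]
    if sig == "LDAP_SEARCH":
        labels = {v for k, v in ext.items() if k.endswith("Label")}
        missing += sorted(SEARCH_LABELS - labels)   # filter/attributes/control OID all wanted
    return missing


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_cef(line)
        print(ev["sigid"], "missing:", audit(ev))
```

Run against the two constructed lines, the bind event is reported as lacking `dpt` and the search event as lacking the `attributes` and `controlOID` labels, which mirrors the gaps described above.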