Idea ID: 2800207

Add more LDAP fields to CEF logging

Status: New Idea
over 1 year ago

LDAP_CONNECTION: Server port number / Secure Connection / Start TLS
LDAP_BIND: Anonymous / Unauthenticated / Authenticated BIND
LDAP_BIND: Response Time
LDAP_SEARCH: Search Event Data (AND filter AND attributes AND extended operation, not OR)
LDAP_SEARCH_RESPONSE: Number of entries in response / Response Time

Labels: Other

Comment
  • LDAP_CONNECTION
    The destination port is not in the CEF output; I'm missing 389/636, while the source IP and source port are there.
    The customer wants to disallow all unsecure BINDs, so he needs to know if the client is using SSL/TLSv1.x, preferably the exact version.

  • LDAP_BIND
    Unauthenticated is a bind with a valid "suser" but without a password. Rights are the same as for an anonymous bind.

  • LDAP_SEARCH
    flexString1 is missing all the important data like "search filter", "search attribute" and "control OID".
    Only one of these 3 is logged; it should be all of them.
    You cannot see the "search filter" if a "search attribute" is present.

  • On the response time/count requests, the advantage is performance measurement.
    It is nice to see how long an LDAP_BIND or an LDAP_SEARCH request takes.
    For the count, it is nice if we can see how many entries are returned in LDAP_SEARCH_RESPONSE.
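As an added example (not part of this idea, the comment, or the product's own CEF output), the script below shows how a defender would consume the requested fields once they exist: it parses CEF lines, correlates each LDAP_BIND to its LDAP_CONNECTION by source IP and source port, and flags binds over a connection without TLS as well as unauthenticated binds (a DN in "suser" with no password, which the server treats like an anonymous bind). The CEF keys src, spt, dpt, suser, flexString1/flexString1Label, cs1/cs1Label, cs2/cs2Label and cn1/cn1Label are standard CEF extension keys; the labels "tlsVersion", "bindType" and "responseTimeMs" are assumed names chosen here for the fields the idea asks for, and the sample events are constructed.

```python
"""Audit constructed LDAP CEF events for cleartext and unauthenticated binds.

Added example; the labels tlsVersion/bindType/responseTimeMs are assumptions,
not fields the product currently emits.
"""
import re

# Constructed sample events: 10.0.0.5:51234 binds over a cleartext connection,
# 10.0.0.9:40001 negotiated TLS and then performs an unauthenticated bind.
SAMPLE_EVENTS = [
    "CEF:0|Example|LDAP Server|1.0|LDAP_CONNECTION|Connection accepted|3|"
    "src=10.0.0.5 spt=51234 dpt=389 cs1Label=tlsVersion cs1=none",
    "CEF:0|Example|LDAP Server|1.0|LDAP_BIND|Bind request|3|"
    "src=10.0.0.5 spt=51234 suser=cn\\=app\\,o\\=corp "
    "cs2Label=bindType cs2=authenticated cn1Label=responseTimeMs cn1=7",
    "CEF:0|Example|LDAP Server|1.0|LDAP_CONNECTION|Connection accepted|3|"
    "src=10.0.0.9 spt=40001 dpt=389 cs1Label=tlsVersion cs1=TLSv1.2",
    "CEF:0|Example|LDAP Server|1.0|LDAP_BIND|Bind request|3|"
    "src=10.0.0.9 spt=40001 suser=cn\\=svc\\,o\\=corp "
    "cs2Label=bindType cs2=unauthenticated cn1Label=responseTimeMs cn1=3",
    "CEF:0|Example|LDAP Server|1.0|LDAP_SEARCH|Search request|2|"
    "src=10.0.0.9 spt=40001 flexString1Label=searchFilter flexString1=(uid\\=jdoe)",
]

# A key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def unescape(value):
    # Undo CEF extension escaping: backslash before '=', '\\', 'n' or 'r'.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_header(line):
    """Return the 7 pipe-delimited header fields and the raw extension string."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # '\|' is a literal pipe in the header
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    return fields, line[i:]


def parse_extension(ext):
    """Parse key=value pairs (values may contain spaces) and resolve
    csNLabel/csN, cnNLabel/cnN and flexString1Label/flexString1 into named keys."""
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].rstrip())
    for k in list(fields):
        if k.endswith("Label") and k[:-5] in fields:
            fields[fields[k]] = fields[k[:-5]]
    return fields


def audit(lines):
    """Return (src, suser, reason) findings for insecure binds."""
    tls_by_conn = {}      # (src, spt) -> TLS version reported on LDAP_CONNECTION
    findings = []
    for line in lines:
        header, ext = split_header(line)
        f = parse_extension(ext)
        sig, conn = header[4], (f.get("src"), f.get("spt"))
        if sig == "LDAP_CONNECTION":
            tls_by_conn[conn] = f.get("tlsVersion", "none")
        elif sig == "LDAP_BIND":
            # No TLS on the underlying connection: credentials crossed the wire in clear.
            if tls_by_conn.get(conn, "none") == "none":
                findings.append((f["src"], f.get("suser"), "bind over cleartext connection"))
            # DN supplied but no password: server grants anonymous rights only.
            if f.get("bindType") == "unauthenticated":
                findings.append((f["src"], f.get("suser"), "unauthenticated bind"))
    return findings


if __name__ == "__main__":
    for src, user, reason in audit(SAMPLE_EVENTS):
        print(f"{src} {user}: {reason}")
```

Correlating on (src, spt) is what makes the destination port and TLS version on LDAP_CONNECTION useful: the bind event itself need not repeat them, but without the connection event carrying them the cleartext check cannot be made at all.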
