How to gather useful Information from eDirectory log

0 Likes

over 8 years ago

Environment

NetIQ eDirectory for Linux x86_64 v8.8 SP6 [DS]

NetIQ eDirectory for Linux x86_64 v8.8 SP7 [DS]

NetIQ eDirectory for Linux x86_64 v8.8 SP8 [DS]

Situation

How to use ndstrace to find out the number of successful and unsuccessful authentications.

As a good practice, an eDirectory administrator needs to know the amount of authentications and LDAP traffic that have been received in order to verify the health, response time and performance of the eDirectory boxes.

This article explains how to set up the ndstrace utility and how to gather the log file in order to analyze the information.

Prerequisites

Here is what you will need in order to follow the procedure:

Access to the eDirectory server (via ssh or physical access)

Administrative user (i.e. your account is in the sudoers group)

The eDirectory box has at least 500 MB of free space (the more debug information you need, the more disk space is required)

Resolution

Get access to the server (in my case I'm using ssh) and sudo to get root access,

ssh login

Make sure that the eDirectory path is correctly set (in case it is not) you will need to go through your eDirectory bin path (in my case /opt/novell/eDirectory/bin) and execute the ndspath script.

ndspath

Execute ndstrace command.

ndstrace execution

Depending on the flags that are enabled, you can see some activity in the ndstrace screen. In order to get a clean trace, first you need to turn off all messages by executing (within the ndstrace screen):
```
# set ndstrace = nodebug
#ndstrace
```
clean_ndstrace

Once you have a clean screen, it's necessary to enable the LDAP , AUTH and TIME flags.
```
#set ndstrace=  LDAP
#set ndstrace=  AUTH
#set ndstrace=  TIME
```
ndstrace_auth

ndstrace_ldap

ndstrace_time

Once these flags are enabled, you will see traffic in the screen . Enter "exit" in order to close the ndstrace utility.

ndstrace_exit

After closing the ndstrace utility, you are returned to the terminal prompt. At this point it's necessary to redirect the ndstrace output to the log file (in my case I'm redirecting to the /tmp directory), so enter:
```
 #ndstrace -l > /tmp/someFileName.log
```
ndstrace_send_to_log

By doing that you only have to decide how much time you need to gather information (in my case I left the log for an hour). When you decide that you have enough information to work, just cancel the execution control c

Once you have enough information you can get important data by running the following commands:Total amount of simple authentications:
```
# grep "authentication:simple" someFileName.log |wc -l
```
Occurrences per authenticated user
```
#grep "authentication:simple" someFileName.log | cut -d " " -f 5 | sed 's/name://g' | sort | uniq -c
```
Failed authentication due to an invalid password
```
# grep "LocalLoginRequest" someFileName.log | grep "failed authentication (-669)" | wc -l
```
By checking those numbers you can have a good idea of how your eDir box is performing.

For more information about the ndstrace flags, you can see the Novell eDirectory guide http://www.novell.com/documentation/edir873/?page=/documentation/edir873/edir873/data/a2n4mbo.html