Add more LDAP fields to CEF logging

Idea ID 2800207

Add more LDAP fields to CEF logging

LDAP_CONNECTION: Server port number / Secure Connection / Start TLS
LDAP_BIND:  Anonymous / Unauthenticated / Authenticated BIND
LDAP_BIND: Response Time
LDAP_SEARCH: Search Event Data (AND filter AND attributes AND extended operation, not OR)
LDAP_SEARCH_RESPONSE: Number of entries in response / Response Time

 

 

Tags (3)
1 Comment
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

LDAP_CONNECTION
The destination port is not in the CEF output, I'm missing 389/636, the source IP and source port is there.
Customer wants to disallow all unsecure BIND, so he needs to know if the client is using SSL/TLSv1.x, preferably the exact version.

LDAP_BIND
Unauthenticated is bind with valid "suser", but without a password. Rights are same as anonymous bind.

LDAP_SEARCH
flexString1 is missing all the important data like "search filter", "search attribute" and "control OID".
Only one of these 3 are logged, it should be all of them.
You cannot see "search filter" if "search attribute" is present.

On the response time/count requests, the advantage is performance measurement.
It is nice to see how long a LDAP_BIND or a LDAP_SEARCH request takes.
For the count, it is nice if we can see how many entries are returned in LDAP_SEARCH_RESPONSE.

Top Voted Ideas: last 30 days
Most "Liked" Contributors
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.