From ca5c8ac56f4acf421a328c7b5273788a2cfdb664 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Tue, 18 Feb 2025 14:19:57 +0100 Subject: [PATCH 1/6] Add sunds option and match connections in logs --- ldap-stats.pl | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/ldap-stats.pl b/ldap-stats.pl index d7b52a4..3e5637e 100755 --- a/ldap-stats.pl +++ b/ldap-stats.pl @@ -8,10 +8,13 @@ # Author: LDAP Tool Box project # Author: David Coutadeur # -# Current Version: 8 +# Current Version: 9 # # Revision History: # +# Version 9 +# - add option --sunds to parse Sun DS logs (#36) +# # Version 8 # - add option --log24 for old openldap log format (logs without qtime/etime) (#35) # - Display n longer requests in ldap-stats.pl (qtime/etime) (#31) @@ -172,7 +175,8 @@ sub usage { . " -s Split attributes found used in searches\n" . " -D Use RFC5424 date format\n" . " --log24 Use OpenLDAP 2.4 log format (no qtime/etime)\n" - . " --log26 Use OpenLDAP 2.6 log format\n"; + . " --log26 Use OpenLDAP 2.6 log format\n" + . " --sunds Use Sun DS log format\n"; return; } @@ -207,6 +211,9 @@ sub usage { # Use OpenLDAP 2.6 log format my $log26 = 0; +# Use SunDS log format +my $sunds = 0; + # Maximum number of greater qtimes to display my $max_qtimes = 10; @@ -230,6 +237,7 @@ sub usage { 'split|s' => \$splitattrs, 'log24' => \$log24, 'log26' => \$log26, + 'sunds' => \$sunds, ); ### print a nice usage message 
@@ -507,14 +515,21 @@ sub storeOp my ( $month, $day, $hour ) = getTimeComponents($line); ### Check for a new connection - if ( $line =~ -/conn=(\d+) [ ] fd=\d+ [ ] (?:ACCEPT|connection) [ ] from/mx - ) + if ( + ( $sunds and $line =~ + /conn=(\d+) op=[-]?\d+ msgId=[-]?\d+ - fd=\d+ slot=\d+ LDAP connection from/m + ) + or $line =~ + /conn=(\d+) [ ] fd=\d+ [ ] (?:ACCEPT|connection) [ ] from/mx + ) { my $conn = $1; my $host; - if ( $line =~ /IP=(\d+\.\d+\.\d+\.\d+):/mx ) { + if ( $sunds and $line =~ /from (\d+\.\d+\.\d+\.\d+)/m ) { + $host = $1; + } + elsif ( $line =~ /IP=(\d+\.\d+\.\d+\.\d+):/mx ) { $host = $1; } elsif ( $line =~ /PATH=(\S+)/mx ) { From 7aeca15bffc6588dd65d666c25e2c16d08b353e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Tue, 18 Feb 2025 14:32:12 +0100 Subject: [PATCH 2/6] Parse BIND --- ldap-stats.pl | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/ldap-stats.pl b/ldap-stats.pl index 3e5637e..7b66165 100755 --- a/ldap-stats.pl +++ b/ldap-stats.pl @@ -627,9 +627,13 @@ sub storeOp ### Check for anonymous binds } - elsif ( $line =~ -/conn=(\d+) [ ] op=(\d+) [ ] BIND [ ] dn="" [ ] method=128/mx - ) + elsif ( + ( + $sunds and $line =~ /conn=(\d+) op=(\d+) msgId=\d+ - BIND dn="" method=128/m + ) + or $line =~ + /conn=(\d+) [ ] op=(\d+) [ ] BIND [ ] dn="" [ ] method=128/mx + ) { my $conn = $1; storeOp("$1,$2","$line"); @@ -650,9 +654,11 @@ sub storeOp ### Check for non-anonymous binds } - elsif ( $line =~ -/conn=(\d+) [ ] op=(\d+) [ ] BIND [ ] dn="([^"]+)" [ ] mech=/mx - ) + elsif ( + ($sunds and $line =~ /conn=(\d+) op=(\d+) msgId=\d+ - BIND dn="([^"]+)" method=/m ) + or $line =~ + /conn=(\d+) [ ] op=(\d+) [ ] BIND [ ] dn="([^"]+)" [ ] mech=/mx + ) { my $conn = $1; storeOp("$1,$2","$line"); From 7eed47a766a067306a17660f6ec2963a6a4bdd02 Mon Sep 17 00:00:00 2001 
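Review bot: The new host branch `if ( $sunds and $line =~ /from (\d+\.\d+\.\d+\.\d+)/m )` accepts only a dotted IPv4 peer, so a Sun DS connection line with any other peer form falls through to the `IP=` and `PATH=` branches, which are OpenLDAP formats. What happens to `$host` after that is outside the hunk, but the counters added later in this series are guarded by `defined $conns{$conn}` and `defined $hosts{ $conns{$conn} }`, so a connection that is not registered here would probably drop out of the authentication-failure and search totals. The connection pattern also requires the literal label `LDAP connection from`; if the server writes a different label for TLS listeners, those connections would not match either, which is worth checking against a real access log. A wider capture such as `/connection from (\S+)/m` would cover both cases, after confirming how the peer field is written.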
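Review bot: The Sun DS prefix `conn=(\d+) op=(\d+) msgId=\d+ - ` is written out by hand in this hunk and again in the hunks at -650, -680, -779, -849 and -878, which makes the six patterns easy to let drift apart. Compiling it once, for example `my $sunds_op = qr/conn=(\d+) op=(\d+) msgId=\d+ - /;`, and interpolating it would keep them aligned. The `/m` flag on these patterns has no effect because none of them uses `^` or `$`; the existing patterns use `/mx` with `[ ]`, so either follow that style or drop the flag. The patterns are also unanchored, so they can match text that appears later in a line, including inside a logged client-supplied DN or filter; tying the prefix to whatever precedes `conn=` in the Sun DS line format would tighten the bind counters.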
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Tue, 18 Feb 2025 14:45:20 +0100 Subject: [PATCH 3/6] Parse SRCH --- ldap-stats.pl | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/ldap-stats.pl b/ldap-stats.pl index 7b66165..c14b107 100755 --- a/ldap-stats.pl +++ b/ldap-stats.pl @@ -680,9 +680,11 @@ sub storeOp ### Check the search base } - elsif ( $line =~ -/\bconn=(\d+) [ ] op=(\d+) [ ] SRCH [ ] base="([^"]*?)" [ ] .*filter="([^"]*?)"/mx - ) + elsif ( + ($sunds and $line =~ /conn=(\d+) op=(\d+) msgId=\d+ - SRCH base="([^"]*?)" scope=\d filter="([^"]*?)" attrs=(.+)/m ) + or $line =~ + /\bconn=(\d+) [ ] op=(\d+) [ ] SRCH [ ] base="([^"]*?)" [ ] .*filter="([^"]*?)"/mx + ) { my $base = lc $3; storeOp("$1,$2","$line"); @@ -697,6 +699,20 @@ sub storeOp $filters{$filter}++; } + if ($sunds) { + my $attrs = lc $5; + $attrs =~ s/^"//; + $attrs =~ s/"$//; + if ($splitattrs) { + for my $attr ( split q{ }, $attrs ) { + $searchattributes{$attr}++; + } + } + else { + $searchattributes{$attrs}++; + } + } + ### Check for search attributes } elsif ( $line =~ /\bconn=(\d+) [ ] op=(\d+) [ ] SRCH [ ] attr=(.+)/mx ) { From 79acccd7971e5af1ba0846d319b8aefd8173618b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Tue, 18 Feb 2025 14:52:15 +0100 Subject: [PATCH 4/6] Parse UNBIND --- ldap-stats.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ldap-stats.pl b/ldap-stats.pl index c14b107..1f369e9 100755 --- a/ldap-stats.pl +++ b/ldap-stats.pl @@ -779,7 +779,8 @@ sub storeOp ### Check for unbinds } elsif ( - $line =~ /conn=(\d+) [ ] op=(\d+) [ ] UNBIND/mx ) + ( $sunds and $line =~ /conn=(\d+) op=(\d+) msgId=\d+ - UNBIND/m) + or $line =~ /conn=(\d+) [ ] op=(\d+) [ ] UNBIND/mx ) { my $conn = $1; storeOp("$1,$2","$line"); From b1c4893535cfa6b881df4c65860f96fac2732011 Mon Sep 17 00:00:00 2001 
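Review bot: `my $attrs = lc $5;` in the new `if ($sunds)` block reads a fifth capture that only the Sun DS alternative of the SRCH condition defines; the OpenLDAP alternative kept after `or` has four groups. When `--sunds` is set and a line matches through the OpenLDAP alternative, `$5` is undefined, which under `use warnings` raises an uninitialized-value warning and increments `$searchattributes{''}`. Guarding the block with `if ( $sunds and defined $5 ) {` keeps both formats usable in one run. `attrs=(.+)` is also greedy to the end of the line, so anything the server logs after the attribute list is counted as part of it. The enclosing elsif body starts in the previous hunk and continues past this one.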
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Tue, 18 Feb 2025 18:27:08 +0100 Subject: [PATCH 5/6] Check failed binds --- ldap-stats.pl | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/ldap-stats.pl b/ldap-stats.pl index 1f369e9..215b437 100755 --- a/ldap-stats.pl +++ b/ldap-stats.pl @@ -849,6 +849,33 @@ sub storeOp } } + ### Check the result of the last operation (log format SUNDS) + ### TODO: Add other err=X values from contrib/ldapc++/src/LDAPResult.h + } + elsif ( $sunds and $line =~ +/conn=(\d+) op=(\d+) msgId=\d+ - RESULT err=\d+ tag=\d+ nentries=\d+ etime=([\d.]+)/m + ) + { + my $conn = $1; + my $op = $2; + storeOp("$1,$2","$line"); + my $etime = $3; + $etime =~ tr/\.//d; # remove . => microsecond format + $etimes{"$conn,$op"} = $etime; + + if ( $line =~ /\berr=49\b/mx ) { + ### Increment the counters + if ( defined $conns{$conn} + && defined $hosts{ $conns{$conn} } ) + { + $hosts{ $conns{$conn} }{AUTHFAILURES}++; + $hours{$hour}{AUTHFAILURES}++; + $days{$day}{AUTHFAILURES}++; + $months{$month}{AUTHFAILURES}++; + $stats{TOTAL_AUTHFAILURES}++; + } + } + ### Check for entry changes: add, modify modrdn, delete } elsif ( $line =~ From a9d416653c776b8cda3ddfe38541bf2a3311e8e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Tue, 18 Feb 2025 18:33:54 +0100 Subject: [PATCH 6/6] Count searches and write operations --- ldap-stats.pl | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/ldap-stats.pl b/ldap-stats.pl index 215b437..1bb17db 100755 --- a/ldap-stats.pl +++ b/ldap-stats.pl @@ -686,6 +686,7 @@ sub storeOp /\bconn=(\d+) [ ] op=(\d+) [ ] SRCH [ ] base="([^"]*?)" [ ] .*filter="([^"]*?)"/mx ) { + my $conn = $1; my $base = lc $3; storeOp("$1,$2","$line"); my $filter = $4; 
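Review bot: The failed-bind test `if ( $line =~ /\berr=49\b/mx )` rescans the whole line instead of using the `err=\d+` field the outer pattern has just matched, so `err=49` appearing anywhere else on the line is counted as an authentication failure, and nothing ties the result to a bind. Capturing the code in the outer pattern, `RESULT err=(\d+) tag=\d+ nentries=\d+ etime=([\d.]+)`, and testing `$3 == 49` (with etime moving to `$4`) removes the second scan. Separately, `$etime =~ tr/\.//d;` yields microseconds only when the server writes exactly six decimals; a whole-second or differently scaled `etime` would be stored in `%etimes` as if it were microseconds. Normalising on the number of digits after the dot would make the longest-request report comparable across servers.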
@@ -711,6 +712,16 @@ sub storeOp else { $searchattributes{$attrs}++; } + ### Increment the counters + if ( defined $conns{$conn} + && defined $hosts{ $conns{$conn} } ) + { + $hosts{ $conns{$conn} }{SRCH}++; + $hours{$hour}{SRCH}++; + $days{$day}{SRCH}++; + $months{$month}{SRCH}++; + $stats{TOTAL_SRCH}++; + } } ### Check for search attributes @@ -878,7 +889,9 @@ sub storeOp ### Check for entry changes: add, modify modrdn, delete } - elsif ( $line =~ + elsif ( + ($sunds and $line =~ /conn=(\d+) op=(\d+) msgId=\d+ - (ADD|CMP|MOD|MODRDN|DEL)/m ) + or $line =~ /conn=(\d+) [ ] op=(\d+) [ ] (ADD|CMP|MOD|MODRDN|DEL) [ ] dn=/mx ) {
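Review bot: In the Sun DS alternative of the last hunk, `(ADD|CMP|MOD|MODRDN|DEL)` is the final element of the pattern, so on a MODRDN line the alternation stops at `MOD` and the match succeeds with `$3` set to `MOD`. The OpenLDAP pattern avoids this because the ` [ ] dn=` that follows forces the longer alternative. If the body, which is outside this hunk, keys its counters on `$3`, renames are reported as modifications in `--sunds` mode. Ending the group with a boundary, `(ADD|CMP|MOD|MODRDN|DEL)\b`, or listing `MODRDN` before `MOD`, fixes it.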