>>> Philip Colmer <[email protected]> wrote on 01.04.2016 at 12:45 in message
<caktsstgd6zqmbmcckfweczfck1kbtixkwkq-alrb67py8oe...@mail.gmail.com>:
> I've currently got stats logging turned on while I try to troubleshoot
> an application and I've noticed some rather strange searches going on.
> Strange in that the searches are for very high uidNumber values or for
> uid values that don't exist ... suggesting that someone might be
> trying to grab data from our server.
>
> What I'm struggling with is trying to figure out from the logs (a) the
> IP address that these queries are coming from and/or (b) the
> authenticated account being used (even if anonymous).
>
> For example, if I have a log line like this:
>
> conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2
> deref=0
> filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))
> ))"
>
> is there anything I can do with the conn or op values to connect that
> particular search query to an earlier logged BIND log entry?

I guess "conn=1928683" is the primary key for a connection on this run of slapd ;-)

>
> Or is there a different/better way for me to try and get the
> information I'm after?
>
> Thanks.
>
> Philip
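
Added example, not part of the original thread: a sketch of joining each SRCH line to the peer address and bind DN in force on the same `conn=` value. It assumes the usual slapd stats line shapes for ACCEPT, BIND and RESULT (`tag=97` is the bind response); the function name `attribute_searches` is hypothetical and all sample lines are constructed.

```python
import re

# Constructed sample in the style of slapd stats logging (addresses and DNs invented).
SAMPLE_LOG = """\
conn=1928683 fd=31 ACCEPT from IP=192.0.2.44:51234 (IP=0.0.0.0:389)
conn=1928683 op=0 BIND dn="uid=svc-app,ou=accounts,dc=example,dc=org" method=128
conn=1928683 op=0 RESULT tag=97 err=0 text=
conn=1928684 fd=32 ACCEPT from IP=198.51.100.7:40022 (IP=0.0.0.0:389)
conn=1928684 op=0 SRCH base="ou=accounts,dc=example,dc=org" scope=2 deref=0 filter="(uidNumber=99999)"
conn=1928683 op=24 SRCH base="ou=accounts,dc=example,dc=org" scope=2 deref=0 filter="(uid=tftp)"
conn=1928683 op=25 BIND dn="uid=nobody,ou=accounts,dc=example,dc=org" method=128
conn=1928683 op=25 RESULT tag=97 err=49 text=
conn=1928683 op=26 SRCH base="ou=accounts,dc=example,dc=org" scope=2 deref=0 filter="(uid=zzz)"
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from (\S+)")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="(.*)"')

def attribute_searches(lines):
    """Return one dict per SRCH with the peer and bind DN in force at that point."""
    peers, identity, pending, out = {}, {}, {}, []
    for line in lines:
        if m := ACCEPT.search(line):
            # New connection: starts anonymous. Overwriting also copes with conn
            # numbers being reused after a slapd restart.
            peers[m.group(1)], identity[m.group(1)] = m.group(2), ""
        elif m := BIND.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)  # requested, not yet confirmed
        elif m := RESULT.search(line):
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None:
                # A failed bind leaves the session anonymous (RFC 4511, 4.2.1).
                identity[conn] = dn if err == "0" else ""
        elif m := SRCH.search(line):
            conn, op, flt = m.groups()
            dn = identity.get(conn)  # None when the ACCEPT is not in this log
            out.append({"conn": conn, "op": op, "filter": flt,
                        "peer": peers.get(conn, "unknown"),
                        "bind_dn": "unknown" if dn is None else (dn or "anonymous")})
    return out

if __name__ == "__main__":
    for row in attribute_searches(SAMPLE_LOG.splitlines()):
        print(row["conn"], row["op"], row["peer"], row["bind_dn"], row["filter"])
```

If the ACCEPT line for a connection has already been rotated out of the log, the peer and bind DN are reported as `unknown` rather than guessed.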
