openldap/doc/man/man5/slapo-auditlog.5

.TH SLAPO-AUDITLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2005-2024 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo\-auditlog \- Audit Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.TP
ETCDIR/slapd.d
.SH DESCRIPTION
The Audit Logging overlay can be used to record all changes on a given
backend database to a specified log file. Changes are logged as standard
LDIF, with an additional comment header providing six fields of
information about the change. A second comment header is added at the end
of the operation to note the termination of the change.
.LP
For Add and Modify operations the identity comes from the modifiersName
associated with the operation. This is usually the same as the requestor's
identity, but may be set by other overlays to reflect other values.
.SH CONFIGURATION
Both slapd.conf and back-config style configuration are supported.
.TP
.B overlay auditlog
This directive loads the auditlog overlay.
.TP
.B auditlog <filename>
.TP
.B olcAuditlogFile: <filename>
Specify the fully qualified path for the log file.
.TP
.B auditlognonblocking {on|off}
.TP
.B olcAuditlogNonBlocking: {on|off}
Open <filename> in non-blocking mode.  Useful if <filename> is a named pipe
and slapd should not block if no reader is available.
.SH COMMENT FIELD INFORMATION
The first field is the operation type.
.br
The second field is the timestamp of the operation in seconds since epoch.
.br
The third field is the suffix of the database.
.br
The fourth field is the recorded modifiersName.
.br
The fifth field is the originating IP address and port.
.br
The sixth field is the connection number. A connection number of -1
indicates an internal slapd operation.
.SH EXAMPLE
The following LDIF could be used to add this overlay to
.B cn=config
(adjust to suit)
.LP
.RS
.nf
dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /tmp/auditlog.ldif
.fi
.RE
.LP
.LP
.SH EXAMPLE CHANGELOG
.LP
.RS
.nf
# modify 1614223245 dc=example,dc=com cn=admin,dc=example,dc=com IP=[::1]:47270 conn=1002
dn: uid=joepublic,ou=people,dc=example,dc=com
changetype: modify
replace: displayName
displayName: Joe Public
-
replace: entryCSN
entryCSN: 20210225032045.045229Z#000000#001#000000
-
replace: modifiersName
modifiersName: cn=admin,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20210225032045Z
-
# end modify 1614223245

.fi
.RE
.LP
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.TP
ETCDIR/slapd.d
default slapd configuration directory
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd\-config(5).
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.TH SLAPO-AUDITLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"`
Happy New Year! 2024-03-26 15:45:07 -04:00			`.\" Copyright 2005-2024 The OpenLDAP Foundation All Rights Reserved.`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.\" Copying restrictions apply. See COPYRIGHT/LICENSE.`
			`.\" $OpenLDAP$`
			`.SH NAME`
ITS#6023 minor formatting tweaks 2009-06-02 20:43:44 -04:00			`slapo\-auditlog \- Audit Logging overlay to slapd`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.SH SYNOPSIS`
			`ETCDIR/slapd.conf`
(ITS#5245) auditlog man page slapo-auditlog.5 2007-12-03 16:57:32 -05:00			`.TP`
			`ETCDIR/slapd.d`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.SH DESCRIPTION`
			`The Audit Logging overlay can be used to record all changes on a given`
			`backend database to a specified log file. Changes are logged as standard`
ITS#8454 - Add detailed information about auditlog format 2021-02-25 11:39:57 -05:00			`LDIF, with an additional comment header providing six fields of`
			`information about the change. A second comment header is added at the end`
			`of the operation to note the termination of the change.`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.LP`
			`For Add and Modify operations the identity comes from the modifiersName`
			`associated with the operation. This is usually the same as the requestor's`
			`identity, but may be set by other overlays to reflect other values.`
			`.SH CONFIGURATION`
slapo-auditlog: Add olcAuditlogNonBlocking to avoid blocking when logging to named pipes The default behaviour of fopen() when called on a named pipe which does not have any reader, is to block, until a reader opens the pipe. This blocks slapo-auditlog when it attempts to write output. Depending on how critical the audit log is, it may be preferable to discard audit log output and continue processing requests if there's no reader available. For clarity the call to fopen() is removed and replaced with open()/fdopen(), allowing us to specify O_* flags as opposed to using fopen() or open()/fdopen(). 0666 are the base permissions used by fopen() when files are created. 2025-07-01 07:57:08 -04:00			`Both slapd.conf and back-config style configuration are supported.`
			`.TP`
			`.B overlay auditlog`
			`This directive loads the auditlog overlay.`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.TP`
			`.B auditlog <filename>`
slapo-auditlog: Add olcAuditlogNonBlocking to avoid blocking when logging to named pipes The default behaviour of fopen() when called on a named pipe which does not have any reader, is to block, until a reader opens the pipe. This blocks slapo-auditlog when it attempts to write output. Depending on how critical the audit log is, it may be preferable to discard audit log output and continue processing requests if there's no reader available. For clarity the call to fopen() is removed and replaced with open()/fdopen(), allowing us to specify O_* flags as opposed to using fopen() or open()/fdopen(). 0666 are the base permissions used by fopen() when files are created. 2025-07-01 07:57:08 -04:00			`.TP`
			`.B olcAuditlogFile: <filename>`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`Specify the fully qualified path for the log file.`
			`.TP`
slapo-auditlog: Add olcAuditlogNonBlocking to avoid blocking when logging to named pipes The default behaviour of fopen() when called on a named pipe which does not have any reader, is to block, until a reader opens the pipe. This blocks slapo-auditlog when it attempts to write output. Depending on how critical the audit log is, it may be preferable to discard audit log output and continue processing requests if there's no reader available. For clarity the call to fopen() is removed and replaced with open()/fdopen(), allowing us to specify O_* flags as opposed to using fopen() or open()/fdopen(). 0666 are the base permissions used by fopen() when files are created. 2025-07-01 07:57:08 -04:00			`.B auditlognonblocking {on\|off}`
			`.TP`
			`.B olcAuditlogNonBlocking: {on\|off}`
			`Open <filename> in non-blocking mode. Useful if <filename> is a named pipe`
			`and slapd should not block if no reader is available.`
ITS#8454 - Add detailed information about auditlog format 2021-02-25 11:39:57 -05:00			`.SH COMMENT FIELD INFORMATION`
			`The first field is the operation type.`
			`.br`
			`The second field is the timestamp of the operation in seconds since epoch.`
			`.br`
			`The third field is the suffix of the database.`
			`.br`
			`The fourth field is the recorded modifiersName.`
			`.br`
			`The fifth field is the originating IP address and port.`
			`.br`
			`The sixth field is the connection number. A connection number of -1`
			`indicates an internal slapd operation.`
(ITS#5245) auditlog man page slapo-auditlog.5 2007-12-03 16:57:32 -05:00			`.SH EXAMPLE`
			`The following LDIF could be used to add this overlay to`
slapo-auditlog: Add olcAuditlogNonBlocking to avoid blocking when logging to named pipes The default behaviour of fopen() when called on a named pipe which does not have any reader, is to block, until a reader opens the pipe. This blocks slapo-auditlog when it attempts to write output. Depending on how critical the audit log is, it may be preferable to discard audit log output and continue processing requests if there's no reader available. For clarity the call to fopen() is removed and replaced with open()/fdopen(), allowing us to specify O_* flags as opposed to using fopen() or open()/fdopen(). 0666 are the base permissions used by fopen() when files are created. 2025-07-01 07:57:08 -04:00			`.B cn=config`
(ITS#5245) auditlog man page slapo-auditlog.5 2007-12-03 16:57:32 -05:00			`(adjust to suit)`
			`.LP`
			`.RS`
			`.nf`
Tweak examples to use back-mdb 2017-02-02 13:43:01 -05:00			`dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config`
(ITS#5245) auditlog man page slapo-auditlog.5 2007-12-03 16:57:32 -05:00			`changetype: add`
			`objectClass: olcOverlayConfig`
			`objectClass: olcAuditLogConfig`
			`olcOverlay: auditlog`
			`olcAuditlogFile: /tmp/auditlog.ldif`
			`.fi`
			`.RE`
			`.LP`
			`.LP`
ITS#8454 - Add detailed information about auditlog format 2021-02-25 11:39:57 -05:00			`.SH EXAMPLE CHANGELOG`
			`.LP`
			`.RS`
			`.nf`
			`# modify 1614223245 dc=example,dc=com cn=admin,dc=example,dc=com IP=[::1]:47270 conn=1002`
			`dn: uid=joepublic,ou=people,dc=example,dc=com`
			`changetype: modify`
			`replace: displayName`
			`displayName: Joe Public`
			`-`
			`replace: entryCSN`
			`entryCSN: 20210225032045.045229Z#000000#001#000000`
			`-`
			`replace: modifiersName`
			`modifiersName: cn=admin,dc=example,dc=com`
			`-`
			`replace: modifyTimestamp`
			`modifyTimestamp: 20210225032045Z`
			`-`
			`# end modify 1614223245`

			`.fi`
			`.RE`
			`.LP`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.SH FILES`
			`.TP`
			`ETCDIR/slapd.conf`
			`default slapd configuration file`
(ITS#5245) auditlog man page slapo-auditlog.5 2007-12-03 16:57:32 -05:00			`.TP`
			`ETCDIR/slapd.d`
			`default slapd configuration directory`
ITS#3691 import auditlog overlay 2005-06-06 23:03:18 -04:00			`.SH SEE ALSO`
(ITS#5245) auditlog man page slapo-auditlog.5 2007-12-03 16:57:32 -05:00			`.BR slapd.conf (5),`
ITS#6023 minor formatting tweaks 2009-06-02 20:43:44 -04:00			`.BR slapd\-config(5).`