Hi all, just curious if anyone can give me a head-start. I'd like to use Splunk to parse Sun's Directory Server access and error logs. I was hoping there would be a pretrained sourcetype or app but haven't found anything.
I can get some very useful info out by default, but I'm also interested in tracking heaviest clients by connections, ops per connection and total elapsed time for ops (etime). When the result includes notes="U", I'd like to know the search's base, filter and client ip.
The access log entries for a single connection look like this:
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=-1 msgId=-1 - fd=49 slot=49 LDAP connection from 10.0.0.2 to 10.0.0.1
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=0 msgId=1 - SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=1 msgId=2 - BIND dn="" method=128 version=2
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=1 msgId=2 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=2 msgId=3 - SRCH base="ou=applications,dc=company,dc=com" scope=2 filter="(&(objectClass=application)(systemName=app1))" attrs=ALL
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
<more ops snipped>
[29/Jan/2011:06:35:30 +0000] conn=13624327 op=21 msgId=22 - SRCH base="ou=applications,dc=company,dc=com" scope=0 filter="(objectClass=*)" attrs="nodeName description host instanceName"
[29/Jan/2011:06:35:30 +0000] conn=13624327 op=21 msgId=22 - RESULT err=0 tag=101 nentries=1889 etime=23 notes=U
[29/Jan/2011:06:35:30 +0000] conn=13624327 op=-1 msgId=-1 - closing - B1
[29/Jan/2011:06:35:30 +0000] conn=13624327 op=-1 msgId=-1 - closed.
Can anyone give me any pointers?
Thanks in advance!
Simon
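Added example, not code from the original post or from Sun or Splunk: a small Python parser over a constructed sample modelled on the lines quoted above. It correlates the three line kinds by conn id (the connection line carries the client IP, SRCH the base and filter, the RESULT with the same conn and op the etime and notes), so it yields connections, ops and total etime per client IP, plus the base, filter and client IP of every search that came back with notes=U. The regexes and the "unknown" client label are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the post (not a real log).
SAMPLE_LOG = """\
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=-1 msgId=-1 - fd=49 slot=49 LDAP connection from 10.0.0.2 to 10.0.0.1
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=0 msgId=1 - SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Jan/2011:06:35:03 +0000] conn=13624327 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=0
[29/Jan/2011:06:35:30 +0000] conn=13624327 op=21 msgId=22 - SRCH base="ou=applications,dc=company,dc=com" scope=0 filter="(objectClass=*)" attrs="nodeName description host instanceName"
[29/Jan/2011:06:35:30 +0000] conn=13624327 op=21 msgId=22 - RESULT err=0 tag=101 nentries=1889 etime=23 notes=U
[29/Jan/2011:06:36:00 +0000] conn=13624400 op=-1 msgId=-1 - fd=50 slot=50 LDAP connection from 10.0.0.3 to 10.0.0.1
[29/Jan/2011:06:36:00 +0000] conn=13624400 op=0 msgId=1 - SRCH base="dc=company,dc=com" scope=2 filter="(uid=bob)" attrs=ALL
[29/Jan/2011:06:36:01 +0000] conn=13624400 op=0 msgId=1 - RESULT err=0 tag=101 nentries=1 etime=1
"""
HEADER = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$')
CONNECT = re.compile(r'LDAP connection from (?P<ip>[\d.]+) to ')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) .*?etime=(?P<etime>\d+)(?: .*?notes=(?P<notes>\w+))?')

def parse_access_log(text):
    # Correlate the three line kinds by conn id: the connection line carries the client IP,
    # SRCH carries base/filter, and the matching RESULT (same conn+op) carries etime and notes.
    conn_ip = {}                 # conn id -> client ip (missing if the connection line was rotated away)
    pending = {}                 # (conn, op) -> SRCH details waiting for their RESULT
    clients = defaultdict(lambda: {"connections": 0, "ops": 0, "etime": 0})
    unindexed = []               # RESULT notes=U: searches the server could not serve from an index
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if c := CONNECT.search(rest):
            conn_ip[conn] = c["ip"]
            clients[c["ip"]]["connections"] += 1
        elif s := SRCH.match(rest):
            pending[(conn, op)] = {"base": s["base"], "scope": int(s["scope"]), "filter": s["filter"]}
        elif r := RESULT.match(rest):
            ip = conn_ip.get(conn, "unknown")
            clients[ip]["ops"] += 1
            clients[ip]["etime"] += int(r["etime"])
            srch = pending.pop((conn, op), None)
            if r["notes"] == "U" and srch:
                unindexed.append({"conn": conn, "client": ip, "etime": int(r["etime"]), **srch})
    return dict(clients), unindexed

def heaviest_clients(clients, key="etime", n=5):
    # Rank client IPs by connections, ops or total etime; adds ops per connection for context.
    rows = [(ip, st, st["ops"] / max(st["connections"], 1)) for ip, st in clients.items()]
    return sorted(rows, key=lambda row: row[1][key], reverse=True)[:n]
```

Results whose connection line sits in an earlier, rotated file are attributed to "unknown", and conn numbers typically restart from zero after a server restart, so correlate within one log file or add the restart time to the key.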