dirxauddecode
Synopsis
dirxauddecode -i audit_log_file
[-a ascii_file]
[-o operation …]
[-G operation_group …]
[-r]
[-d number]
[-A number]
[-p protocol …]
[-c ldap_connection_identifier]
[-C string]
[-F audit_configuration_file]
[-X]
[-k encryption_password | -K encryption_password_file]
[-I record_count]
[-B begin_time]
[-E end_time]
[-S sob_id]
[-N dn]
[-Q cookie]
{[-t IP_address[,IP_address] | -T IP_address[,IP_address]]}
[-u user]
[-b user]
{[-y filtering_DNs_file | -Y ignoring_DNs_file]}
[-D contact_DSA_name]
[-P LDAP_server_name]
[-Z]
[-U]
[-v] |
[-h] |
-V
Purpose
Evaluates a single binary DSA or LDAP server audit log file. Use the dirxaudstatistics command if you want to evaluate more than one audit log file or provide detailed statistical information about the evaluated records.
Options
-i audit_log_file
-
The name of the audit log file to evaluate.
The dirxadm audit command initiates DSA auditing. When auditing is on, the DSA writes binary audit information to the pathname install_path/server/audit/audit.log by default. (The default can be overridden with the dirxadm audit command.)
The dirxadm ldap audit -start command or the configured LDAP server audit configuration subentry initiates LDAP server auditing. When auditing is on, the LDAP server writes audit information to the pathname install_path/ldap/audit/ldapConfiguration/audit.log by default. (The default can be overridden with the LDAP Audit Destination Attribute of the LDAP server audit configuration subentry.)
-a ascii_file
-
Specifies the audit output file. If this option is not used, output is sent to stdout.
-o operation
-
Evaluates only entries of the specified operation. Specify one -o operation option for each operation that should be evaluated; for example, -o add -o modify. The following keywords apply to operation:
-
all - All operations
-
abandon - All abandon operations
-
add - All add operations
-
bind - All bind operations
-
compare - All compare operations
-
moddn - All moddn operations
-
modify - All modify operations
-
search - All search operations
-
unbind - All unbind operations
-
-
The following keywords are only relevant to the evaluation of DSA audit log files. They are ignored when evaluating LDAP server audit log files.
-
abort - All abort operations
-
list - All list operations
-
read - All read operations
-
remove - All remove / delete operations
-
-
The following keywords refer to shadowing protocol operations (DISP) in DSA audit log files:
-
clean_up_shadow_journal
-
consume_delete_entry
-
coord_shadow_update
-
incr_consume_change
-
incr_supply_change
-
req_shadow_update
-
tot_consume_entry
-
tot_supply_entry
-
update_scheduled
-
update_shadow
-
-
The following keywords are only relevant to the evaluation of LDAP server audit log files; they are ignored when evaluating DSA audit log files:
-
delete - All delete operations.
-
extop - All LDAPv3 extended operations; for example, unsolicited notification or startTLS.
-
ldap - All LDAP server operations except other, unknown and RPC operations.
-
other - All unexpected client operations.
-
rpc - All RPC operations.
-
unknown - All unexpected client operations that indicate client misbehavior; for example, closing the socket layer without initiating an LDAP unbind operation.
-
-G operation_group
-
Evaluates only entries of the specified operation group. An operation group consists of multiple operations (see -o). Specify one -G operation group option for each operation group that should be evaluated; for example, -G MODIFICATION -G CONNECTION. The following keywords apply to operation groups:
-
MODIFICATION - add, modify, moddn, remove, delete.
-
READING - read, compare, list, search.
-
SHADOWING - coord_shadow_update, req_shadow_update, update_shadow, update_scheduled, clean_up_shadow_journal, tot_supply_entry, tot_consume_entry, incr_supply_change, incr_consume_change, consume_delete_entry.
-
CONNECTION - bind, unbind, abort, abandon.
-
-
Operation groups can be used in conjunction with operations; for example, -G CONNECTION -o search.
-r
-
Specifies that only records with a result code other than success (0) should be evaluated.
-d number
-
Directs dirxauddecode to print only the first number characters of an LDAP/DAP filter in a search request. The default value is 1000.
-A number
-
Directs dirxauddecode to print only the first number requested attributes of a search request. The default value is 100.
-h
-
Prints a command usage message.
-v
-
Increases the verbosity level of dirxauddecode output. There are three levels of increasing verbosity: specify -v for the first level, specify -vv or -v -v for the second level, and specify -vvv or -v -v -v for the third level.
-V
-
Displays the DirX Directory product version, in the format:
product_version build_id date time
For example:
DirX Directory V9.0 9.4.428 2023:03:23 20:10 64-Bit
The following option is only relevant to the evaluation of DSA audit log files. It is ignored when evaluating LDAP server audit log files.
-p protocol
-
Evaluates only entries of the specified protocol for DSA audit log files. Specify one -p protocol option for each protocol that should be evaluated; for example -p disp -p dsp. The following keywords (case insensitive) apply to protocol:
-
dap - All DAP operations
-
disp - All DISP operations
-
dsp - All DSP operations
-
rpc - All local (RPC) operations
The following options are only relevant to the evaluation of LDAP server audit log files. They are ignored when evaluating DSA server audit log files.
-
-c ldap_connection_identifier
-
Evaluates only records that belong to the LDAP client connection with the specified unique connection identifier.
-C string
-
Directs the dirxauddecode command to evaluate only records that have a session-tracking control value with a SID-Name component that contains the specified string. dirxauddecode does not evaluate records without a session-tracking control value or records where the string does not occur in the SID-Name component of the session-tracking control. For example, dirxauddecode -C WfStatusLogHandler results in an output file that contains only those operations that were issued by an LDAP client that added a session-tracking control whose SID-Name contains the string "WfStatusLogHandler" to the operation.
-F audit_configuration_file
-
Specifies the full pathname of the dirxauddecode configuration file to be used to customize the output for LDAP server audit log files. (See the section dirxauddecode Configuration File in the chapter DirX Directory Files for details.)
-X
-
Displays a list of available commands for the dirxauddecode configuration file. (See the section dirxauddecode Configuration File in the chapter DirX Directory Files for details.)
-k encryption_password
-
Specifies the password that is required to evaluate and decrypt an encrypted audit log file. The dirxauddecode command automatically detects whether the audit log file is encrypted. If no key or an incorrect key is specified for an encrypted audit log file, the evaluation process is terminated and an error message is written to stderr.
-K encryption_password_file
-
Specifies the path to a file containing the password that is required to evaluate and decrypt an encrypted audit log file (see the -k option). The password must be the only content of this file. When creating the file, the password must be specified in plain ASCII format. After the first successful reading by the application, the password is symmetrically encrypted and the file is rewritten to provide protected local storage.
-I record_count
-
(The option letter is an uppercase "i".) Specifies the number of audit records after which dirxauddecode issues a progress report during LDAP server audit log file processing. The default value is 5000. A value of 0 specifies no progress reporting.
-B begin_time
-
Specifies that the dirxauddecode command evaluates only records created after the specified time. Specify the value in the format YYYYMMDDhhmmss; for example, 20120617123000. The value represents the local time saved as the creation time stamp of an operation in the evaluated audit log file.
-E end_time
-
Specifies that the dirxauddecode command evaluates only records created before the specified time. Specify the value in the format YYYYMMDDhhmmss; for example, 20120618123000. The value represents the local time saved as the creation time stamp of an operation in the evaluated audit log file.
-S sob_id
-
Specifies that the dirxauddecode command evaluates only records that do not contain an agreement id or contain an agreement id and match the specified sob_id. This option is particularly useful when combined with the -G SHADOWING option.
-N dn
-
Specifies that the dirxauddecode command evaluates only records that match the specified dn. Whether or not a record matches the specified dn depends on the record type:
-
ADD, MODIFY, MODDN, DELETE, COMPARE - The record is evaluated if the target entry name of the operation matches the specified dn.
-
SEARCH - The record is evaluated if the base object name matches the specified dn and the scope of the search is baseobject.
-
BIND - The record is evaluated if the bind user name matches the specified dn.
-
All other record types - The record never matches.
-
-
Specify multiple -N options to filter the evaluated records for multiple distinguished names; for example -N dn1 -N dn2. The value of dn is case-insensitive.
Examples:
-
-N cn=myentry,o=my-company -o add -o modify -o delete
evaluates all LDAP records with add, modify and delete operations for the object cn=myentry,o=my-company.
-
-N cn=myuser,o=my-company -o bind
evaluates all LDAP records with bind operations for the user cn=myuser,o=my-company.
-
-N /o=my-company/cn=myentry -o search
evaluates all DAP records with search operations for the object /o=my-company/cn=myentry and the scope baseobject.
-Q cookie
-
Specifies that the dirxauddecode command evaluates only records for which the paged-result cookie is present. The cookie must be specified as a hex-value string like 80000001 (the same as in audit-output). For example, -Q 80000001 evaluates all records that have a cookie 80000001. If the cookie-string is ANY, then all records that have a cookie are evaluated no matter what the value is.
-t IP_address[,IP_address]
-
Specifies that the dirxauddecode command evaluates only those records in the audit log file whose client IP address matches the specified IP address. Separate multiple IP addresses with a comma; for example, -t 127.0.0.1,192.10.1.20,192.10.1.30. Use the wildcard (*) to specify an IP submask; for example, -t 127.*.1,192.*.1.20,192.10.1.3. Either the -t or the -T option can be used; using both options fails.
-T IP_address[,IP_address]
-
Specifies that the dirxauddecode command does not evaluate records in the audit log file whose client IP addresses match one or more specified IP addresses. The IP addresses specified must be Internet Protocol Version 4 (IPv4) addresses. Separate multiple IP addresses with a comma; for example, -T 127.0.0.1,192.10.1.20,192.10.1.30. Use the wildcard (*) to specify an IP submask; for example, -T 127.*.1,192.*.1.20,192.10.1.3. Either the -T or the -t option can be used; using both options fails.
-u user
-
Specifies that the dirxauddecode command evaluates only those records in the audit log file that match the specified user. Specify the distinguished name of the user in LDAP format (case sensitive). (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds in DirX Directory Syntaxes and Attributes for details.) An empty string ("") specifies the anonymous user.
-b user
-
Specifies that the dirxauddecode command evaluates only those records in the audit log file that match the specified user. Specify the distinguished name of the user in LDAP format. This option is equivalent to the -u option, except that the match is performed case-insensitively. (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds in DirX Directory Syntaxes and Attributes for details.) An empty string ("") specifies the anonymous user.
-y filtering_DNs_file
-
Specifies the name of a file that contains a list of DNs. The dirxauddecode command evaluates only those records in the audit log file that match one of the specified users. Specify the distinguished names of the users in LDAP format (case insensitive). (See the section Distinguished Names in the chapter DirX Directory String Representation for LDAP Binds in DirX Directory Syntaxes and Attributes for details.) The string anonymous specifies the anonymous user. You can use the wildcard (*) for RDNs.
In the file filtering_DNs_file, blank lines and lines starting with the # character are ignored. Each line can contain one DN. Here is an example file:
# Evaluate all records containing the following users:
cn=Schulz,ou=Sales,o=My-Company
cn=Abele,ou=Development,o=My-Company
# Evaluate all records under o=My-Company with cn Mayer or Meier:
cn=Mayer,*,o=My-Company
cn=Meier,*,o=My-Company
# Evaluate all records of anonymous users:
anonymous
Either the -y or the -Y option can be used; using both options fails.
-Y ignoring_DNs_file
-
Specifies the name of a file that contains a list of DNs. The dirxauddecode command excludes all records in the audit log file from the result that match one of the specified users. The syntax of this option is the same as the syntax of the -y filtering_DNs_file option.
Either the -Y or the -y option can be used; using both options fails.
-D contact_DSA_name
-
Specifies that the dirxauddecode command evaluates only those records in the audit log file whose contact DSA matches contact_DSA_name. For LDAP records, contact_DSA_name must match the DSA naming in the LDAP server configuration file dirxldap.cfg. For DAP records, contact_DSA_name must match the subordinate or superior reference DN. The default is all target servers.
-P LDAP_server_name
-
Specifies that the dirxauddecode command evaluates only those records in the audit log file whose LDAP_server_name matches the target server. LDAP_server_name must match JSON naming. The default value is all target servers. This option is only applicable when evaluating PROXY audits.
-U
-
Specifies that UTF-8 code is written to the user output file. If an attribute value is not UTF-8-encoded, the value is written in hexadecimal code to the user file. If this option is omitted, ASCII code is written to the user output file.
-Z
-
Specifies that CSV code with a limited number of fields is written to the user output file. The supported fields are UniqueID, StartTime, Duration, OpType. Here is an example output file:
UniqueID, StartTime, Duration, OpType
1, 2012/11/28 10:15:30.852999, 0.110000, BIND
Description
The dirxauddecode command evaluates DSA and LDAP server audit log files and generates customized output (for LDAP server audit log files only; see the -X and -F options) or human-readable ASCII-formatted output to stdout or to the file specified in the -a option. The generated output identifies all incoming protocol requests, their detailed operation parameters and the result code for each operation. The output also contains operational information such as durations, threading information and error messages that can be used to diagnose the running system or tune DirX Directory. The output does not contain any entry information that read and search operations return; for example, attribute values or distinguished names of entries that satisfy the search filter.
The output usually contains a header, 1-n audit records and a summary. The LDAP audit header contains useful information about server settings and configuration parameters. It also contains information about attribute indexes (which indexes are set and how often they are used) from the DSA. The audit records are complete; that is, no operations are lost unless operation filtering has been enabled with the -o operation option. However, the audit records are not guaranteed to be written in the same sequence as the server (LDAP and DSA) operations. When evaluating an LDAP audit log file with dirxauddecode, you can determine the sequence of the LDAP server operations from the operation name, which has the format:
-
LDAP_Con<client_number>_Op<operation_number>
where
-
client_number specifies the client connection
-
operation_number specifies the operation
Both numbers start with the value 0 (zero) and are incremented by 1 for each new client connection or operation. For example, LDAP_Con5_Op3 identifies the fourth operation of the sixth client connection.
You can use the -h option to display a usage message for the command.
Limit your DSA and LDAP server audit log files to a useful size: the dirxauddecode command may run into a deadlock when the binary audit log file or the output file specified in the -a option exceeds 2 GB, because its 32-bit I/O mechanism fails on files larger than 2 GB. (See the dirxadm audit reference page for information on how to limit the DSA audit log file size and the sections LDAP Audit Size Limit and LDAP Audit Max File Size in DirX Directory Syntaxes and Attributes for information on how to limit the LDAP audit log file size.) Note that the ASCII output files may become five to ten times larger than the binary audit log files, so a binary log of a few hundred megabytes can already produce an output file that exceeds this limit.
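The following script is an added example; it is not part of the DirX Directory documentation or product. It parses the per-operation key/value records that dirxauddecode writes for an LDAP server audit log (the record layout shown in the Examples section below), restores the per-connection operation order from the Op-Name as described above, reports gaps in a connection's operation numbers (a sign that the decoded file was produced with -o filtering or is incomplete), and lists binds that did not succeed together with the client address, which is the same selection that -r -o bind makes on the binary log. The embedded records are constructed for the example and reduced to the fields the script reads; the result code 49 (invalidCredentials) is the standard LDAP code and is not output taken from this page.

```python
import re
from collections import defaultdict

# Constructed sample in the record layout dirxauddecode prints for LDAP audit
# logs: one "OPERATION nnnnnn" rule per record, then "Key :value" lines.
# The records are deliberately not in creation order, and Con3 lacks Op1.
SAMPLE = """\
----------------- OPERATION 000032 ----------------
Create Time :Thu Nov 29 10:38:07.190000 2012
User :cn=admin,o=my-company
IP+Port+Sd :[127.0.0.1]+4709+556
Op-Name :LDAP_Con2_Op1
Operation :SEARCH
Result Code :0 (success)
----------------- OPERATION 000031 ----------------
Create Time :Thu Nov 29 10:38:00.908999 2012
User :cn=admin,o=my-company
IP+Port+Sd :[127.0.0.1]+4709+556
Op-Name :LDAP_Con2_Op0
Operation :BIND
Result Code :0 (success)
----------------- OPERATION 000040 ----------------
Create Time :Thu Nov 29 10:40:02.000000 2012
User :cn=guest,o=my-company
IP+Port+Sd :[10.93.25.149]+51002+600
Op-Name :LDAP_Con3_Op0
Operation :BIND
Result Code :49 (invalidCredentials)
----------------- OPERATION 000042 ----------------
Create Time :Thu Nov 29 10:40:03.000000 2012
User :cn=guest,o=my-company
IP+Port+Sd :[10.93.25.149]+51002+600
Op-Name :LDAP_Con3_Op2
Operation :UNBIND
Result Code :0 (success)
"""

RECORD_RULE = re.compile(r"^-+ OPERATION (\d+) -+$")
KEY_VALUE = re.compile(r"^([^:]+?)\s*:(.*)$")      # key has no colon; value may
OP_NAME = re.compile(r"^LDAP_Con(\d+)_Op(\d+)$")


def parse_records(text):
    """Split decoded output into records, each a dict of its key/value lines."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RULE.match(line)
        if m:
            current = {"_record": int(m.group(1))}
            records.append(current)
            continue
        m = KEY_VALUE.match(line)
        if current is not None and m:      # header lines before the first record are skipped
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def op_index(record):
    """(client_number, operation_number) from an Op-Name such as LDAP_Con5_Op3."""
    m = OP_NAME.match(record.get("Op-Name", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def result_code(record):
    """Numeric result code from a line such as 'Result Code :49 (invalidCredentials)'."""
    return int(record.get("Result Code", "-1").split()[0])


def client_ip(record):
    """Client address from 'IP+Port+Sd :[127.0.0.1]+4709+556'."""
    m = re.match(r"\[([^\]]+)\]", record.get("IP+Port+Sd", ""))
    return m.group(1) if m else None


def order_by_connection(records):
    """Restore per-connection operation order from Op-Name; records are not written in sequence."""
    by_con = defaultdict(list)
    for rec in records:
        idx = op_index(rec)
        if idx:
            by_con[idx[0]].append(rec)
    return {con: sorted(ops, key=op_index) for con, ops in by_con.items()}


def sequence_gaps(ordered):
    """Operation numbers missing per connection; an unfiltered log should have none."""
    gaps = {}
    for con, ops in ordered.items():
        seen = {op_index(r)[1] for r in ops}
        missing = [n for n in range(max(seen) + 1) if n not in seen]
        if missing:
            gaps[con] = missing
    return gaps


def failed_binds(records):
    """(client_ip, bind_user, result_code) for every BIND that did not succeed."""
    return [(client_ip(r), r.get("User"), result_code(r))
            for r in records if r.get("Operation") == "BIND" and result_code(r) != 0]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    ordered = order_by_connection(recs)
    for con, ops in sorted(ordered.items()):
        print("Con%d:" % con, [r["Op-Name"] + " " + r["Operation"] for r in ops])
    print("gaps:", sequence_gaps(ordered))
    print("failed binds:", failed_binds(recs))
```

To use it on a real decoded file, pass the text of the -a output file to parse_records (read it as UTF-8 if the file was produced with -U, otherwise as ASCII). The parser keys on the record rule and the "Key :value" layout only, so the extra timing and context-size fields that -v adds are carried along in each record dict without changing the logic.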
Examples
-
The following sample command evaluates a DSA audit file:
% dirxauddecode -i audit.log -a dsa_audit.txt
The sample command output written to the output file dsa_audit.txt is as follows:
################# DIR.X AUDIT TRAIL (c) Eviden ################################
Cmd-Line: -i audit.log -a dsa_audit.txt
=================================================================================
Audit File # :1
Input File :audit.log
Output File :dsa_audit.txt
Audit Version :8.8
Server UUID :a5857937-1caa-4b72-80b4-722dc5db0cd0
Audit Start Time (local) :Thu Nov 29 10:21:13 2012
Audit Start Time (GMT) :Thu Nov 29 09:21:13 2012
Content Type :DSA
DB Master-Entries :0
DB Copy-Entries :1573
Server Version :DirX Directory V8.2 B 8.8.98 2012:11:28 20:10
Host Name :baumg03
=================================================================================
############# RECORD NUMBER 000226 #############
Bind-Id: 0x00100007
Start Time: Thu Nov 29 10:38:00.971999 2012
End Time: Thu Nov 29 10:38:00.971999 2012
Concurrency: 1
BT Usage: 8 Conns, 1 Ops
Duration: 0.000000 sec
Protocol: DAP (Responder)
OP-Name: Con16_Op0
Operation: BIND
Role: Responder
AuthMech: Simple
Bind-Requestor: /O=my-company/CN=admin
IP-address: 10.93.25.149
OpResCTXSize: 32 kB
TotalCTXSize: 7 MB (HWM: 9 MB)
Result: Successful (Size 0 Bytes)
########## END RECORD NUMBER 000226 ############
############# RECORD NUMBER 000227 #############
OpUUID: e792d1c7-7090-483d-b759-ae8afadfefbc
Bind-Id: 0x00100007
Start Time: Thu Nov 29 10:38:07.190000 2012
End Time: Thu Nov 29 10:38:07.377000 2012
Concurrency: 1
BT Usage: 8 Conns, 1 Ops
Duration: 0.187000 sec
Protocol: DAP (Responder)
OP-Name: Con16_Op1
Operation: SEARCH
Base-Object: /O=My-Company
Scope: subtree
Filter: (cn=*bel*)
Options: PrefCh CopyShallDo
Found Entries: 16 (16 local, 0 remote)
OpResCTXSize: 144 kB
TotalCTXSize: 7 MB (HWM: 9 MB)
Result: Successful (Size 1412 Bytes)
########## END RECORD NUMBER 000227 ############
############# RECORD NUMBER 000228 #############
OpUUID: 5843680b-8550-401f-80aa-001e6cefd236
Bind-Id: 0x00100007
Start Time: Thu Nov 29 10:38:20.923000 2012
End Time: Thu Nov 29 10:38:20.923000 2012
Concurrency: 1
BT Usage: 8 Conns, 1 Ops
Duration: 0.000000 sec
Protocol: DAP (Responder)
OP-Name: Con16_Op2
Operation: SEARCH
Base-Object: /O=My-Company
Scope: subtree
Filter: (userCertificate:2.5.13.34:={ serialNumber 30, issuer rdnSequence:"/O=pqrupmann01/CN=admin" })
Options: PrefCh CopyShallDo
Found Entries: 0 (0 local, 0 remote)
OpResCTXSize: 80 kB
TotalCTXSize: 7 MB (HWM: 9 MB)
Result: Successful (Size 12 Bytes)
########## END RECORD NUMBER 000228 ############
############# RECORD NUMBER 000229 #############
OpUUID: 9c6f7905-d6b5-4873-815f-3b8066fdd087
Bind-Id: 0x00100007
Start Time: Thu Nov 29 10:38:23.782000 2012
End Time: Thu Nov 29 10:38:23.891999 2012
Concurrency: 1
BT Usage: 8 Conns, 1 Ops
Duration: 0.109999 sec
Protocol: DAP (Responder)
OP-Name: Con16_Op3
Operation: SEARCH
Base-Object: /O=My-Company
Scope: subtree
Filter: (userCertificate:2.5.13.34:={ serialNumber 30, issuer rdnSequence:"/O=pqrupmann02/CN=admin" })
Options: PrefCh CopyShallDo
Found Entries: 198 (198 local, 0 remote)
OpResCTXSize: 1104 kB
TotalCTXSize: 8 MB (HWM: 9 MB)
Result: Successful (Size 16527 Bytes)
########## END RECORD NUMBER 000229 ############
############# RECORD NUMBER 000230 #############
OpUUID: d81ec15c-7c7f-401a-acdf-007883ab7215
Bind-Id: 0x00100007
Start Time: Thu Nov 29 10:39:18.496000 2012
End Time: Thu Nov 29 10:39:18.542999 2012
Concurrency: 1
BT Usage: 8 Conns, 1 Ops
Duration: 0.046999 sec
Protocol: DAP (Responder)
OP-Name: Con16_Op4
Operation: MODIFY
Entry: /O=My-Company/OU=Payroll/CN=Kary Leary
# Changes: 1
ModType: addVals
AttrType: title
AttrVal: Dr.
OpResCTXSize: 48 kB
TotalCTXSize: 7 MB (HWM: 9 MB)
Result: Successful (Size 2 Bytes)
########## END RECORD NUMBER 000230 ############
=================================================================================
DSA Audit Summary :
Records Processed : 233
Log Time : 1391 sec
Avrg Traffic : 0.2 Ops/sec
Concurrency Max : 2 (5 times) (Op# 000096)
CtxSize Min/Max : 7 / 9 MB
CtxSize HWM Min/Max : 7 / 9 MB
Protocol Ops :
DAP Ops : 229
Search : 196
Modify : 1
Bind : 16 (0 Init, 16 Resp)
Unbind : 4
ExtendedOp : 6
Abort : 6
DSP Ops : 1
Abort : 1
DISP Ops : 0
DOP Ops : 0
LOCAL Ops : 0
RPC Ops : 0
PagingCookieExpired : 0
UNKNOWN Ops : 0
DAP Op Statistics : tot | err | % | t Avrg | t Max | t Min
Search : 196 | 0 | 85.2 | 0.007959 | 0.187000 | 0.000000
Modify : 1 | 0 | 0.4 | 0.046999 | 0.046999 | 0.046999
Bind : 16 | 0 | 7.0 | 0.002938 | 0.016000 | 0.000000
Unbind : 4 | 0 | 1.7 | 0.000000 | 0.000000 | 0.000000
Abort : 6 | 0 | 2.6 | 0.000000 | 0.000000 | 0.000000
Extended : 6 | 0 | 2.6 | 0.002500 | 0.015001 | 0.000000
DSP Op Statistics : tot | err | % | t Avrg | t Max | t Min
Abort : 1 | 0 | 0.4 | 0.000000 | 0.000000 | 0.000000
DISP Op Statistics : tot | err | % | t Avrg | t Max | t Min
RPC Op Statistics : tot | err | % | t Avrg | t Max | t Min
Top 100 Durations:
Duration | StartTime | EndTime | Op# | CC | CTXSize | Prot | Type/Info
0.187000 | 10:38:07.190000 | 10:38:07.377000 | 000227 | 1 | 7 | DAP | SEARCH n/a
0.109999 | 10:38:23.782000 | 10:38:23.891999 | 000229 | 1 | 8 | DAP | SEARCH n/a
0.046999 | 10:35:21.003000 | 10:35:21.049999 | 000203 | 1 | 7 | DAP | SEARCH n/a
0.046999 | 10:39:18.496000 | 10:39:18.542999 | 000230 | 1 | 7 | DAP | MODIFY n/a
0.031999 | 10:35:20.815000 | 10:35:20.846999 | 000202 | 1 | 7 | DAP | SEARCH n/a
0.031001 | 10:35:48.154999 | 10:35:48.186000 | 000217 | 1 | 7 | DAP | SEARCH n/a
0.030999 | 10:35:32.266000 | 10:35:32.296999 | 000208 | 1 | 9 | DAP | SEARCH n/a
0.016001 | 10:25:49.157999 | 10:25:49.174000 | 000114 | 1 | 7 | DAP | SEARCH n/a
0.016001 | 10:35:21.111999 | 10:35:21.128000 | 000204 | 1 | 7 | DAP | SEARCH n/a
0.016001 | 10:25:49.407999 | 10:25:49.424000 | 000135 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.427000 | 10:21:28.443000 | 000053 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.739000 | 10:21:28.755000 | 000086 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.832999 | 10:21:28.848999 | 000089 | 1 | 7 | DAP | BIND n/a
0.016000 | 10:25:48.438999 | 10:25:48.454999 | 000103 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.707999 | 10:21:28.723999 | 000082 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.536000 | 10:21:28.552000 | 000066 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.111000 | 10:25:49.127000 | 000110 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.614000 | 10:21:28.630000 | 000071 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:27.552000 | 10:21:27.568000 | 000004 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.220000 | 10:25:49.236000 | 000119 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.266999 | 10:25:49.282999 | 000123 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.313999 | 10:25:49.329999 | 000127 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.361000 | 10:25:49.377000 | 000131 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.161000 | 10:21:28.177000 | 000023 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.470000 | 10:25:49.486000 | 000140 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.516999 | 10:25:49.532999 | 000144 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.052000 | 10:21:28.068000 | 000010 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.141999 | 10:25:49.157999 | 000113 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.611000 | 10:25:49.627000 | 000152 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.720000 | 10:25:49.736000 | 000161 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.766999 | 10:25:49.782999 | 000165 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.861000 | 10:25:49.877000 | 000169 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.970000 | 10:25:49.986000 | 000178 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:50.016999 | 10:25:50.032999 | 000182 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:50.063999 | 10:25:50.079999 | 000186 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:35:19.783999 | 10:35:19.799999 | 000198 | 1 | 7 | DAP | BIND n/a
0.016000 | 10:21:28.207999 | 10:21:28.223999 | 000028 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.563999 | 10:25:49.579999 | 000148 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.286000 | 10:21:28.302000 | 000037 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.595000 | 10:25:49.611000 | 000151 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:35:39.124000 | 10:35:39.140000 | 000213 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:35:39.326999 | 10:35:39.342999 | 000215 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.302000 | 10:21:28.318000 | 000039 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:35:54.309999 | 10:35:54.325999 | 000219 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.082999 | 10:21:28.098999 | 000014 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:25:49.095000 | 10:25:49.111000 | 000109 | 1 | 7 | DAP | SEARCH n/a
0.016000 | 10:21:28.364000 | 10:21:28.380000 | 000046 | 1 | 7 | DAP | SEARCH n/a
0.015999 | 10:35:19.831000 | 10:35:19.846999 | 000199 | 1 | 7 | DAP | SEARCH n/a
0.015999 | 10:21:28.630000 | 10:21:28.645999 | 000073 | 1 | 7 | DAP | SEARCH n/a
0.015999 | 10:21:28.130000 | 10:21:28.145999 | 000019 | 1 | 7 | DAP | SEARCH n/a
0.015999 | 10:21:28.380000 | 10:21:28.395999 | 000048 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:25:50.454999 | 10:25:50.470000 | 000192 | 1 | 7 | DAP | BIND n/a
0.015001 | 10:25:50.954999 | 10:25:50.970000 | 000197 | 1 | 7 | DAP | EXTENDEDOP n/a
0.015001 | 10:25:49.704999 | 10:25:49.720000 | 000160 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:25:49.454999 | 10:25:49.470000 | 000139 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:35:19.862999 | 10:35:19.878000 | 000200 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:25:49.204999 | 10:25:49.220000 | 000118 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:28.223999 | 10:21:28.239000 | 000030 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:28.473999 | 10:21:28.489000 | 000059 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:27.520999 | 10:21:27.536000 | 000003 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:28.723999 | 10:21:28.739000 | 000084 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:25:49.954999 | 10:25:49.970000 | 000177 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:28.145999 | 10:21:28.161000 | 000021 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:28.395999 | 10:21:28.411000 | 000050 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:21:28.645999 | 10:21:28.661000 | 000075 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:25:49.329999 | 10:25:49.345000 | 000128 | 1 | 7 | DAP | SEARCH n/a
0.015001 | 10:25:48.454999 | 10:25:48.470000 | 000104 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.252000 | 10:25:49.266999 | 000122 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.424000 | 10:25:49.438999 | 000136 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:21:28.068000 | 10:21:28.082999 | 000012 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:21:28.443000 | 10:21:28.457999 | 000055 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:50.002000 | 10:25:50.016999 | 000181 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:50.049000 | 10:25:50.063999 | 000185 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.549000 | 10:25:49.563999 | 000147 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:35:35.219000 | 10:35:35.233999 | 000210 | 1 | 9 | DAP | SEARCH n/a
0.014999 | 10:25:49.502000 | 10:25:49.516999 | 000143 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.877000 | 10:25:49.891999 | 000170 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.299000 | 10:25:49.313999 | 000126 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:35:54.295000 | 10:35:54.309999 | 000218 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.924000 | 10:25:49.938999 | 000174 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.174000 | 10:25:49.188999 | 000115 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.377000 | 10:25:49.391999 | 000132 | 1 | 7 | DAP | SEARCH n/a
0.014999 | 10:25:49.627000 | 10:25:49.641999 | 000153 | 1 | 7 | DAP | SEARCH n/a
########################## END of TRAIL #######################################
-
The following sample command evaluates an LDAP server audit file:
% dirxauddecode -i audit.log -vv -a ldap_audit.txt
The sample command output written to the output file ldap_audit.txt is as follows:
################# DIR.X AUDIT TRAIL (c) Eviden ################################
Cmd-Line: -i audit.log -vv -a ldap_audit.txt
=================================================================================
Audit File # :1
Input File :audit.log
Output File :ldap_audit.txt
Audit Version :8.8
Server UUID :8360a2ac-b7e2-407a-aca9-0450d9e98ec9
Audit Start Time (local) :Thu Nov 29 10:25:50 2012
Audit Start Time (GMT) :Thu Nov 29 09:25:50 2012
Audit Close Time (local) :not closed (still in use!)
Content Type :LDAP
OpSelection :all
OpErrors :yes
Audit Level :max
Audit Encryption :none
Overflow Action: :wrap around (default)
Max Records per File :10000
Value Limit :256
DB Master-Entries :0
DB Copy-Entries :1573
OS Name :Microsoft Windows XP Professional- Service Pack 3 (build 2600)
Total Phys Memory :3062 MB
Avail Phys Memory :2047 MB
Allocated CTX Size :8 MB
HWM CTX Size :8 MB
CTX ULimit :1600 MB
MemPagesize :4096
CPUs :2
Max Open Files soft :unlimited
Max Open Files hard :unlimited
Audit Disk Space Total :57143172 kB
Audit Disk Space Free :14593344 kB
PID :2384
Host Name :baumg03
Host IP :10.93.25.149
Server Version :DirX Directory V8.2 B 8.8.98 2012:11:28 20:10 32-Bit
Server Type :Frontend Server
Server Mode :Read/Write
Contact DSA :TS=DSA1,NA='TCP/IP_IDM!internet=1.2.3.4+port=21200',DNS='(HOST=baumg03,SSLPORT=21201,PLAINPORT=21200,MODE=SSL)'
Backend Sharing :disabled
Max DAP Share :5
Anonymous Allowed :yes
Anonymous Mapped DN :---
SSL Encryption :SSLv3.0 TLSv1.0 TLSv1.1 TLSv1.2
SSL SASL AuthID Mapping :Certificate.subjectDN
startTLS enabled :yes
Server Start Time :Thu Nov 29 10:25:47 2012
Configuration Name :ldapConfiguration
ClCfg File :C:\Program Files\DirX\Directory\ldap\conf\dirxldap.cfg
Ldap Port :389
SSL Port :636
RPC Port :6999
Max Conn :1024
Client Idle Time :300
Backend unbind delay time :0
TCP/IP Response Mode :24
Socket Mode :async
Thread Pool Size :32
Anonym DAP Pool Size :5
DN Escape Mode :backslash
Search Size Limit :0
Search Time Limit :0
Search Service Controls :PreferChaining CopyShallDo
Supported LDAP Controls :PR SSS SUBE PP
Blackbox Size :0
Cache :OFF
Cached Results :0
Cache Hit Ratio :0%
Allowed IPs :all
Denied IPs :none
Allowed Users :all
Denied Users :none
Ignore Records with IP :---
=================================================================================
DB-Index-Info: (AttrIndexUsageInfo is updated by DSA every 30 min)
Attr: objectClass : initial
Attr: ocl : initial
Attr: cn : initial final
Attr: commonName : initial final
Attr: sn : initial final
Attr: surname : initial final
Attr: c : initial final
Attr: countryName : initial final
Attr: o : initial final
Attr: organizationName : initial final
Attr: collectiveOrganizationName : initial final
Attr: ou : initial final
Attr: organizationalUnitName : initial final
Attr: collectiveOrganizationalUnitName : initial final
Attr: userCertificate : initial present
Attr: uc : initial present
AttrIndexUsageInfo: Attribute access counter high score at Thu Nov 29 10:21:16 2012 :
Attribute name : Index access counter : INITIAL FINAL CONTAINS PRESENT
cn : 752 0 0 0
objectClass : 5 0 0 0
sn : 0 2 0 0
userCertificate : 2 0 0 1
o : 0 0 0 0
ou : 0 0 0 0
=================================================================================
----------------- OPERATION 000031 ----------------
Create Time :Thu Nov 29 10:38:00.908999 2012
Start Time :Thu Nov 29 10:38:00.908999 2012
End Time :Thu Nov 29 10:38:00.986999 2012
PoolThread# :28 (0x15bc)
OpUUID :6c940e2c-8969-427e-aaf4-cb772088291f
Concurrency :1
OpStackSize :1
OpFlow In/Out :0/0
Duration :0.078000 sec
LDAP QTime :0.000000 sec
LDAP Prep Time:0.000000 sec
LDAP Resp Time:0.000000 sec
LDAP Snd Time:0.000000 sec (1 Calls, 0 Wouldblocks, WouldblockTime:0.000000 sec)
LDAP Enc Time:0.000000 sec
API Time :0.078000 sec
API-Send :0.000000 sec
API-ICOM Wait :0.062999 sec
IDM Time :0.062999 sec
DSA Time :0.000000 sec
API-Recv :0.015000 sec
API-Dec :0.000000 sec
User :cn=admin,o=my-company
IP+Port+Sd :[127.0.0.1]+4709+556
Op-Name :LDAP_Con2_Op0
UniqueOpID :31
Operation :BIND
Version :3
MessageID :1
Bind-Type :simple
Security :normal
DAP-Share-Count:1
Bytes Received :39
Bytes Returned :29
Socket I/O :plain
Abandoned :no
Result Code :0 (success)
Error Message :Bind succeeded.
----------------- OPERATION 000032 ----------------
Create Time :Thu Nov 29 10:38:07.190000 2012
Start Time :Thu Nov 29 10:38:07.190000 2012
End Time :Thu Nov 29 10:38:07.392999 2012
PoolThread# :30 (0x1460)
OpUUID :e792d1c7-7090-483d-b759-ae8afadfefbc
Concurrency :1
OpStackSize :1
OpFlow In/Out :0/0
Duration :0.202999 sec
LDAP QTime :0.000000 sec
LDAP Prep Time:0.000000 sec
LDAP Resp Time:0.000000 sec
LDAP Snd Time:0.000000 sec (17 Calls, 0 Wouldblocks, WouldblockTime:0.000000 sec)
LDAP Enc Time:0.000000 sec
API Time :0.202999 sec
API-Send :0.000000 sec
API-ICOM Wait :0.202999 sec
IDM Time :0.015999 sec
DSA Time :0.187000 sec
API-Recv :0.000000 sec
API-Dec :0.000000 sec
User :cn=admin,o=my-company
IP+Port+Sd :[127.0.0.1]+4709+556
Op-Name :LDAP_Con2_Op1
UniqueOpID :32
Operation :SEARCH
Version :3
MessageID :2
Base Obj :o=My-Company
Scope :subtree
Filter :(cn=ANY(bel))
Size Limit :0
Time Limit :0
Deref Alias :always
Types Only :no
Req Attr # :1
Req Attr :1.1 (no attributes)
Found Entries :16
Found Attrs :0
Found Values :0
Op Ctx Size :114688 Bytes
API Ctx Size :81920 Bytes
All Ctx Size :8 MB
Bytes Received :56
Bytes Returned :992
Socket I/O :plain
Cached Result :no
Abandoned :no
Result Code :0 (success)
Error Message :Search succeeded. Found 16 Entries (0 Aliases), 0 Attributes, 0 Values. (ChainedResult=no)
----------------- OPERATION 000033 ----------------
Create Time :Thu Nov 29 10:38:20.923000 2012
Start Time :Thu Nov 29 10:38:20.923000 2012
End Time :Thu Nov 29 10:38:20.923000 2012
PoolThread# :0 (0x824)
OpUUID :5843680b-8550-401f-80aa-001e6cefd236
Concurrency :1
OpStackSize :1
OpFlow In/Out :0/0
Duration :0.000000 sec
LDAP QTime :0.000000 sec
LDAP Prep Time:0.000000 sec
LDAP Resp Time:0.000000 sec
LDAP Snd Time:0.000000 sec (1 Calls, 0 Wouldblocks, WouldblockTime:0.000000 sec)
LDAP Enc Time:0.000000 sec
API Time :0.000000 sec
User :cn=admin,o=my-company
IP+Port+Sd :[127.0.0.1]+4709+556
Op-Name :LDAP_Con2_Op2
UniqueOpID :33
Operation :SEARCH
Version :3
MessageID :3
Base Obj :o=My-Company
Scope :subtree
Filter :(UserCertificate:2.5.13.34:=30$cn=admin,o=pqrupmann01)
Size Limit :0
Time Limit :0
Deref Alias :always
Types Only :no
Req Attr # :1
Req Attr :1.1 (no attributes)
Found Entries :0
Op Ctx Size :32768 Bytes
API Ctx Size :16384 Bytes
All Ctx Size :8 MB
Bytes Received :103
Bytes Returned :103
Socket I/O :plain
Cached Result :no
Abandoned :no
Result Code :0 (success)
Error Message :Search succeeded. Found 0 Entries (0 Aliases), 0 Attributes, 0 Values. (ChainedResult=no)
...
================================================================================= LDAP Audit Summary: Records Processed : 39 Total Ops Written : 39 Out-Of-Time Ops : 0 Ldap Bytes In : 9906 Ldap Bytes Out : 940342 Successful Ops : 35 Failed Ops : 4 Abandoned Ops : 3 SrchRes 0kB-1kB : 19 SrchRes 1kB-10kB : 4 SrchRes 10kB-100kB: 2 SrchRes 100kB-1MB : 1 SrchRes > 1MB : 0 Srch Scope Base : 12 Srch Scope Onelvl : 11 Srch Scope Subtree: 3 Paged Searches : 11 Found Entries : 362 Found Attributes : 253 Found Values : 873 Log Time : 337 sec Avrg Traffic : 0.1 Ops/sec Duration 0-1ms : 10 Ops Duration 1-10ms : 0 Ops Duration 10-100ms : 19 Ops Duration 100ms-1s : 4 Ops Duration >1s : 6 Ops Duration Max : 7.201999 sec (Op# 000010) Concurrency Max : 3 (1 times) (Op# 000013) Avrg Concurrency : 1 Op Statistics : tot | ok | err | % | t Avrg | t Max | t Min | Std-Dev Binds : 4 | 4 | 0 | 10.3 | 0.074250 sec | 0.218999 sec | 0.000000 sec | 0.103267 Searches : 26 | 26 | 0 | 66.7 | 0.544346 sec | 7.201999 sec | 0.000000 sec | 1.562088 Modifys : 1 | 1 | 0 | 2.6 | 0.062000 sec | 0.062000 sec | 0.062000 sec | 0.000000 Unbinds : 2 | 2 | 0 | 5.1 | 0.000000 sec | 0.000000 sec | 0.000000 sec | 0.000000 Abandons : 3 | 0 | 3 | 7.7 | 2.109000 sec | 2.796000 sec | 1.358999 sec | 0.720569 Ext Ops : 2 | 2 | 0 | 5.1 | 0.023500 sec | 0.030999 sec | 0.016000 sec | 0.010606 Unknowns : 1 | 0 | 1 | 2.6 | 0.000000 sec | 0.000000 sec | 0.000000 sec | 0.000000 Error/ResultCode Statistics: 35 times success (0). 3 times other (80). 1 times unexpectedSocketCloseByClient (97). 
Top 100 Durations: Duration CreateTime EndTime Op# CC Type/Info 0.281000 | 10:35:19.862999 | 10:35:20.143999 | 000003 | 1 | SEARCH (objectclass=subschema) 0.265000 | 10:38:23.766999 | 10:38:24.031999 | 000034 | 1 | SEARCH (UserCertificate:2.5.13.34:=30$cn=admin,o=pqrupmann02) 0.218999 | 10:35:19.581000 | 10:35:19.799999 | 000001 | 1 | BIND cn=admin,o=my-company 0.202999 | 10:38:07.190000 | 10:38:07.392999 | 000032 | 1 | SEARCH (cn=ANY(bel)) 0.078000 | 10:35:20.799999 | 10:35:20.877999 | 000005 | 1 | SEARCH (objectClass=PRES) 0.078000 | 10:38:00.908999 | 10:38:00.986999 | 000031 | 1 | BIND cn=admin,o=my-company 0.078000 | 10:35:21.003000 | 10:35:21.081000 | 000006 | 1 | SEARCH (objectClass=PRES) 0.062000 | 10:39:18.480999 | 10:39:18.542999 | 000035 | 1 | MODIFY cn=Kary Leary,ou=Payroll,o=My-Company 0.062000 | 10:35:48.154999 | 10:35:48.216999 | 000020 | 1 | SEARCH (objectClass=PRES) 0.031000 | 10:35:54.497999 | 10:35:54.528999 | 000023 | 1 | SEARCH (objectClass=PRES) 0.030999 | 10:35:38.015000 | 10:35:38.045999 | 000015 | 2 | SEARCH (objectClass=PRES) 0.030999 | 10:36:23.683000 | 10:36:23.713999 | 000029 | 1 | EXT-OP DSA-Index-Info 0.016000 | 10:35:21.111999 | 10:35:21.127999 | 000007 | 1 | SEARCH (objectclass=PRES) 0.016000 | 10:35:39.342999 | 10:35:39.358999 | 000019 | 1 | SEARCH (objectclass=PRES) 0.016000 | 10:35:55.888000 | 10:35:55.904000 | 000027 | 1 | SEARCH (objectclass=PRES) 0.016000 | 10:35:54.309999 | 10:35:54.325999 | 000022 | 1 | SEARCH (objectclass=PRES) 0.016000 | 10:35:39.326999 | 10:35:39.342999 | 000018 | 1 | SEARCH (objectClass=PRES) 0.016000 | 10:35:39.124000 | 10:35:39.140000 | 000016 | 1 | SEARCH (objectClass=PRES) 0.016000 | 10:40:23.740999 | 10:40:23.756999 | 000037 | 2 | EXT-OP DSA-Index-Info 0.015999 | 10:35:19.831000 | 10:35:19.846999 | 000002 | 1 | SEARCH (objectclass=PRES) 0.015000 | 10:35:55.872999 | 10:35:55.887999 | 000026 | 1 | SEARCH (objectClass=PRES) 0.014999 | 10:35:39.140000 | 10:35:39.154999 | 000017 | 1 | SEARCH 
(objectclass=PRES) 0.014999 | 10:35:54.295000 | 10:35:54.309999 | 000021 | 1 | SEARCH (objectClass=PRES) ########################## END of TRAIL #######################################