
Re: LDAP Change Log



If you have a lot of users and your server is heavily loaded, then maybe you should watch mailbox.log for ModifyPrefs (check your log for exact message) and scan just those accounts. We don't bother. Running raw ldapsearch (without the zmprov ga Java overhead) is fast enough that we can search all accounts every few minutes.

A terse account of other things we do is at: http://www.sans.org/reading_room/whitepapers/email/phishing-detecton-remediation_34082

On May 25, 2013, at 11:11 PM, William Froning <wfroning@aus.edu> wrote:

Hello All,

I was wondering how you all are monitoring LDAP change events. I can't seem to find the right log (if it is even enabled) to watch for account changes that might suggest a compromised account.

We are running 7.2.1. Any assistance is welcome.

Thanks,
Will

--
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration


American University of Sharjah

Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah
United Arab Emirates
http://www.aus.edu
wfroning@aus.edu
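
The periodic full scan described in the reply above can be turned into change detection by diffing successive ldapsearch outputs. The sketch below is an added example, not code from the thread or from Zimbra; the watched attribute list is an assumption (the post names none) and the LDIF samples are constructed.

```python
import base64

# Assumption: the post names no attributes; these Zimbra preference
# attributes are picked here as ones worth watching.
WATCHED = {"zimbraPrefMailForwardingAddress", "zimbraPrefReplyToAddress",
           "zimbraPrefFromDisplay", "zimbraPrefMailSignature"}
# Constructed sample ldapsearch (LDIF) output from two successive runs.
PREVIOUS = """dn: uid=alice,ou=people,dc=example,dc=edu
zimbraPrefFromDisplay: Alice Example

dn: uid=bob,ou=people,dc=example,dc=edu
zimbraPrefFromDisplay: Bob Example
"""
CURRENT = """dn: uid=alice,ou=people,dc=example,dc=edu
zimbraPrefFromDisplay: Alice Example
zimbraPrefMailForwardingAddress: collector@
 mail.example.net

dn: uid=bob,ou=people,dc=example,dc=edu
zimbraPrefFromDisplay:: SVQgSGVscCBEZXNr
"""

def parse_ldif(text):  # -> {dn: {watched attr: [values]}}
    entries, dn = {}, None
    # LDIF folds long lines as newline + one space; undo that first.
    for line in text.replace("\r\n", "\n").replace("\n ", "").splitlines():
        attr, sep, value = line.partition(":")
        if not line.strip():                 # blank line ends an entry
            dn = None
        elif line.startswith("#") or not sep:
            continue
        elif attr == "dn" or (dn is not None and attr in WATCHED):
            if value.startswith(":"):        # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if attr == "dn":
                dn = value.strip()
                entries[dn] = {}
            else:
                entries[dn].setdefault(attr, []).append(value.strip())
    return entries

def diff_snapshots(old, new):  # -> [(dn, attr, old_values, new_values)]
    changes = []
    for dn, attrs in sorted(new.items()):
        for attr in sorted(WATCHED):
            a, b = sorted(old.get(dn, {}).get(attr, [])), sorted(attrs.get(attr, []))
            if a != b:
                changes.append((dn, attr, a, b))
    return changes
```

Accounts that appear only in the newer snapshot are reported with an empty old value list; accounts that disappeared are not reported.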