737 Views 4 Replies Latest reply: May 11, 2013 5:47 PM by orens
orens Newcomer 3 posts since
Jul 25, 2010

May 8, 2013 6:41 PM

Write LDAP attributes to Access Log

Hi,

I'm trying to pull the displayName attribute of authenticated users from Microsoft AD via LDAP and write it as a user-defined property in the access log.

This will be useful when creating reports based on the access log; sometimes authentication usernames don't contain the actual name of the user (it might be the employee number).

I could set up the authentication with LDAP and get the displayName attribute all right.

Now I just need to find out how to use this attribute in the access log.

Appreciate any help with this one.

Thanks

  • andyclements Apprentice 131 posts since
    Jul 27, 2012
    1. May 8, 2013 9:17 PM (in response to orens)
    Re: Write LDAP attributes to Access Log

    You can add the information to the access log on the Policy tab, then under Rule Sets and Log Handler. Select Access Log under the Default log handler. You should see one rule there, which you can edit. On the Edit Rule dialog, select Events, then edit the first event. The event type should stay the same, but the list of concatenated strings on the right side can be modified. The property that contains the displayName can then be added to the log line by clicking Add, then choosing the Parameter property radio button, and finally selecting the property that has the correct data.

    I stuffed it all into one screen shot, but here are all the steps numbered:

    [screenshot: access_log.png]

    I would recommend putting the name in quotes, as it is likely to have spaces in it. Click on Add, select Parameter value, and enter the quote. It would also be good to add a space before/after it to separate it from another value.

    After the new data is defined in the log line, you should add a name for the field to the log header. Go to Policy --> Settings --> File System Logging --> Access Log Configuration. In the Log header field, add the new field name with the proper spaces/quotes around it. This will enable the WebReporter/Content Security Reporter to properly read the file. Without this, you will just get parsing errors.
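The quoting and header advice above, as an added example (not code from this thread or from MWG): a small Python parser that splits a log line according to a header that names its fields, showing that an unquoted display name containing spaces, or a header that was never updated with the new field, yields the field-count mismatch a reporter shows as a parsing error. The header, field names and log lines are constructed for illustration.

```python
import shlex

# Constructed sample header and lines; the field names and layout are an
# assumption for illustration, not MWG's shipped access-log format.
LOG_HEADER = 'time_stamp "auth_user" "display_name" "url" status_code'
OLD_HEADER = 'time_stamp "auth_user" "url" status_code'  # header not updated
UNQUOTED_LINE = '2013-05-09T10:01:00 "e12345" Jane Q Public "http://example.com/" 200'
QUOTED_LINE = '2013-05-09T10:01:00 "e12345" "Jane Q Public" "http://example.com/" 200'


def header_fields(header):
    """Return (name, quoted) pairs. A name written in quotes in the header
    announces that the value in that position is a quoted string."""
    return [(tok.strip('"'), tok.startswith('"')) for tok in header.split()]


def format_log_line(header, values):
    """Build a line the way the log handler's concatenation does: each value
    is wrapped in the quotes the header declares for its position and the
    pieces are joined with single spaces."""
    pairs = zip(header_fields(header), values)
    return " ".join(f'"{v}"' if quoted else str(v) for (_, quoted), v in pairs)


def parse_log_line(header, line):
    """Split a line into the header's fields; a quoted value may contain
    spaces. A field-count mismatch is what a reporter shows as a parsing
    error, so it is raised here as ValueError."""
    names = [name for name, _ in header_fields(header)]
    tokens = shlex.split(line)
    if len(tokens) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(names, tokens))


def is_parseable(header, line):
    """True when the line splits into exactly the header's fields."""
    try:
        parse_log_line(header, line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_log_line(LOG_HEADER, QUOTED_LINE)["display_name"])  # Jane Q Public
    print(is_parseable(LOG_HEADER, UNQUOTED_LINE))  # False: name split on spaces
    print(is_parseable(OLD_HEADER, QUOTED_LINE))    # False: header lacks the field
```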

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    2. May 9, 2013 10:01 AM (in response to orens)
    Re: Write LDAP attributes to Access Log

    Hi orens,

    There is no property that contains the displayName. What needs to be done is that it has to be pulled when MWG contacts the LDAP server (AD).

    So, much like MWG will pull group information (memberOf), we need to store the displayName in the user-defined property based on the given username.

    I will write up a ruleset which will allow you to retrieve the displayName and store it.

    One question though (that has bearing on how I write it): are you using NTLM auth, or LDAP to start?

    Best,

    Jon

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    3. May 9, 2013 3:48 PM (in response to orens)
    Re: Write LDAP attributes to Access Log

    What is entailed is similar to what I did on the following thread:

    https://community.mcafee.com/message/284493#284493

    But it depends on how you perform the original authentication (NTLM or LDAP); this will change how the rules look.

    Best,

    Jon
