opends/resource/schema/02-config.ldif
@@ -2677,19 +2677,19 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.32 NAME 'ds-cfg-client-address-equal-to' NAME 'ds-cfg-connection-client-address-equal-to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.33 NAME 'ds-cfg-client-address-not-equal-to' NAME 'ds-cfg-connection-client-address-not-equal-to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.34 NAME 'ds-cfg-client-protocol-equal-to' NAME 'ds-cfg-connection-protocol-equal-to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.35 NAME 'ds-cfg-client-port-equal-to' NAME 'ds-cfg-connection-port-equal-to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'OpenDJ Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.36733.2.1.1.36 @@ -4541,10 +4541,10 @@ STRUCTURAL MUST ( cn ) MAY ( ds-cfg-log-record-type $ ds-cfg-client-address-equal-to $ ds-cfg-client-address-not-equal-to $ ds-cfg-client-protocol-equal-to $ ds-cfg-client-port-equal-to $ ds-cfg-connection-client-address-equal-to $ ds-cfg-connection-client-address-not-equal-to $ ds-cfg-connection-protocol-equal-to $ ds-cfg-connection-port-equal-to $ ds-cfg-user-dn-equal-to $ ds-cfg-user-dn-not-equal-to $ ds-cfg-user-is-member-of $ opends/src/admin/defn/org/opends/server/admin/std/AccessLogFilteringCriteriaConfiguration.xml
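Review bot: The four connection criteria attributes (OIDs 1.3.6.1.4.1.36733.2.1.1.32 to .35) keep their OIDs but lose their old `ds-cfg-client-*` names, and the second hunk drops those names from the object class MAY list, so a configuration entry written with the old names would presumably no longer validate against this schema. These attributes decide which access-log records are kept, so a criteria entry that fails to load after an upgrade changes what is audited. Consider keeping the old name as an alias on each definition, e.g. `NAME ( 'ds-cfg-connection-port-equal-to' 'ds-cfg-client-port-equal-to' )`, or documenting the rename in the upgrade notes. Both hunks are cut at their edges, so the object class name is not visible here.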
@@ -46,11 +46,7 @@ Filters log records based on their type. </adm:synopsis> <adm:default-behavior> <adm:alias> <adm:synopsis> The log record type will be ignored during filtering. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:enumeration> @@ -98,7 +94,7 @@ </ldap:attribute> </adm:profile> </adm:property> <adm:property name="client-address-equal-to" multi-valued="true"> <adm:property name="connection-client-address-equal-to" multi-valued="true"> <adm:synopsis> Filters log records associated with connections which match at least one of the specified client host names or address masks. @@ -108,22 +104,18 @@ domain name, an IP address, or a subnetwork with subnetwork mask. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on client address equality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:ip-address-mask /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-client-address-equal-to</ldap:name> <ldap:name>ds-cfg-connection-client-address-equal-to</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="client-address-not-equal-to" multi-valued="true"> <adm:property name="connection-client-address-not-equal-to" multi-valued="true"> <adm:synopsis> Filters log records associated with connections which do not match any of the specified client host names or address masks. 
@@ -133,70 +125,59 @@ domain name, an IP address, or a subnetwork with subnetwork mask. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on client address inequality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:ip-address-mask /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-client-address-not-equal-to</ldap:name> <ldap:name>ds-cfg-connection-client-address-not-equal-to</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="client-protocol-equal-to" multi-valued="true"> <adm:property name="connection-protocol-equal-to" multi-valued="true"> <adm:synopsis> Filters log records associated with connections which match any of the specified protocols. </adm:synopsis> <adm:description> Typical values include "ldap", "ldaps", or "jmx". </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on the protocol. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:enumeration> <adm:value name="ldap"> <adm:synopsis>LDAP clients</adm:synopsis> </adm:value> <adm:value name="ldaps"> <adm:synopsis>LDAPS clients</adm:synopsis> </adm:value> <adm:value name="jmx"> <adm:synopsis>JMX clients</adm:synopsis> </adm:value> </adm:enumeration> <adm:string> <adm:pattern> <adm:regex>[a-zA-Z0-9]+</adm:regex> <adm:usage>NAME</adm:usage> <adm:synopsis> The protocol name as reported in the access log. </adm:synopsis> </adm:pattern> </adm:string> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-client-protocol-equal-to</ldap:name> <ldap:name>ds-cfg-connection-protocol-equal-to</ldap:name> </ldap:attribute> </adm:profile> </adm:property> <adm:property name="client-port-equal-to" multi-valued="true"> <adm:property name="connection-port-equal-to" multi-valued="true"> <adm:synopsis> Filters log records associated with connections to any of the specified listener port numbers. 
</adm:synopsis> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on the port. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer lower-limit="1" upper-limit="65535" /> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:name>ds-cfg-client-port-equal-to</ldap:name> <ldap:name>ds-cfg-connection-port-equal-to</ldap:name> </ldap:attribute> </adm:profile> </adm:property> @@ -213,11 +194,7 @@ uid=bj*,ou=people,dc=example,dc=com). </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on user DN equality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:string /> @@ -241,11 +218,7 @@ uid=bj*,ou=people,dc=example,dc=com). </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on user DN inequality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:string /> @@ -262,11 +235,7 @@ one of the specified groups. </adm:synopsis> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on group membership. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:dn /> @@ -283,11 +252,7 @@ of the specified groups. </adm:synopsis> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on group non-membership. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:dn /> @@ -311,11 +276,7 @@ uid=bj*,ou=people,dc=example,dc=com). </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on target DN equality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:string /> 
@@ -339,11 +300,7 @@ uid=bj*,ou=people,dc=example,dc=com). </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on target DN inequality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:string /> @@ -365,11 +322,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on result code equality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer /> @@ -391,11 +344,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on result code inequality. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer /> @@ -417,11 +366,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on the etime. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer> @@ -445,11 +390,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on the etime. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer> @@ -473,11 +414,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on the number of search results returned. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer> @@ -501,11 +438,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on the number of search results returned. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:integer> 
@@ -529,11 +462,7 @@ is only applied to response log messages. </adm:description> <adm:default-behavior> <adm:alias> <adm:synopsis> Do not filter based on whether or not a search was indexed. </adm:synopsis> </adm:alias> <adm:undefined/> </adm:default-behavior> <adm:syntax> <adm:boolean/> opends/src/admin/messages/AccessLogFilteringCriteriaCfgDefn.properties
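Review bot: `connection-protocol-equal-to` now accepts any string matching `[a-zA-Z0-9]+` instead of the `ldap`/`ldaps`/`jmx` enumeration, so a mistyped protocol name passes validation and the criteria then never matches a connection. For an access-log filter that means the log holds a different set of records than the administrator intended, with no error to point at the mistake. The pattern also rejects any protocol name containing characters other than letters and digits; whether a connection handler reports such a name is not visible here and should be checked. The description could also say how values are compared, e.g. `Values are compared case-insensitively with the protocol name reported in the access log.`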
@@ -1,21 +1,15 @@ user-friendly-name=Access Log Filtering Criteria user-friendly-plural-name=Access Log Filtering Criteria synopsis=A set of rules which together determine whether a log record should be logged or not. property.client-address-equal-to.synopsis=Filters log records associated with connections which match at least one of the specified client host names or address masks. property.client-address-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. property.client-address-equal-to.default-behavior.alias.synopsis=Do not filter based on client address equality. property.client-address-not-equal-to.synopsis=Filters log records associated with connections which do not match any of the specified client host names or address masks. property.client-address-not-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. property.client-address-not-equal-to.default-behavior.alias.synopsis=Do not filter based on client address inequality. property.client-port-equal-to.synopsis=Filters log records associated with connections to any of the specified listener port numbers. property.client-port-equal-to.default-behavior.alias.synopsis=Do not filter based on the port. property.client-protocol-equal-to.synopsis=Filters log records associated with connections which match any of the specified protocols. property.client-protocol-equal-to.default-behavior.alias.synopsis=Do not filter based on the protocol. 
property.client-protocol-equal-to.syntax.enumeration.value.jmx.synopsis=JMX clients property.client-protocol-equal-to.syntax.enumeration.value.ldap.synopsis=LDAP clients property.client-protocol-equal-to.syntax.enumeration.value.ldaps.synopsis=LDAPS clients property.connection-client-address-equal-to.synopsis=Filters log records associated with connections which match at least one of the specified client host names or address masks. property.connection-client-address-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. property.connection-client-address-not-equal-to.synopsis=Filters log records associated with connections which do not match any of the specified client host names or address masks. property.connection-client-address-not-equal-to.description=Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. property.connection-port-equal-to.synopsis=Filters log records associated with connections to any of the specified listener port numbers. property.connection-protocol-equal-to.synopsis=Filters log records associated with connections which match any of the specified protocols. property.connection-protocol-equal-to.description=Typical values include "ldap", "ldaps", or "jmx". property.connection-protocol-equal-to.syntax.string.pattern.synopsis=The protocol name as reported in the access log. property.log-record-type.synopsis=Filters log records based on their type. property.log-record-type.default-behavior.alias.synopsis=The log record type will be ignored during filtering. property.log-record-type.syntax.enumeration.value.abandon.synopsis=Abandon operations property.log-record-type.syntax.enumeration.value.add.synopsis=Add operations property.log-record-type.syntax.enumeration.value.bind.synopsis=Bind operations 
@@ -30,38 +24,25 @@ property.log-record-type.syntax.enumeration.value.unbind.synopsis=Unbind operations property.request-target-dn-equal-to.synopsis=Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. property.request-target-dn-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com). property.request-target-dn-equal-to.default-behavior.alias.synopsis=Do not filter based on target DN equality. property.request-target-dn-not-equal-to.synopsis=Filters operation log records associated with operations which target entries matching none of the specified DN patterns. property.request-target-dn-not-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com). property.request-target-dn-not-equal-to.default-behavior.alias.synopsis=Do not filter based on target DN inequality. property.response-etime-greater-than.synopsis=Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. property.response-etime-greater-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. property.response-etime-greater-than.default-behavior.alias.synopsis=Do not filter based on the etime. 
property.response-etime-less-than.synopsis=Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. property.response-etime-less-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. property.response-etime-less-than.default-behavior.alias.synopsis=Do not filter based on the etime. property.response-result-code-equal-to.synopsis=Filters operation response log records associated with operations which include any of the specified result codes. property.response-result-code-equal-to.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. property.response-result-code-equal-to.default-behavior.alias.synopsis=Do not filter based on result code equality. property.response-result-code-not-equal-to.synopsis=Filters operation response log records associated with operations which do not include any of the specified result codes. property.response-result-code-not-equal-to.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. property.response-result-code-not-equal-to.default-behavior.alias.synopsis=Do not filter based on result code inequality. property.search-response-is-indexed.synopsis=Filters search operation response log records associated with searches which were either indexed or unindexed. property.search-response-is-indexed.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. 
property.search-response-is-indexed.default-behavior.alias.synopsis=Do not filter based on whether or not a search was indexed. property.search-response-nentries-greater-than.synopsis=Filters search operation response log records associated with searches which returned more than the specified number of entries. property.search-response-nentries-greater-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. property.search-response-nentries-greater-than.default-behavior.alias.synopsis=Do not filter based on the number of search results returned. property.search-response-nentries-less-than.synopsis=Filters search operation response log records associated with searches which returned less than the specified number of entries. property.search-response-nentries-less-than.description=It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages. property.search-response-nentries-less-than.default-behavior.alias.synopsis=Do not filter based on the number of search results returned. property.user-dn-equal-to.synopsis=Filters log records associated with users matching at least one of the specified DN patterns. property.user-dn-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com). property.user-dn-equal-to.default-behavior.alias.synopsis=Do not filter based on user DN equality. property.user-dn-not-equal-to.synopsis=Filters log records associated with users which do not match any of the specified DN patterns. 
property.user-dn-not-equal-to.description=Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com). property.user-dn-not-equal-to.default-behavior.alias.synopsis=Do not filter based on user DN inequality. property.user-is-member-of.synopsis=Filters log records associated with users which are members of at least one of the specified groups. property.user-is-member-of.default-behavior.alias.synopsis=Do not filter based on group membership. property.user-is-not-member-of.synopsis=Filters log records associated with users which are not members of any of the specified groups. property.user-is-not-member-of.default-behavior.alias.synopsis=Do not filter based on group non-membership. opends/src/server/org/opends/server/loggers/AbstractTextAccessLogPublisher.java
@@ -77,6 +77,8 @@ private final EnumSet<OperationType> logOperationRecords; private final AddressMask[] clientAddressEqualTo; private final AddressMask[] clientAddressNotEqualTo; private final int[] clientPorts; private final String[] clientProtocols; private final PatternDN[] userDNEqualTo; private final PatternDN[] userDNNotEqualTo; private final PatternDN[] targetDNEqualTo; @@ -160,13 +162,32 @@ } } clientAddressEqualTo = cfg.getClientAddressEqualTo().toArray( // The list of ports is likely to be small and a simple array lookup will // be more efficient, avoiding auto-boxing conversions as well. clientPorts = new int[cfg.getConnectionPortEqualTo().size()]; int i = 0; for (Integer port : cfg.getConnectionPortEqualTo()) { clientPorts[i++] = port; } clientProtocols = new String[cfg.getConnectionProtocolEqualTo().size()]; i = 0; for (String protocol : cfg.getConnectionProtocolEqualTo()) { clientProtocols[i++] = toLowerCase(protocol); } clientAddressEqualTo = cfg.getConnectionClientAddressEqualTo().toArray( new AddressMask[0]); clientAddressNotEqualTo = cfg.getClientAddressNotEqualTo().toArray( new AddressMask[0]); clientAddressNotEqualTo = cfg.getConnectionClientAddressNotEqualTo() .toArray(new AddressMask[0]); userDNEqualTo = new PatternDN[cfg.getUserDNEqualTo().size()]; int i = 0; i = 0; for (final String s : cfg.getUserDNEqualTo()) { userDNEqualTo[i++] = PatternDN.decode(s); 
@@ -307,6 +328,44 @@ private boolean filterClientConnection(final ClientConnection connection) { // Check protocol. if (clientProtocols.length > 0) { boolean found = false; final String protocol = toLowerCase(connection.getProtocol()); for (String p : clientProtocols) { if (protocol.equals(p)) { found = true; break; } } if (!found) { return false; } } // Check server port. if (clientPorts.length > 0) { boolean found = false; final int port = connection.getServerPort(); for (int p : clientPorts) { if (port == p) { found = true; break; } } if (!found) { return false; } } // Check client address. final InetAddress ipAddr = connection.getRemoteAddress(); if (clientAddressNotEqualTo.length > 0) @@ -324,25 +383,6 @@ } } // Check server port. if (!cfg.getClientPortEqualTo().isEmpty()) { if (!cfg.getClientPortEqualTo().contains(connection.getServerPort())) { return false; } } // Check protocol. if (!cfg.getClientProtocolEqualTo().isEmpty()) { if (!cfg.getClientProtocolEqualTo().contains( toLowerCase(connection.getProtocol()))) { return false; } } return true; }
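Review bot: In the added protocol check of filterClientConnection, `protocol.equals(p)` dereferences the value taken from the connection, whereas the removed code passed it to `contains(...)`, which tolerates null. If `toLowerCase(connection.getProtocol())` can yield null (neither method is visible in this diff), the new loop throws inside the log filter where the old code returned false. Comparing from the configured side avoids this: `if (p.equals(protocol))`. The match also depends on the constructor storing lower-cased names, which deserves a comment on the field, e.g. `// Protocol names, lower-cased at construction; compared with the lower-cased connection protocol.` The method body and the constructor both continue outside the hunks shown.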