Many services and processes running in a domain document their activities fully automatically in the background. The log files contain information about users’ logins to the system, installation and uninstallation of software, access to web pages, error messages and other information. Univention Corporate Server (UCS) also creates such reports – either behind the scenes in the form of log files or by using the UCS Admin Diary. You can also obtain ready-made reports as CSV or PDF files via the Univention Management Console or Shell.
In this article, I would like to show you how to create audit-proof log files of the LDAP directory service with Univention Directory Logger. I’d also like to tell you how to obtain a complete overview of the operations in a UCS domain with Admin Diary and how you can evaluate data from the directory service with Univention Directory Reports.
Univention Directory Logger: audit-proof LDAP logging
In a standard UCS system, the LDAP directory service writes its logs to, among other places, the two files /var/log/univention/listener.log and /var/lib/univention-ldap/notify/transaction. However, in listener.log the service only notes the DN (distinguished name) of the object and a timestamp, and in the transaction file it only records a numbered entry with the type of change (a for "add", m for "modify" and d for "delete"). Admins can obtain much more information, including the changed attributes and who made the change, by installing the Univention Directory Logger. In addition, the Directory Logger makes the LDAP log files revision-proof: manipulations of the logs are no longer possible without being detected.
To retrofit the Directory Logger, admins have to install the univention-directory-logger package, which simultaneously restarts the LDAP service and creates a new log file named /var/log/univention/directory-logger.log. The individual data records now receive hash values and each repeats the hash value of the previous data record, so that manipulations of the file would be noticed immediately. The following listing shows an extract of the log file /var/log/univention/directory-logger.log:
ID 454: START
ID 454: Old Hash: 8d1ba93957e1cdbb88a6778079be42db
ID 454: DN: cn=Printer-Admins,cn=groups,dc=test-installation,dc=intranet
ID 454: ID: 454
ID 454: Modifier: uid=petronella,cn=self registered users,dc=test-installation,dc=intranet
ID 454: Timestamp: 27.08.2020 09:30:10
ID 454: Action: modify
ID 454:
ID 454: Old values:
ID 454: entryCSN: 20200826141005.172661Z#000000#000#000000
ID 454: modifyTimestamp: 20200826141005Z
ID 454: modifiersName: cn=admin,dc=test-installation,dc=intranet
ID 454:
ID 454: New values:
ID 454: entryCSN: 20200827093010.354523Z#000000#000#000000
ID 454: memberUid: egbert
ID 454: modifyTimestamp: 20200827093010Z
ID 454: modifiersName: uid=petronella,cn=self registered users,dc=test-installation,dc=intranet
ID 454: uniqueMember: uid=egbert,cn=self registered users,dc=test-installation,dc=intranet
ID 454: END
[...]
At the beginning of each line you see the so-called transaction ID, which has been written to directory-logger.log by default since UCS 4.4-0 Erratum 536. This is a sequential number that makes it easier to find your way around the file. If you installed the Univention Directory Logger before that update, you can activate the feature afterwards by setting the UCR variable ldap/logging/id-prefix to yes. You can access the variables via System / Univention Configuration Registry, where a search field lets you look up variables by name.
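The chaining described above (each record repeating the hash of its predecessor) is what makes the file tamper-evident, and it can be checked mechanically. The following script is an added example, not part of the article and not Univention's code: it parses the "ID <n>: <content>" layout shown in the listing and verifies that every record's Old Hash matches the digest of the previous record and that the transaction IDs are contiguous. The page does not state exactly which text the real Directory Logger feeds into its hash function, so the digest used here (MD5 over a record's content lines from START to END) is an assumption chosen only because the listing shows 32-hex-digit hashes; the three records are constructed sample data.

```python
import hashlib
import re

# Added example (not Univention's code). Models the chaining described in the
# article: every record carries the hash of its predecessor ("Old Hash"), so a
# record that is altered or removed after the fact breaks the chain. The exact
# input of the real Directory Logger's hash function is not given on the page;
# this model hashes the record's content lines from START to END with MD5
# (an assumption, chosen only because the listing shows 32-hex-digit hashes).

LINE_RE = re.compile(r"^ID (\d+):\s?(.*)$")   # "ID 454: <content>"


def record_digest(content_lines):
    """Digest of one record's content lines (assumed input to the chain hash)."""
    return hashlib.md5("\n".join(content_lines).encode("utf-8")).hexdigest()


def make_record(rec_id, old_hash, dn, modifier, timestamp, action, old_values, new_values):
    """Build the content lines of one record in the layout of directory-logger.log."""
    content = ["START", f"Old Hash: {old_hash}", f"DN: {dn}", f"ID: {rec_id}",
               f"Modifier: {modifier}", f"Timestamp: {timestamp}", f"Action: {action}", ""]
    content += ["Old values:"] + [f"{k}: {v}" for k, v in old_values] + [""]
    content += ["New values:"] + [f"{k}: {v}" for k, v in new_values] + ["END"]
    return content


def render(rec_id, content_lines):
    """Prefix every content line with the transaction ID, as the log file does."""
    return "\n".join(f"ID {rec_id}: {line}".rstrip() for line in content_lines)


def parse_log(text):
    """Parse the prefixed layout back into records; lines outside a record are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec_id, content = int(m.group(1)), m.group(2)
        if content == "START":
            current = {"id": rec_id, "fields": {}, "old_values": {}, "new_values": {},
                       "section": None, "lines": []}
        if current is None or rec_id != current["id"]:
            continue
        current["lines"].append(content)
        if content == "END":
            records.append(current)
            current = None
        elif content.startswith("Old Hash: "):
            current["old_hash"] = content[len("Old Hash: "):]
        elif content in ("Old values:", "New values:"):
            current["section"] = "old_values" if content.startswith("Old") else "new_values"
        elif ": " in content:
            key, value = content.split(": ", 1)
            if current["section"]:
                current[current["section"]].setdefault(key, []).append(value)
            else:
                current["fields"][key] = value
    return records


def verify_chain(text):
    """Check that every record's Old Hash equals the digest of the previous record
    and that transaction IDs are contiguous. Returns (ok, list of problems)."""
    records = parse_log(text)
    problems = []
    for prev, cur in zip(records, records[1:]):
        if cur["id"] != prev["id"] + 1:
            problems.append(f"record {cur['id']}: gap after record {prev['id']}")
        if cur.get("old_hash") != record_digest(prev["lines"]):
            problems.append(f"record {cur['id']}: Old Hash does not match record {prev['id']}")
    return not problems, problems


def build_sample_log():
    """Constructed three-record log (sample data, not taken from a real system)."""
    base = "dc=test-installation,dc=intranet"
    group = f"cn=Printer-Admins,cn=groups,{base}"
    r452 = make_record(452, "0" * 32, f"uid=egbert,cn=self registered users,{base}",
                       f"cn=admin,{base}", "26.08.2020 14:09:58", "add",
                       [], [("uid", "egbert"), ("cn", "Egbert")])
    r453 = make_record(453, record_digest(r452), group, f"cn=admin,{base}",
                       "26.08.2020 14:10:05", "modify",
                       [("description", "Printers")], [("description", "Printer administrators")])
    r454 = make_record(454, record_digest(r453), group,
                       f"uid=petronella,cn=self registered users,{base}",
                       "27.08.2020 09:30:10", "modify",
                       [("modifiersName", f"cn=admin,{base}")],
                       [("memberUid", "egbert"),
                        ("modifiersName", f"uid=petronella,cn=self registered users,{base}")])
    return "\n".join([render(452, r452), render(453, r453), render(454, r454)])


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_chain(log))
    tampered = log.replace("description: Printer administrators", "description: hijacked")
    print("edited record 453:", verify_chain(tampered))
    without_453 = "\n".join(l for l in log.splitlines() if not l.startswith("ID 453:"))
    print("record 453 removed:", verify_chain(without_453))
```

Editing or deleting an earlier record is reported because the following record's Old Hash no longer matches. Note the limit of the scheme that the script also makes visible: the newest record is only pinned down once its successor has been written, so a change to the very last record is not caught by the chain alone. Forwarding the file to a separate log host as it grows closes that window.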
Admins can also have further information written to the log file /var/log/syslog for debugging purposes. To do so, set the UCR variable ldap/debug/level accordingly. For more information, see the slapd.conf man page and search for loglevel there.
After adjusting the UCR variable, slapd must be restarted by executing the command service slapd restart. To minimize the risk of errors, we recommend restarting the service outside the system's peak hours.
Attention: Depending on the log level, extremely large log files with many entries are created quickly. Therefore, you should only change this variable for debugging purposes and then reset it to the original value none.
Tip: Sometimes it is desirable to exclude individual parts of the directory service from logging. This can be done for data protection reasons, e.g., if changes to certain accounts may not be recorded, or in special use cases, for example, if frequent continuous adjustments to users/groups are planned that are neither interesting nor relevant to the functionality of the system. To exclude individual branches from the logs, edit the UCR variables ldap/logging/exclude1, ldap/logging/exclude2 etc. By default, exclude1 is set up so that changes to the container with temporary objects (cn=temporary,cn=univention) are not logged. If you make changes here, restart the service afterwards with the command systemctl restart univention-directory-listener.service.
Admin Diary: Overview of all administrative events
The Admin Diary, which we introduced with UCS 4.4, holds answers to many questions. It provides a quick overview of events in a UCS domain, such as software and app installations and updates, creation, modification and deletion of users and other directory service objects, password changes, etc.
The Admin Diary consists of two apps: the Admin Diary Backend and the Admin Diary Frontend. The backend collects data from all UCS instances in the domain and stores it in a database. The frontend then provides access to the log via the Univention Management Console and displays the events. In the default setting, these are sorted chronologically. However, you can select a specific date and also apply various search filters.
Please note that when installing the Admin Diary app, the backend must first be installed on a system in the domain before you set up a frontend. It is also possible to install multiple frontends on different UCS systems. For more information about setting up and running the backend and frontend on different computers and about the general functions of the Admin Diary, read the article: Journaling for Sysadmins: Admin Diary.
Univention Directory Reports: Reports as CSV and PDF
Thanks to Univention Directory Reports, predefined reports on any objects managed in the directory service are available. UCS admins create such reports in CSV or PDF format directly via the Univention Management Console or with the command line tool univention-directory-reports on the shell. The reports can be used as an inventory (PDF) or as an import source for other programs (CSV), for example, to list users with certain attributes or to read a list of accounts into an external school administration software.
In the UMC, you can find the function either via Users / User, Users / Groups or via Devices / Computers. Select one or more objects in the list and then open the menu MORE. There, you select the entry Create Report and then decide on an output format (CSV or PDF).
There are six different templates (three for CSV files and three for PDF documents) that define the layout and structure of the reports. The templates for PDF reports are in RML format and use placeholders that will be replaced by the values from the LDAP directory.
It is possible to set up your own templates and thus generate, for example, very detailed reports or just simple address lists. If you edit CSV templates with a text editor like vi, you have to execute the command perl -pi -e 'chomp if eof' <name of the template file> afterwards to remove the line break that the editor automatically appends at the end of the file. The UCR variables directory/reports/templates/csv/[…] and directory/reports/templates/pdf/[…] determine which template is used for the report on users, groups, and computers. It is also possible to replace the logo in the header of the PDF report (variable directory/reports/logo). Here, you can define your own image in JPG, PNG or GIF format; it will automatically be scaled to a fixed width of 5 cm.
The default settings define that the reports are kept for twelve hours. Afterwards they are deleted by a cron job. You can configure the duration by adjusting the UCR variable directory/reports/cleanup/age and entering the maximum age of the reports in seconds. You can also specify when the cron job runs for cleaning (variable directory/reports/cleanup/cron). The entry must be made in cron syntax (man crontab).
As mentioned above, you can also create the reports on the shell using the command line tool univention-directory-reports. The tool does not have a man page, but with the --help switch you can display an overview of all available parameters and options.
As you can see, there are many ways to create reports and filter out information about the systems, users and groups in your UCS domain. Whether it is about audit-proof protocols of the directory service, a graphical overview with note function or fully automatically generated reports and inventory lists: Univention Corporate Server has the right tools on board.