Secure LDAP log events

Review LDAP operations for the Secure LDAP service

Depending on your Google Workspace edition, you might have access to the security investigation tool, which has more advanced features. For example, super admins can identify, triage, and take action on security and privacy issues. Learn more

As your organization's administrator, you can run searches and take action on LDAP log events. Two types of log events are available for the Secure LDAP service:

Run a search for log events

Your ability to run a search depends on your Google edition, your administrative privileges, and the data source. You can run a search on all users, regardless of their Google Workspace edition.

Attribute descriptions

For this data source, you can use the following attributes when searching log event data:

Attribute Description
Actor Email address of the user who performed the action
Actor group name

Group name of the actor. For more information, go to Filtering results by Google Group.

To add a group to your filtering groups allowlist:

  1. Select Actor group name.
  2. Click Filtering groups.
    The Filtering groups page displays.
  3. Click Add Groups.
  4. Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
  5. (Optional) To add another group, search for and select the group.
  6. When you finish selecting groups, click Add.
  7. (Optional) To remove a group, click Remove group .
  8. Click Save.
Actor organizational unit Organizational unit of the actor
Application ID LDAP application ID for which the Secure LDAP protocol request is mapped
Application name LDAP application name for which the Secure LDAP protocol request is mapped
Attributes Secure LDAP search query attributes
Base object Base object (organizational unit) to query for users
Connection ID Secure LDAP request connection ID
Date Date and time of the event (displayed in your browser's default time zone)
Deref aliases Indicator to specify whether or not aliases are dereferenced during a Secure LDAP search operation
Dropped attributes List of attributes dropped as part of a Secure LDAP search query response
Event The logged event action, such as Bind Failed, Search Successful, or Unbind
Filter LDAP search query filter
IP address Internet Protocol (IP) address associated with the logged action 
Is types only LDAP search request filter to return types only
Message ID LDAP search request filter to return types only
Name Name of the principle behind an LDAP bind request
Request controls Comma-separated list of all other request parameters received in an LDAP protocol request apart from connection ID, message ID, and search query
Result code Code generated from the Secure LDAP search results
Result controls Comma-separated list of all parameters sent in an LDAP protocol response apart from connection ID, message ID, and search query
Scope Secure LDAP search query scope
Size limit Secure LDAP search query response size limit
Time limit Secure LDAP search query latency time limit
Version Version of the LDAP protocol that's being called in the bind operation

Note: If you gave a user a new name, you will not see query results with the user's old name. For example, if you rename OldName@example.com to NewName@example.com, you will not see results for events related to OldName@example.com.

Manage log event data

Take action based on search results

Manage your investigations

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

Was this helpful?

How can we improve it?
8534246686991689198
true
Search Help Center
true
true
true
true
true
73010
false
Search
Clear search
Close search
Main menu
false