You can use the audit and investigation page to run searches related to LDAP log events. Two types of log events are available for the Secure LDAP service:
- Admin log events (for information, go to Admin log events)
- LDAP log events
For a full list of services and activities that you can investigate, such as Google Drive or user activity, read through the data sources for the audit and investigation page.
Open the audit and investigation page
- On the left, click ReportingAudit and investigationSecure LDAP log events.
Filter the data
- Open the log events as described above in Access Secure LDAP log event data.
- Click Add a filter, and then select an attribute.
- In the pop-up window, select an operatorselect a valueclick Apply.
(Optional) To create multiple filters for your search:
- Click Add a filter and repeat step 3.
- (Optional) To add a search operator, above Add a filter, select AND or OR.
- Click Search.
Note: Using the Filter tab, you can include simple parameter and value pairs to filter the search results. You can also use the Condition builder tab, where the filters are represented as conditions with AND/OR operators.
For this data source, you can use the following attributes when searching log event data:
|Actor||Email address of the user who performed the action|
|Actor group name||Group name of the actor|
|Actor organizational unit||Organizational unit of the actor|
|Application ID||LDAP application ID for which the Secure LDAP protocol request is mapped|
|Application name||LDAP application name for which the Secure LDAP protocol request is mapped|
|Attributes||Secure LDAP search query attributes|
|Base object||Base object (organizational unit) to query for users|
|Connection ID||Secure LDAP request connection ID|
|Date||Date and time of the event (displayed in your browser's default time zone)|
|Deref aliases||Indicator to specify whether or not aliases are dereferenced during a Secure LDAP search operation|
|Dropped attributes||List of attributes dropped as part of a Secure LDAP search query response|
|Event||The logged event action, such as Bind Failed, Search Successful, or Unbind|
|Filter||LDAP search query filter|
|IP address||Internet Protocol (IP) address associated with the logged action|
|Is types only||LDAP search request filter to return types only|
|Message ID||LDAP search request filter to return types only|
|Name||Name of the principle behind an LDAP bind request|
|Request controls||Comma-separated list of all other request parameters received in an LDAP protocol request apart from connection ID, message ID, and search query|
|Result code||Code generated from the Secure LDAP search results|
|Result controls||Comma-separated list of all parameters sent in an LDAP protocol response apart from connection ID, message ID, and search query|
|Scope||Secure LDAP search query scope|
|Size limit||Secure LDAP search query response size limit|
|Time limit||Secure LDAP search query latency time limit|
|Version||Version of the LDAP protocol that's being called in the bind operation|
Manage log event data
Manage search results column data
You can control which data columns appear in your search results.
- At the top-right of the search results table, click Manage columns .
- (Optional) To remove current columns, click Remove .
- (Optional) To add columns, next to Add new column, click the Down arrow and select the data column.
Repeat as needed.
- (Optional) To change the order of the columns, drag the data column names.
- Click Save.
Export search result data
- At the top of the search results table, click Export all.
- Enter a name click Export.
The export displays below the search results table under Export action results.
- To view the data, click the name of your export.
The export opens in Google Sheets.
Create reporting rules
When and how long is data available?
Go to Data retention and lag times.