What to Monitor

Monitor the directory service for the following reasons:

  • Noticing availability problems as they occur.

    If a server becomes unresponsive, goes offline, or crashes, you discover the problem quickly, and take corrective action.

  • Identifying how client applications use the directory service.

    You can parse directory access logs to determine what client applications do. This information helps you understand what is most important, and make decisions about indexing, for example.

    Access log messages can also provide evidence of security threats, and traces of insecure client application behavior.

  • Spotting performance problems, where the directory service does not meet habitual, expected, or formally defined functional, throughput, or response time characteristics.

    For example, if it suddenly becomes impossible to perform updates, the directory service has a performance problem. Alternatively, if a search that regularly completes in 500 milliseconds now takes 15 seconds, the directory service has a performance problem.

    A performance problem could also be evidence of a security threat.

Monitoring directory security is thus part of an overall monitoring strategy. Aim to answer at least the following questions when monitoring specifically for security problems:

  • What insecure client behaviors do you observe?

    Examples:

    • Attempts to send simple bind credentials over insecure connections

    • Attempts to change passwords over insecure connections

    • Attempts to change configuration over insecure connections

  • What unusual or unexpected usage patterns do you observe?

    Examples:

    • Search requests that perform unindexed searches

    • Requests that hit resource limits

    • Unusually large numbers of bind requests that fail

    • Unusual large numbers of password change requests that fail

    • Unusual large numbers of account lockout events

  • Are you observing any sudden or hard-to-explain performance problems?

    Examples:

    • Unusual increases in throughput

    • Unusual increases in response times for typical requests

    • Servers suddenly starved for system resources

Keep in mind when you see evidence of what looks like a security problem that it might be explained by a mistake made by an administrator or an application developer. Whether the problem is due to malice or user error, you can nevertheless use monitoring information to guide corrective actions.