Log LDAP queries

I would like to log all LDAP queries to a domain controller over a 24h period. What's the best approach? I'm looking for the content of the queries, not just the source.

albatros99 asked:

eSourceONE commented:
You could use portmirroring and tools like wireshark to monitor traffic on LDAP port 389.
This will only monitor the unencrypted traffic though. If your clients / software use LDAP over SSL you will see traffic on port 636 but won't be able to see the contents.

You should also read this:
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx

and this:
http://technet.microsoft.com/en-us/library/cc961809.aspx

and see if you can get ADS to log the queries in the windows security logs.

Hope this helps.

Best regards,

Lars

miller3773 (Network Administrator) commented:
Netmon from Microsoft will also work and you can isolate only LDAP traffic.

albatros99 (Author) commented:
I ended up changing the following two keys:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics
"15 Field Engineering" set to 5 (default is 0)
 
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\
Expensive Search Results Threshold:DWORD set to 1

The information ends up in the Directory Service Log.
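As an added example (not code from the thread or from Microsoft), a PowerShell script that applies the two registry values the author describes on a domain controller, exports the resulting Directory Service events for a 24-hour window, and then restores the original values. It assumes the searches are written as event ID 1644 and that the event message contains "Client:" and "Filter:" lines; the function names and output path are my own choices.

```powershell
# Run elevated on the domain controller. Field Engineering level 5 is very chatty,
# so enable it only for the capture window and restore the defaults afterwards.
$Diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapQueryLogging {
    # Remember the current values so Disable-LdapQueryLogging can put them back.
    $script:OrigLevel     = (Get-ItemProperty -Path $Diag).'15 Field Engineering'
    $script:OrigThreshold = (Get-ItemProperty -Path $Params).'Expensive Search Results Threshold'
    # Level 5 logs search operations; a threshold of 1 makes any search returning
    # at least one object count as "expensive", so effectively every query is recorded.
    Set-ItemProperty -Path $Diag   -Name '15 Field Engineering'             -Value 5 -Type DWord
    Set-ItemProperty -Path $Params -Name 'Expensive Search Results Threshold' -Value 1 -Type DWord
    Get-Date   # return the capture start time for Export-LdapQueryLog
}

function Export-LdapQueryLog {
    param([datetime]$Since, [string]$OutFile = 'C:\ldap-queries.csv')   # assumed output path
    # Assumption: the logged searches are event 1644 in the Directory Service log.
    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since; EndTime = $Since.AddHours(24) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed message layout: one "Client: ..." line and one "Filter: ..." line.
        $client = if ($_.Message -match 'Client:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $query  = if ($_.Message -match 'Filter:\s*(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Client = $client; Filter = $query; Message = $_.Message }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Disable-LdapQueryLogging {
    # Put the diagnostics level back; remove the threshold if it did not exist before.
    Set-ItemProperty -Path $Diag -Name '15 Field Engineering' -Value ([int]($script:OrigLevel)) -Type DWord
    if ($null -eq $script:OrigThreshold) {
        Remove-ItemProperty -Path $Params -Name 'Expensive Search Results Threshold' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Params -Name 'Expensive Search Results Threshold' -Value $script:OrigThreshold -Type DWord
    }
}

# Typical use: $start = Enable-LdapQueryLogging; wait 24h (or schedule the next two calls);
# Export-LdapQueryLog -Since $start; Disable-LdapQueryLogging
```

Because level 5 logging can grow the Directory Service log quickly, check its maximum size before the capture so the earliest queries are not overwritten within the 24 hours.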