Red Hat Training

A Red Hat training course is available for Red Hat Directory Server

Chapter 7. Log File Reference

Red Hat Directory Server (Directory Server) provides logs to help monitor directory activity. Monitoring helps quickly detecting and remedying failures and, where done proactively, anticipating and resolving potential problems before they result in failure or poor performance. Part of monitoring the directory effectively is understanding the structure and content of the log files.
This chapter does not provide an exhaustive list of log messages. However, the information presented in this chapter serves as a good starting point for common problems and for better understanding the information in the access, error, and audit logs.
Logs are kept per Directory Server instances and are located in the /var/log/dirsrv/slapd-instance directory.

7.1. Access Log Reference

The Directory Server access log contains detailed information about client connections to the directory. A connection is a sequence of requests from the same client with the following structure:
  • Connection record, which gives the connection index and the IP address of the client.
  • Bind record.
  • Bind result record.
  • Sequence of operation request/operation result pairs of records (or individual records in the case of connection, closed, and abandon records).
  • Unbind record.
  • Closed record.
Every line begins with a timestamp — [21/Apr/2020:11:39:51 -0700] — the format of which may vary depending on the platform. -0700 indicates the time difference in relation to GMT. Apart from the connection, closed, and abandon records, which appear individually, all records appear in pairs, consisting of a request for service record followed by a result record. These two records frequently appear on adjacent lines, but this is not always the case.


Directory Server provides a script,, which can analyze access logs to extract usage statistics and count the occurrences of significant events. For details about this script, see Section 10.4.10, “ (Log Converter)”.

7.1.1. Access Logging Levels

Different levels of access logging generate different amounts of detail and record different kinds of operations. The log level is set in the instance's nsslapd-accesslog-level (Access Log Level) configuration attribute. The default level of logging is level 256, which logs access to an entry, but there are five different log levels available:
  • 0 = No access logging.
  • 4 = Logging for internal access operations.
  • 256 = Logging for access to an entry.
  • 512 = Logging for access to an entry and referrals.
This levels are additive, so to enable several different kinds of logging, add the values of those levels together. For example, to log internal access operations, entry access, and referrals, set the value of nsslapd-accesslog-level to 516 (512+4).

7.1.2. Default Access Logging Content

This section describes the access log content in detail based on the default access logging level extract shown below.

Example 7.1. Example Access Log

[21/Apr/2020:11:39:51 -0700] conn=11 fd=608 slot=608 connection from to
[21/Apr/2020:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2020:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2020:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mobile=+1 123 456-7890)"
[21/Apr/2020:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2020:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2020:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2020:11:39:52 -0700] conn=12 fd=634 slot=634 connection from to
[21/Apr/2020:11:39:52 -0700] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2020:11:39:52 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2020:11:39:52 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2020:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
[21/Apr/2020:11:39:52 -0700] conn=12 op=3 UNBIND
[21/Apr/2020:11:39:52 -0700] conn=12 op=3 fd=634 closed - U1
[21/Apr/2020:11:39:53 -0700] conn=13 fd=659 slot=659 connection from to
[21/Apr/2020:11:39:53 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2020:11:39:53 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2020:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3"
[21/Apr/2020:11:39:53 -0700] conn=13 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[21/Apr/2020:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2020,dc=example,dc=com"
[21/Apr/2020:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
[21/Apr/2020:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"
[21/Apr/2020:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[21/Apr/2020:11:39:53 -0700] conn=13 op=4 UNBIND
[21/Apr/2020:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1
[21/Apr/2020:11:39:55 -0700] conn=14 fd=700 slot=700 connection from to
[21/Apr/2020:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2020:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2020:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2020:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[21/Apr/2020:11:39:55 -0700] conn=14 op=2 UNBIND
[21/Apr/2020:11:39:53 -0700] conn=14 op=2 fd=700 closed - U1
Connection Number

Every external LDAP request is listed with an incremental connection number, in this case conn=11, starting at conn=0 immediately after server startup.

[21/Apr/2020:11:39:51 -0700] conn=11 fd=608 slot=608 connection from to
Internal LDAP requests are not recorded in the access log by default. To activate the logging of internal access operations, specify access logging level 4 on the nsslapd-accesslog-level (Access Log Level) configuration attribute.
File Descriptor

Every connection from an external LDAP client to Directory Server requires a file descriptor or socket descriptor from the operating system, in this case fd=608. fd=608 indicates that it was file descriptor number 608 out of the total pool of available file descriptors which was used.

[21/Apr/2020:11:39:51 -0700] conn=11 fd=608 slot=608 connection from to
Slot Number

The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as file descriptor. Ignore this part of the access log.

[21/Apr/2020:11:39:51 -0700] conn=11 fd=608 slot=608 connection from to
Operation Number

To process a given LDAP request, Directory Server will perform the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed.

[21/Apr/2020:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
In Section 7.1.2, “Default Access Logging Content”, we have op=0 for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. The entry op=-1 in the access log generally means that the LDAP request for this connection was not issued by an external LDAP client but, instead, initiated internally.
Method Type

The method number, in this case method=128, indicates which LDAPv3 bind method was used by the client.

[21/Apr/2020:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
There are three possible bind method values:
  • 0 for authentication
  • 128 for simple bind with user password
  • sasl for SASL bind using external authentication mechanism
Version Number

The version number, in this case version=3, indicates the LDAP version number (either LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.

[21/Apr/2020:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
Error Number

The error number, in this case err=0, provides the LDAP result code returned from the LDAP operation performed. The LDAP error number 0 means that the operation was successful. For a more comprehensive list of LDAP result codes, see Section 7.4, “LDAP Result Codes”.

[21/Apr/2020:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
Tag Number

The tag number, in this case tag=97, indicates the type of result returned, which is almost always a reflection of the type of operation performed. The tags used are the BER tags from the LDAP protocol.

[21/Apr/2020:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0

Table 7.1. Commonly-Used Tags

Tag Description
tag=97 Result from a client bind operation.
tag=100 The actual entry being searched for.
tag=101 Result from a search operation.
tag=103 Result from a modify operation.
tag=105 Result from an add operation.
tag=107 Result from a delete operation.
tag=109 Result from a moddn operation.
tag=111 Result from a compare operation.
tag=115 Search reference when the entry on which the search was performed holds a referral to the required entry. Search references are expressed in terms of a referral.
tag=120 Result from an extended operation.
tag=121 Result from an intermediate operation.


tag=100 and tag=115 are not result tags as such, and so it is unlikely that they will be recorded in the access log.
Number of Entries

nentries shows the number of entries, in this case nentries=0, that were found matching the LDAP client's request.

[21/Apr/2020:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
Elapsed Time

etime shows the elapsed time, in this case etime=3, or the amount of time (in seconds) that it took the Directory Server to perform the LDAP operation.

[21/Apr/2020:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
An etime value of 0 means that the operation actually took 0 nanoseconds to perform.
LDAP Request Type

The LDAP request type indicates the type of LDAP request being issued by the LDAP client. Possible values are:

  • SRCH for search
  • MOD for modify
  • DEL for delete
  • ADD for add
  • MODDN for moddn
  • EXT for extended operation
  • ABANDON for abandon operation
If the LDAP request resulted in sorting of entries, then the message SORT serialno will be recorded in the log, followed by the number of candidate entries that were sorted. For example:
[04/May/2020:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
The number enclosed in parentheses specifies the number of candidate entries that were sorted, which in this case is 1.
LDAP Response Type

The LDAP response type indicates the LDAP response being issued by the LDAP client. There are three possible values:

  • REFERRAL, an LDAP referral or search reference
Search Indicators

Directory Server provides additional information on searches in the notes field of log entries. For example:

[21/Apr/2016:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
The following search indicators exist:
Paged Search Indicator: notes=P
LDAP clients with limited resources can control the rate at which an LDAP server returns the results of a search operation. When the search performed used the LDAP control extension for simple paging of search results, Directory Server logs the notes=P paged search indicator. This indicator is informational and no further actions are required.
For more details, see RFC 2696.
Unindexed Search Indicators: notes=A and notes=U
When attributes are not indexed, Directory Server must search them in the database directly. This procedure is more resource-intensive than searching the index file.
The following unindexed search indicators can be logged:
  • notes=A
    All candidate attributes in the filter were unindexed and a full table scan was required. This can exceed the value set in the nsslapd-lookthroughlimit parameter.
  • notes=U
    This state is set in the following situations:
Unindexed searches occur in the following scenarios:
  • The nsslapd-idlistscanlimit parameter's value was reached within the index file used for the search.
  • No index file existed.
  • The index file was not configured in the way required by the search.
To optimize future searches, add frequently searched unindexed attributes to the index. For details, see the corresponding section in the Directory Server Administration Guide.


An unindexed search indicator is often accompanied by a large etime value, as unindexed searches are generally more time consuming.
Beside a single value, the notes field can have the following value combinations: notes=P,A and notes=U,P.
VLV-Related Entries

When a search involves virtual list views (VLVs), appropriate entries are logged in the access log file. Similar to the other entries, VLV-specific entries show the request and response information side by side:

VLV RequestInformation ResponseInformation
RequestInformation has the following form:
If the client uses a position-by-value VLV request, the format for the first part, the request information would be beforeCount: afterCount: value.
ResponseInformation has the following form:
targetPosition:contentCount (resultCode)
The example below highlights the VLV-specific entries:
[07/May/2020:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2020:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2020:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2020:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
In the above example, the first part, 0:5:0210, is the VLV request information:
  • The beforeCount is 0.
  • The afterCount is 5.
  • The value is 0210.
The second part, 10:5397 (0), is the VLV response information:
  • The targetPosition is 10.
  • The contentCount is 5397.
  • The (resultCode) is (0).
Search Scope

The entry scope=n defines the scope of the search performed, and n can have a value of 0, 1, or 2.

  • 0 for base search
  • 1 for one-level search
  • 2 for subtree search
Extended Operation OID

An extended operation OID, such as EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5" in Example 7.1, “Example Access Log”, provides the OID of the extended operation being performed. Table 7.2, “LDAPv3 Extended Operations Supported by Directory Server” provides a partial list of LDAPv3 extended operations and their OIDs supported in Directory Server.

Table 7.2. LDAPv3 Extended Operations Supported by Directory Server

Extended Operation Name Description OID
Directory Server Start Replication Request Sent by a replication initiator to indicate that a replication session is requested. 2.16.840.1.113730.3.5.3
Directory Server Replication Response Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation. 2.16.840.1.113730.3.5.4
Directory Server End Replication Request Sent to indicate that a replication session is to be terminated. 2.16.840.1.113730.3.5.5
Directory Server Replication Entry Request Carries an entry, along with its state information (csn and UniqueIdentifier) and is used to perform a replica initialization. 2.16.840.1.113730.3.5.6
Directory Server Bulk Import Start Sent by the client to request a bulk import together with the suffix being imported to and sent by the server to indicate that the bulk import may begin. 2.16.840.1.113730.3.5.7
Directory Server Bulk Import Finished Sent by the client to signal the end of a bulk import and sent by the server to acknowledge it. 2.16.840.1.113730.3.5.8
Change Sequence Number

The change sequence number, in this case csn=3b4c8cfb000000030000, is the replication change sequence number, indicating that replication is enabled on this particular naming context.

Abandon Message

The abandon message indicates that an operation has been aborted.

[21/Apr/2020:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 value indicates how much time (in seconds) had elapsed, and targetop=1 corresponds to an operation value from a previously initiated operation (that appears earlier in the access log).
There are two possible log ABANDON messages, depending on whether the message ID succeeds in locating which operation was to be aborted. If the message ID succeeds in locating the operation (the targetop) then the log will read as above. However, if the message ID does not succeed in locating the operation or if the operation had already finished prior to the ABANDON request being sent, then the log will read as follows:
[21/Apr/2020:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
targetop=NOTFOUND indicates the operation to be aborted was either an unknown operation or already complete.
Message ID

The message ID, in this case msgid=2, is the LDAP operation identifier, as generated by the LDAP SDK client. The message ID may have a different value than the operation number but identifies the same operation. The message ID is used with an ABANDON operation and tells the user which client operation is being abandoned.

[21/Apr/2020:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2


The Directory Server operation number starts counting at 0, and, in the majority of LDAP SDK/client implementations, the message ID number starts counting at 1, which explains why the message ID is frequently equal to the Directory Server operation number plus 1.
SASL Multi-Stage Bind Logging

In Directory Server, logging for multi-stage binds is explicit. Each stage in the bind process is logged. The error codes for these SASL connections are really return codes. In Example 7.1, “Example Access Log”, the SASL bind is currently in progress so it has a return code of err=14, meaning the connection is still open, and there is a corresponding progress statement, SASL bind in progress.

[21/Apr/2020:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2020:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
In logging a SASL bind, the sasl method is followed by the LDAP Version Number and the SASL mechanism used, as shown below with the GSS-API mechanism.
[21/Apr/2020:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI


The authenticated DN (the DN used for access control decisions) is now logged in the BIND result line as opposed to the bind request line, as was previously the case:
[21/Apr/2020:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
For SASL binds, the DN value displayed in the bind request line is not used by the server and, as a consequence, is not relevant. However, given that the authenticated DN is the DN which, for SASL binds, must be used for audit purposes, it is essential that this be clearly logged. Having this authenticated DN logged in the bind result line avoids any confusion as to which DN is which.

7.1.3. Access Log Content for Additional Access Logging Levels

This section presents the additional access logging levels available in the Directory Server access log.
In Example 7.2, “Access Log Extract with Internal Access Operations Level (Level 4)”, access logging level 4, which logs internal operations, is enabled.

Example 7.2. Access Log Extract with Internal Access Operations Level (Level 4)

[12/Jul/2020:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"scope=0 filter="objectclass=nsMappingTree"attrs="nsslapd-referral" options=persistent
[12/Jul/2020:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1etime=0
[12/Jul/2020:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-state"
[12/Jul/2020:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1etime=0
Access log level 4 enables logging for internal operations, which log search base, scope, filter, and requested search attributes, in addition to the details of the search being performed.
In the following example, access logging level 768 is enabled (512 + 256), which logs access to entries and referrals. In this extract, six entries and one referral are returned in response to the search request, which is shown on the first line.
[12/Jul/2020:16:43:02 +0200] conn=306 fd=60 slot=60 connection from to
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Special
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=Accounting Managers,ou=groups,dc=example,dc=com"
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=HR Managers,ou=groups,dc=example,dc=com"
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=QA Managers,ou=groups,dc=example,dc=com"
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=PD Managers,ou=groups,dc=example,dc=com"
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Red Hat Servers,dc=example,dc=com"
[12/Jul/2020:16:43:02 +0200] conn=306 op=0 REFERRAL
Connection Description

The connection description, in this case conn=Internal, indicates that the connection is an internal connection. The operation number op=-1 also indicates that the operation was initiated internally.

[12/Jul/2020:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"
Options Description

The options description (options=persistent) indicates that a persistent search is being performed, as distinguished from a regular search operation. Persistent searches can be used as a form of monitoring and configured to return changes to given configurations as changes occur.

Both log levels 512 and 4 are enabled for this example, so both internal access operations and entry access and referrals being logged.
[12/Jul/2020:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"scope=0 filter="objectclass=nsMappingTree"attrs="nsslapd-referral" options=persistent

7.1.4. Common Connection Codes

A connection code is a code that is added to the closed log message to provide additional information related to the connection closure.

Table 7.3. Common Connection Codes

Connection Code Description
A1 Client aborts the connection.
B1 Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.
B2 BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute, see Section, “nsslapd-maxbersize (Maximum Message Size)”.
B3 Corrupt BER tag encountered.
B4 Server failed to flush data response back to client.
P2 Closed or corrupt connection has been detected.
T1 Client does not receive a result within the specified idletimeout period. For further information about this configuration attribute, see Section, “nsslapd-idletimeout (Default Idle Timeout)”.
T2 Server closed connection after ioblocktimeout period was exceeded. For further information about this configuration attribute, see Section, “nsslapd-ioblocktimeout (IO Block Time Out)”.
U1 Connection closed by server after client sends an unbind request. The server will always close the connection when it sees an unbind request.

7.1.5. Getting Access Log Statistics

The script parses the access log and returns summary information on different users and operations that have been run on the server.
At its simplest, the script simply parses the access log (or logs): /relative/path/to/accessLog
The script can accept wildcards to parse multiple access logs, which is useful if log rotation is used. /var/log/dirsrv/slapd-instance/access*
The different options for are covered in the manpage and in Section 10.4.10, “ (Log Converter)”.
There are several different ways that can be used to pull general usage information from the access logs.
At its simplest, prints a list of total operations, total number of connections, counts per each operation type, counts for some extended operations like persistent searches, and bind information.
# access

Access Log Analyzer 6.0

Command : access

Processing 1 Access Log(s)...

Filename                        Total Lines     Lines processed
access                               7                   7

----------- Access Log Output ------------

Restarts:                     0

Total Connections:            0
Peak Concurrent Connections:  1
Total Operations:             2
Total Results:                2
Overall Performance:          100.0%

Searches:                     1
Modifications:                0
Adds:                         0
Compares                      0
Deletes:                      0
Mod RDNs:                     0
Mod DNs:                      0

Persistent Searches:          0
Internal Operations:          0
Entry Operations:             0
Extended Operations:          0
Abandoned Requests:           0
Smart Referrals Received:     0

VLV Operations:               0
VLV Unindexed Searches:       0
SORT Operations:              0
SSL Connections:              0

Entire Search Base Queries:   1
Unindexed Searches:           0

FDs Taken:                    1
FDs Returned:                 1
Highest FD Taken:             64

Broken Pipes:                 0
Connections Reset By Peer:    0
Resource Unavailable:         0

Binds:                        1
Unbinds:                      1

 LDAP v2 Binds:               0
 LDAP v3 Binds:               1
 SSL Client Binds:            0
 Failed SSL Client Binds:     0
 SASL Binds:                  0

 Directory Manager Binds:     1
 Anonymous Binds:             0
 Proxy Auth Binds:            0
 Other Binds:                 0
In addition to the summary information for operations and connections, more detailed summary information for all of the connections to the server. This information includes things like most common IP addresses used to connect to the server, DNs with the most failed login attempts, total bind DNs used to access the server, and the most common error or return codes.
Additional connection summaries are passed as a single option. For example, listing the number of DNs used to connect to the server (b) and the total connection codes returned by the server (c) are passed as -bc.
# -bc access

... 8< ...

----- Total Connection Codes -----

U1              3    Cleanly Closed Connections
B1              1    Bad Ber Tag Encountered

----- Top 20 Bind DN's -----

Number of Unique Bind DN's: 212

1801            cn=Directory Manager
1297            Anonymous Binds
311             uid=jsmith,ou=people...
87              uid=bjensen,ou=peopl...
85              uid=mreynolds,ou=peo...
69              uid=jrockford,ou=peo...
55              uid=sspencer,ou=peop...
... 8< ...
The data can be limited to entries after a certain start time (-S), before a certain end time (-E), or within a range. When start and end times are set, the first prints the time range given, then the summary for that period.
# -S "[01/Jul/2012:16:11:47.000000000 -0400]" -E "[01/Jul/2012:17:23:08.999999999 -0400]" access

Access Log Analyzer 6.0

Command : -S [01/Jul/2012:16:11:47.000000000 -0400] -E [01/Jul/2012:17:23:08.999999999 -0400] access

Processing 1 Access Log(s)...

Filename                        Total Lines     Lines processed
access                              25                  20

----------- Access Log Output ------------

Start of Log:  01/Jul/2012:16:11:47

End of Log:    01/Jul/2012:17:23:08

... 8< ...
The start and end period onlys sets time limits for the data used to generate the total summary counts. It still shows aggregated, or total, counts. To get a view of the patterns in connections and operations to the Directory Server, it is possible to output data with counts per minute (-M) or per second (-m). In this case, the data are printed, in time unit increments, to a specified CSV output file.
# -m|-M outputFile accessLogFile
For example:
# -M /home/output/statsPerMin.txt /var/log/dirsrv/slapd-instance/access*
The -M|-m options can also be used with the -S and -E arguments, to get per-minute or per-second counts within a specific time period.
Each row in the file represents one unit of time, either minute or second, with total counts for that time period. The CSV file (for both per-minute and per-second statistics) contains the following columns, in order:
Time,time_t,Results,Search,Add,Mod,Modrdn,Delete,Abandon,Connections,SSL Conns,Bind,Anon Bind,Unbind,Unindexed
The CSV file can be manipulated in any spreadsheet program, like OpenOffice Calc, and in many other business applications. The procedures for importing the CSV data and generating charts or other metrics depends on the application itself.
For example, to create a chart in OpenOffice Calc:
  1. Open the CSV file.
  2. Click the Insert menu, and select Chart.
  3. In the Chart Type area, set the chart type to XY (Scatter).
    1. Set the subtype to lines only.
    2. Select the option to sort by X values.
  4. Accept the defaults in the other screens (particularly, to use the data series in columns and to set the first row and first column as labels), and create the chart.