Integrate logs with a SIEM for event correlation and monitoring.

389-IRM-002 - severity: high

Field          Value
Control ID     389-IRM-002
Severity       high
Type           preventive
Owner          IT Operations
Status         authored
NIST 800-53    AU-6, SI-4
DISA SRG       SRG-APP-000358, SRG-APP-000360

Rationale

A SIEM correlates directory events with signals from across the environment - network flows, host logs, application events - enabling detection of multi-stage attacks that no single log stream can reveal. An attacker who first exploits a network service, then pivots to the directory to harvest credentials or escalate privilege, leaves evidence scattered across multiple sources; only centralised correlation can connect those dots in time to intervene. Local log files on the directory server host are also vulnerable to tampering or deliberate deletion if that host is compromised, making an independent, append-only receiver critical for maintaining evidence integrity during an investigation. NIST SP 800-53 AU-6 requires review, analysis, and reporting of audit records, which at meaningful scale requires a centralised log management capability; SI-4 requires monitoring for attacks and indicators of compromise, which is operationally impossible without event correlation across sources.

Check

Confirm an rsyslog (or equivalent) rule is shipping directory server logs to the SIEM.

grep -r dirsrv /etc/rsyslog.d/ 2>/dev/null

Remediation

Forward the directory server logs to the SIEM and confirm events arrive.

# OS-level: forward /var/log/dirsrv/slapd-<instance>/ logs to the SIEM (rsyslog/agent),
# then verify events arrive in the SIEM. Example rsyslog forwarding lives in 389-LM-003.
systemctl restart rsyslog

References

Implementation Notes

This is an OS/SIEM integration control; there are no dsconf attributes to set. The check command looks for an rsyslog drop-in rule that references the dirsrv log path; if a vendor agent (Splunk UF, Elastic Agent, etc.) is used instead, inspect that agent's configuration.

Protect the log transport with TLS syslog (omfwd with StreamDriver=gtls in rsyslog, or agent-native TLS) to prevent interception or spoofing in transit. Before declaring this control satisfied, validate that the SIEM correctly parses 389DS access log and audit log formats - both use non-standard line structures that may require a custom parser or index-time extraction rules. Anomalous-bind detection rules built on top of these forwarded events are covered in 389-IRM-003.
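An added audit helper, not part of this control page or the 389DS project, that combines the Check above with the TLS-transport requirement from these notes: it searches an rsyslog drop-in directory for a rule referencing the dirsrv log path and reports whether that rule forwards with omfwd over TLS. The instance name, SIEM hostname and ports in the constructed sample drop-ins are placeholders, and the samples omit the gtls CA/certificate global settings a real deployment needs.

```shell
# Added audit helper (not from the control page): scan an rsyslog drop-in
# directory for a rule that references the dirsrv log path and report whether
# that rule forwards with omfwd over TLS (StreamDriver="gtls", StreamDriverMode="1").
set -u

# audit_dirsrv_forwarding DIR
# Prints "missing" (no rule mentions dirsrv), "plaintext" (rule found, no TLS
# forwarding) or "tls"; exit status is 0 only for "tls".
audit_dirsrv_forwarding() {
    dir="$1"
    files=$(grep -rl dirsrv "$dir" 2>/dev/null || true)
    if [ -z "$files" ]; then
        echo missing
        return 1
    fi
    for f in $files; do
        # One rule file must carry all three: omfwd, gtls, and mode 1 (TLS required).
        if grep -q 'type="omfwd"' "$f" \
            && grep -q 'StreamDriver="gtls"' "$f" \
            && grep -q 'StreamDriverMode="1"' "$f"; then
            echo tls
            return 0
        fi
    done
    echo plaintext
    return 1
}

# make_sample_confs: writes two constructed drop-ins (instance name, SIEM host
# and ports are placeholders) under a temp dir and prints that dir.
make_sample_confs() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/plain" "$tmp/tls"
    cat > "$tmp/plain/50-dirsrv.conf" <<'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/dirsrv/slapd-example/access" Tag="dirsrv-access")
action(type="omfwd" Target="siem.example.internal" Port="514" Protocol="udp")
EOF
    cat > "$tmp/tls/50-dirsrv.conf" <<'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/dirsrv/slapd-example/access" Tag="dirsrv-access")
action(type="omfwd" Target="siem.example.internal" Port="6514" Protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name")
EOF
    echo "$tmp"
}

dir=$(make_sample_confs)
echo "plain: $(audit_dirsrv_forwarding "$dir/plain")"   # plaintext
echo "tls:   $(audit_dirsrv_forwarding "$dir/tls")"     # tls
```

Point it at /etc/rsyslog.d on a real host; a "plaintext" result means the rule exists but the transport does not yet meet the TLS requirement above.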