Hi there,

I need to gather login and logout events from eDirectory and have
started with the most obvious search expression:

(((pn:"NetIQ eDirectory") AND (evt:"Login")) OR ((pn:"NetIQ eDirectory")
AND (evt:"Logout")))

But the result is far from what I expected. Lots of duplicated login
events and almost no logout events.

I've played around with several search expressions and I ended up with
the following one:

((pn:"NetIQ eDirectory") AND (evt:"Login") AND
(xdastaxname:"XDAS_AE_CREATE_SESSION") NOT (sip:"") NOT
(sip:"") NOT (evtgrpid:"00000000")) OR ((pn:"NetIQ eDirectory")
AND (evt:"Delete Value") AND (attr:"Network Address"))

is the IP address of eDirectory server.

This is the best I could get so far.

Logins show up as Login events and logouts show up as Delete Value
(Message: A value has been removed from the attribute Network Address on
the object user.context)

I wonder what search expressions you guys are using for this kind of


gergull's Profile: https://forums.netiq.com/member.php?userid=208
View this thread: https://forums.netiq.com/showthread.php?t=55377