Security

Why is Splunk querying DNS for LDAP very frequently (20 times a minute) and how do we resolve this?

cliffton_merz
Explorer

In our Splunk instance, we have noticed as soon as we set up our new LDAP environment, we are seeing Splunk query DNS for the LDAP location about 20 times a minute.

This was the first way we have seen that the Splunk servers are hitting our LDAP servers at a high rate. Splunk is hitting Active Directory many times, more frequently than any other application that we have LDAP enabled for authentication. We would like to lessen the strain on the LDAP servers as this seems to be an abnormal amount of queries to Active Directory.

Has anyone else noticed this and come up with a way to resolve this issue?

0 Karma
1 Solution

cliffton_merz
Explorer

Just wanted to reply to this with what the issue was.

Turned out that an employee who was no longer with the company had some real-time searches running. This was causing authentication errors with LDAP every time they tried to run.


masonmorales
Influencer

Is this using just LDAP authentication or do you have the "Splunk Supporting Add-on for Active Directory" installed? (If the latter, where is it installed and what version?)

0 Karma

cliffton_merz
Explorer

This was seen when configuring LDAP for Authentication.

But we do have the Splunk Supporting Add-on for Active Directory SA-ldapsearch 2.0.1 on the search heads.

We are currently on:

Splunk Version: 6.2.2
Splunk Build: 255606

0 Karma

masonmorales
Influencer

TBH I would recommend a support case. They are probably going to recommend you upgrade to 6.3.3 first though.

0 Karma