
Lastlog.sh Generating Numerous AD Audit Failure Logs

jodros
Builder

I recently installed the *nix app along with the Splunk_TA_nix on all search peers. Recently I noticed an increase in AD logs. I researched it and it appears that the increase started soon after I loaded the *nix app and Splunk_TA_nix. Further investigation points to the lastlog.sh script being the culprit.

The lastlog.sh script runs every 5 minutes and normally completes within 800 milliseconds. On occasion, it takes upwards of 30 seconds! Correlating the time when this happens shows that particular Splunk server generating thousands of wineventlog:security eventcode=4662 showing audit failure with operation properties "Default Property Set unixUserPassword". The objects appear to be EVERY OBJECT in AD starting in alphabetical order. This is just slightly alarming. Disabling the lastlog.sh script on a server as a test stopped the AD log events for that specific server.

A bit of background on our environment: we are running Centrify to integrate our RHEL 5.9 x64 servers with AD. We are seeing this from both physical and virtual servers with the lastlog.sh script running.

Anyone know why this might be happening? Why would the lastlog.sh script run fine several times, then take 30+ seconds and try to comb the entire AD tree? I don't know enough about the script and would like to tweak it to keep it enabled, but I would rather disable that input if it is going to generate these logs against AD.

Any assistance would be appreciated.


jodros
Builder

After doing a bit more research, this has something to do with the "lastlog" command and the Centrifydc client. It appears that when the lastlog command is run, either by the Splunk_TA_nix lastlog.sh script, or manually, Centrifydc will sweep the AD tree if the cache is stale.

Since we still want the lastlog events, we just tuned the interval back so as to not generate as many AD logs.

If anyone else has any suggestions or experience with Centrifydc and the lastlog command, let me know.

Thanks

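A way to confirm the correlation described in this thread before touching the input interval, as an added example that is not part of the Splunk_TA_nix app or of the original posts: it parses a constructed sample of EventCode 4662 audit-failure lines (simplified key=value rendering, not a real export), attributes each one to the lastlog.sh run on the same host whose execution window contains it, and flags runs that were both slow and followed by a burst of failures against the unixUserPassword property set. The run-timing list is hypothetical; in practice it would be taken from splunkd.log or from a wrapper around the script.

```python
"""Correlate bursts of Windows Security EventCode 4662 audit failures
(property "unixUserPassword") with individual lastlog.sh scripted-input runs.

Added example, not part of Splunk_TA_nix or the thread. All log lines and
run timings are constructed; the event layout is a simplified key=value
rendering and the run-timing list is hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4662 events as a domain controller might forward them.
SAMPLE_4662 = """\
2024-03-05T10:05:03Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=aardvark,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:05:04Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=abbott,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:05:05Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=acme-svc,OU=Service,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:05:06Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=adams,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:05:07Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=admin,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:05:08Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=alice,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:05:10Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST02$ ObjectName="CN=zebra,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
2024-03-05T10:20:31Z EventCode=4662 Keywords="Audit Failure" SubjectUserName=SPLUNKHOST01$ ObjectName="CN=bob,OU=Users,DC=corp,DC=example" Properties="Default Property Set unixUserPassword"
"""

# Constructed (hypothetical) lastlog.sh run timings: (host, start, seconds).
LASTLOG_RUNS = [
    ("splunkhost01", "2024-03-05T10:00:00Z", 0.8),
    ("splunkhost01", "2024-03-05T10:05:00Z", 31.4),  # the slow run
    ("splunkhost02", "2024-03-05T10:05:00Z", 0.7),
    ("splunkhost01", "2024-03-05T10:10:00Z", 0.9),
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _field(line, key):
    """Return the value of key=... (quoted or bare) from a key=value line."""
    m = re.search(rf'\b{re.escape(key)}=(?:"([^"]*)"|(\S+))', line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_4662(text):
    """Parse 4662 audit-failure lines into dicts with ts, host, obj, props.

    The host comes from the machine account (SubjectUserName ending in '$'),
    lowercased so it matches the *nix hostnames used in LASTLOG_RUNS.
    """
    events = []
    for line in text.splitlines():
        if not line.strip() or _field(line, "EventCode") != "4662":
            continue
        if _field(line, "Keywords") != "Audit Failure":
            continue
        subj = _field(line, "SubjectUserName") or ""
        events.append({
            "ts": datetime.strptime(line.split(" ", 1)[0], TS_FMT),
            "host": subj.rstrip("$").lower(),
            "obj": _field(line, "ObjectName"),
            "props": _field(line, "Properties"),
        })
    return events


def attribute_to_runs(events, runs, slack=60.0):
    """Map each event to the latest run on the same host whose window
    [start, start + duration + slack] contains it.
    Returns ({(host, start_iso): count}, [unmatched events])."""
    counts = defaultdict(int)
    unmatched = []
    for ev in events:
        best = None  # (host, start_iso, start_dt) of the latest matching run
        for host, start_iso, secs in runs:
            if host != ev["host"]:
                continue
            lo = datetime.strptime(start_iso, TS_FMT)
            hi = lo + timedelta(seconds=secs + slack)
            if lo <= ev["ts"] <= hi and (best is None or lo > best[2]):
                best = (host, start_iso, lo)
        if best is None:
            unmatched.append(ev)
        else:
            counts[best[:2]] += 1
    return dict(counts), unmatched


def flag_sweeps(events, runs, min_events=5, min_seconds=10.0, slack=60.0):
    """Runs that were slow AND followed by a burst of audit failures against
    unixUserPassword: the signature of a stale-cache directory sweep."""
    relevant = [e for e in events
                if e["props"] and "unixUserPassword" in e["props"]]
    counts, _ = attribute_to_runs(relevant, runs, slack)
    flagged = []
    for host, start_iso, secs in runs:
        n = counts.get((host, start_iso), 0)
        if secs >= min_seconds and n >= min_events:
            flagged.append({"host": host, "run_start": start_iso,
                            "seconds": secs, "count": n})
    return flagged


if __name__ == "__main__":
    evs = parse_4662(SAMPLE_4662)
    for f in flag_sweeps(evs, LASTLOG_RUNS):
        print(f"{f['host']} run at {f['run_start']} took {f['seconds']}s and "
              f"produced {f['count']} unixUserPassword audit failures")
```

Run stand-alone it reports the single slow run on splunkhost01 with its six failures; the event at 10:20 on the same host falls outside every run window and is returned as unmatched, which is the case worth looking at separately because it would point at something other than the script. The thresholds (`min_events`, `min_seconds`, `slack`) are assumptions to tune against a site's own baseline of the ~800 ms runs mentioned in the question.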
