In our Splunk instance, we have noticed as soon as we set up our new LDAP environment, we are seeing Splunk query DNS for the LDAP location about 20 times a minute.
This was the first way we have seen that the Splunk servers hitting our LDAP servers at a high rate. Splunk is hitting Active Directory many times, more frequently than any other application that we have LDAP enabled for authentication. We would like to lessen the strain on the LDAP servers as this seems to be an abnormal amount of queries to Active Directory.
Has anyone else noticed this and may have came up with a way to resolve this issue?
Just wanted to reply to this with what the issue was.
Turned out to be an employee that was no longer with the company had some real time searches running. This was causing authentication errors with LDAP every time it tried to run.
Just wanted to reply to this with what the issue was.
Turned out to be an employee that was no longer with the company had some real time searches running. This was causing authentication errors with LDAP every time it tried to run.
Is this using just LDAP authentication or do you have the "Splunk Supporting Add-on for Active Directory" installed? (If the latter, where is it installed and what version?)
This was seen when configuring LDAP for Authentication.
But we do have the Splunk Supporting Add-on for Active Directory SA-ldapsearch 2.0.1
on the search heads.
We are currently on:
Splunk Version
6.2.2
Splunk Build
255606
TBH I would recommend a support case. They are probably going to recommend you upgrade to 6.3.3 first though.