topic Re: splunkd.log error message in Security

splunkd.log error message

fuster_j — Fri, 01 Jun 2012 21:36:04 GMT

Hi,

I have this error message repeats twice every 5 seconds in splunkd.log: "ERROR AuthenticationManagerLDAP - Could not find user: abc" Where can I track down this misconfiguration?

thanks!

Re: splunkd.log error message

dshpritz — Sat, 02 Jun 2012 19:58:55 GMT

When I have seen this in the past it is because there are entries in the metadata files which are referring to the user. If you search the local.meta files for the username, you should be able to find it. So on a Linux host:

find /opt/splunk/ -name local.meta -exec grep abc {} \; -print

HTH,

Dave

Re: splunkd.log error message

fuster_j — Sun, 03 Jun 2012 00:30:57 GMT

Very Cool! Thank you! I used:

find /opt/splunk -name local.meta -exec grep "abc" {} \; -print
It found the bad user ID.

Re: splunkd.log error message

tmarlette — Tue, 26 Jan 2016 18:39:45 GMT

ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="MyLDAPStrategy"
ERROR UserManagerPro - Failed to get LDAP user="nobody" from any configured servers

on RHEL I used this process successfully to remove the above errors that were spamming my splunkd.log:

disabled 'learned' app (adds KO's with user='nobody' as owner)
stop splunk service
look for zombie'd users:

find /opt/splunk -name local.meta -exec grep -H 'nobody' {} \;^C
replace zombie'd users with 'admin'

find /opt/splunk -name local.meta -exec sed -i 's/owner = nobody/owner = admin/g' {} \;
start splunk service

Re: splunkd.log error message

neelamsantosh — Tue, 03 May 2016 08:12:48 GMT

Thanks tmarlette ·

Re: splunkd.log error message

wrangler2x — Wed, 16 Aug 2017 17:11:08 GMT

Cool idea on converting nobody to admin!

If you just want a list of what apps have a nobody in local.meta, try this:

find /opt/splunk/ -name local.meta -exec grep nobody {} \; -print | grep / | sed 's/.*\/apps\///; s/\/metadata\/local.meta//'

Re: splunkd.log error message

andrewlorien — Fri, 29 Jun 2018 01:46:30 GMT

Thanks for the find+sed, very helpful.
But the error for me is

Could not find user "system"

, and there is an owner = splunk-system-user but no owner = system

Re: splunkd.log error message

wrangler2x — Fri, 29 Jun 2018 15:46:15 GMT

Related -- this will find orphaned saved searches/alerts:

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

Re: splunkd.log error message

woodcock — Sun, 01 Jul 2018 04:03:01 GMT

Be sure to click Accept to close the question.

Re: splunkd.log error message

morethanyell — Tue, 20 Aug 2019 01:26:00 GMT

The solution to mine was to have all scheduled savedsearches to be owned by a service account / savedsearch runner account.