All Apps and Add-ons

Lastlog.sh Generating Numerous AD Audit Failure Logs

jodros
Builder

I recently installed the *nix app along with the Splunk_TA_nix on all search peers. Recently I noticed an increase in AD logs. I researched it and it appears that the increase started soon after I loaded the *nix app and Splunk_TA_nix. Further investigation points to the lastlog.sh script being the culprit.

The lastlog.sh script runs every 5 minutes and normally completes within 800 milliseconds. On occasion, it takes upwards of 30 seconds! Correlating the time when this happens shows that particular Splunk server generating thousands of wineventlog:security eventcode=4662 showing audit failure with operation properties "Default Property Set unixUserPassword". The objects appear to be EVERY OBJECT in AD starting in alphabetical order. This is just slightly alarming. Disabling the lastlog.sh script on a server as a test stopped the AD log events for that specific server.

A bit of background with our environment, we are running Centrify to integrate our RHEL 5.9 x64 bit servers with AD. We are seeing this from both physical and virtual servers with the lastlog.sh script running.

Anyone know why this might be happening? Why would the lastlog.sh script run fine several times, then take 30+ seconds and try to comb the entire AD tree? I don't know enough about the script and would like to tweak it to keep it enabled, but I would rather disable that input if it is going to generate these logs against AD.

Any assistance would be appreciated.

0 Karma
1 Solution

jodros
Builder

After doing a bit more research, this has something to do with the "lastlog" command and the Centrifydc client. It appears that when the lastlog command is run, either by the Splunk_TA_nix lastlog.sh script, or manually, Centrifydc will sweep the AD tree if the cache is stale.

Since we still want the lastlog events, we just tuned the interval back so as to not generate as many AD logs.

If anyone else has any suggestions or experience with Centrifydc and the lastlog command, let me know.

Thanks


0 Karma
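The interval tuning the accepted answer describes, written out as an added configuration example (not the poster's own files). It assumes the standard Splunk app layout, where a `local/inputs.conf` overrides the shipped `default/inputs.conf` stanza by stanza; the 3600-second value and the cron form are assumptions, not what the poster chose.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
# local/ overrides default/ one key at a time, so only the keys set here change;
# script path, sourcetype and index keep whatever default/inputs.conf ships.

# As shipped (copied here as a comment for comparison; check your own
# default/inputs.conf): lastlog.sh runs every 300 s. Each run calls `lastlog`,
# and with the Centrify DC client a stale cache turns that into a sweep of the
# AD tree, which the domain controller records as Event ID 4662 audit failures
# for "Default Property Set unixUserPassword" on every object.
#
# [script://./bin/lastlog.sh]
# interval = 300
# sourcetype = lastlog
# source = lastlog
# disabled = 0

# Tuned: keep the input enabled but poll far less often. 3600 s is an assumed
# value; choose one that still meets your login-history reporting needs.
[script://./bin/lastlog.sh]
interval = 3600
disabled = 0

# Alternative: Splunk also accepts a cron expression for a scripted input's
# interval, e.g. the top of every hour. Use one form or the other, not both.
# interval = 0 * * * *
```

Restart the forwarder or search peer after the change, then confirm the 4662 burst from that host's run window no longer appears at the old 5-minute cadence.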
