
SA-ldapsearch issue?

dhorn
Path Finder

I am working to set up a POC of Splunk with Active Directory, and so far have the UF installed on one DC. Data is coming in, lots of data in fact, and everything seems to be working except for some of the reports. I believe it's related to pulling information from LDAP that isn't working, and I'm unsure why.

For example, Security > Audit > User Audit

As soon as I open this report, I get two notification bars at the top. The first is:
[subsearch]: No matching fields exist

and the second is:
No matching fields exist

and no data will load in this report, except for Failed Logon Activity. No matter what user I search for, or even without typing in a user, this is the behavior that I am getting.

I have the same issue on the Computer Audit report, as well, and I'd assume all the audit related reports.

I've checked the SA-ldapsearch log, which has nothing in it. What other logs should I be looking in?

0 Karma

dhorn
Path Finder

Solved my issue.

My binddn value was incorrect. 🙂

0 Karma
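A pre-check for the bind settings that turned out to be wrong above, as an added example that is not from this thread or from SA-ldapsearch itself: it parses the DN with RFC 4514 "\," escaping, flags a binddn that is not a DN at all, and compares the DC components of binddn and basedn. It assumes the stanza carries binddn and basedn keys; the ldap.conf text is constructed.

```python
import configparser
import re
def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring RFC 4514 "\\," escapes
    (multi-valued RDNs joined with "+" are not handled; they are rare in AD)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"bad RDN {part!r}")
        rdns.append((attr.upper(), value.replace("\\,", ",")))
    return rdns

def check_bind_config(binddn, basedn):
    """Return the problems found with a binddn/basedn pair; [] means it looks sane."""
    if "=" not in binddn:  # a UPN or DOMAIN\user value, not a DN at all
        return ["binddn is not a DN (expected CN=...,DC=... form)"]
    try:
        bind_rdns, base_rdns = parse_dn(binddn), parse_dn(basedn)
    except ValueError as exc:
        return [f"malformed DN: {exc}"]
    problems = []
    if bind_rdns[0][0] != "CN":
        problems.append(f"binddn starts with {bind_rdns[0][0]}=, expected CN= for an AD account")
    bind_dc = [v.lower() for a, v in bind_rdns if a == "DC"]
    base_dc = [v.lower() for a, v in base_rdns if a == "DC"]
    if not bind_dc:
        problems.append("binddn has no DC components; AD DNs end in DC=...")
    elif bind_dc != base_dc:
        problems.append(f"binddn domain {'.'.join(bind_dc)} differs from basedn domain {'.'.join(base_dc)}")
    return problems

def audit_ldap_conf(text):
    """Run check_bind_config over every stanza of an ldap.conf-style file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: check_bind_config(cp[s].get("binddn", ""), cp[s].get("basedn", ""))
            for s in cp.sections()}

# Constructed sample config: the second stanza carries a binddn that is not a DN.
SAMPLE_LDAP_CONF = """\
[corp.example.com]
basedn = DC=corp,DC=example,DC=com
binddn = CN=svc-splunk,OU=Service Accounts,DC=corp,DC=example,DC=com
[lab.example.com]
basedn = DC=lab,DC=example,DC=com
binddn = svc-splunk@lab.example.com
"""
```

Run audit_ldap_conf over the real local/ldap.conf before restarting Splunk; a non-empty list for a stanza points at the value to fix first.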

imarks004
Path Finder

Did you install and configure the standalone SA-LDAP app? If so, check your AD logs to see if the user you are using to bind with is even authenticating.

0 Karma

dhorn
Path Finder

I do not have access to view AD logs, so I won't be able to check on this for another hour or so.

Something odd has happened though; SA-ldapsearch.log is not in English, but instead in some sort of symbols. Chinese maybe?

Are there any other log files that I should be looking to for this?

0 Karma

imarks004
Path Finder

Sorry, I just shortened the name off the top of my head; I was talking about the SA-ldapsearch app. Do you see anything in your AD logs showing this app authenticating with the user you configured in the local/ldap.conf file?

0 Karma

dhorn
Path Finder

I'm not familiar with the SA-ldap app, actually, so I don't think I have it installed. I have SA-ldapsearch, though.

Can you provide me a link to it so I can install it?

Does my issue sound like it's authentication related?

0 Karma