LDAP load while auditbeat collects event.category iam

We have been dealing with the fact that twice a day we have a heavily loaded LDAP server that manages user accounts in the Unix world.

The situation occurs regularly every day around 8:30 in the morning and 8:30 in the evening, when the LDAP is overwhelmed with requests and the response time multiplies. The condition lasts around 20 minutes, then returns to normal.

This has a direct effect on the response times when logging into the servers, and in fact on everything that reaches for user data in general - so it is possible that it more or less affects the operation of applications.

By quickly checking a few servers at the "problem" time, it seems auditbeat is the cause, as the timestamps correlate with polling of "event.category: iam".

Is it possible to distribute auditbeat (user) queries randomly per server so the whole infrastructure won't DDoS the LDAP server?

i.e.:

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 12h -> "randomly 1x per day" or "randomly 1x per week"

Thank you

  • jindrich

I don't think that there is a quick option to adjust it that isn't a hack. Could you please double-check if this is auditbeat? For example, by rescheduling its execution. If you can confirm the problem, you can open an issue for Beats.
