We have been dealing with the fact that twice a day we have a heavily loaded LDAP server that manages user accounts in the Unix world.
The situation occurs regularly every day around 8:30 in the morning and 8:30 in the evening, when the LDAP is overwhelmed with requests and the response time multiplies. The condition lasts around 20 minutes, then returns to normal.
This has a direct effect on the response times when logging into the servers, and in fact on everything that reaches for user data in general - so it is possible that it more or less affects the operation of applications.
By quickly checking a few servers at the "problem" time, it seems auditbeat is the cause, as the timestamps correlate with polling of "event.category: iam".
Is it possible to distribute auditbeat (user) queries randomly per server so the whole infrastructure won't DDoS the LDAP server?
i.e.:
# How often datasets send state updates with the
# current state of the system (e.g. all currently
# running processes, all open sockets).
state.period: 12h -> "randomly 1x per day" or "randomly 1x per week"
thank you
- jindrich
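One way to stagger the state snapshots across a fleet, as an added example that is not part of the original post and not an auditbeat feature: derive a stable per-host offset from the hostname instead of a random sleep, so a mass reboot cannot re-align every server onto the same minute, and check how many hosts would still land in the same window. It assumes auditbeat runs as a systemd unit (the `auditbeat.service` name and the drop-in path are assumptions) and that a delay before start is an acceptable way to shift the 12h cycle.

```python
import hashlib

def stagger_offset_seconds(hostname: str, period_seconds: int) -> int:
    """Deterministic per-host offset in [0, period_seconds).

    Hashing the hostname gives each server a fixed slot within the
    state.period cycle; the same host always gets the same offset,
    so the spread survives fleet-wide restarts.
    """
    digest = hashlib.sha256(hostname.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % period_seconds

def bucket_load(hostnames, period_seconds: int, bucket_seconds: int = 60):
    """Number of hosts whose offset falls into each bucket_seconds window.

    Returns {bucket_index: host_count}; the largest value is the peak
    number of hosts hitting LDAP in the same window of the cycle.
    """
    buckets = {}
    for host in hostnames:
        b = stagger_offset_seconds(host, period_seconds) // bucket_seconds
        buckets[b] = buckets.get(b, 0) + 1
    return buckets

def max_concurrent(hostnames, period_seconds: int, bucket_seconds: int = 60) -> int:
    """Peak hosts per window; 0 for an empty fleet."""
    load = bucket_load(hostnames, period_seconds, bucket_seconds)
    return max(load.values()) if load else 0

def systemd_dropin(hostname: str, period_seconds: int) -> str:
    """Render a systemd drop-in (assumed unit: auditbeat.service) that delays
    the first start by the host's offset, shifting its whole 12h cycle."""
    delay = stagger_offset_seconds(hostname, period_seconds)
    return (
        "# /etc/systemd/system/auditbeat.service.d/stagger.conf (assumed path)\n"
        "[Service]\n"
        f"ExecStartPre=/bin/sleep {delay}\n"
    )

if __name__ == "__main__":
    PERIOD = 12 * 3600                       # matches state.period: 12h
    fleet = [f"srv{i:03d}.example.net" for i in range(1, 201)]  # constructed names
    print("peak hosts per minute:", max_concurrent(fleet, PERIOD))  # vs. 200 unstaggered
    print(systemd_dropin(fleet[0], PERIOD))
```

Without staggering, all 200 constructed hosts would report in the same minute; with the hashed offset the peak per minute is a handful, and the drop-in is applied per host with `systemctl daemon-reload` before the next restart.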