Forum Discussion

JSmith
5 years ago

Tracking down LDAP Bindings

As a continuation to @Kerry DeVilbiss's datasource to track DCs that are getting unsigned LDAP bindings, we have been thinking about making a datasource that will track the incoming connections. Our thought was to take a page from this article and query our event log every X minutes and output the response of found events to the datasource. My question is a two-parter:

1) Does anyone have experience using a datasource to output large amounts of data to the wildvalue? If so, is there a character limit? We were thinking once we found the event we could narrow down the relevant data inside of a scripted method, but are worried about performance on the collector. 

2) Aside from some performance improvements on the collector, is there a benefit to adding this as a datasource rather than an eventsource? We often find the event module clunky and cumbersome.

 

Thanks! 

  • Anonymous

    Datasources can only store numbers, not strings or log entries. So, while you technically could output the string as part of the datasource script, LM would choke on it, giving you a "NaN" (not a number) response. Technically, it would be possible to treat each instance of the offending log entry as a resource instance, making the name of the instance be the first x characters of the log entry, but that would get very cumbersome, very quickly, and you'd be using active discovery to do your monitoring, which wouldn't give you very real-time statistics, nor graphability.

    Event source is the way to go. Is there perhaps some light we can shed on the event module to make it less clunky and cumbersome for you?