[Freeipa-users] dirsrv access logs flooded from single connection id

Andrew E. Bruno aebruno2 at buffalo.edu
Mon Jun 29 17:02:09 UTC 2015


On Mon, Jun 29, 2015 at 12:34:25PM -0400, Andrew E. Bruno wrote:
> On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote:
> > On 06/29/2015 10:13 AM, Andrew E. Bruno wrote:
> > >Our dirsrv access logs on our freeipa master server are getting flooded
> > >with this:
> > >
> > >[29/Jun/2015:12:02:09 -0400] conn=215758 op=1355326784 SRCH
> > >base="cn=u2,cn=groups,cn=accounts,dc=ccr,dc=buffalo,dc=edu" scope=0
> > >filter="(objectClass=*)" attrs="objectClass posixgroup cn userPassword
> > >gidNumber member ipaNTSecurityIdentifier modifyTimestamp entryusn uid"
> > >
> > >[29/Jun/2015:12:08:08 -0400] conn=215758 op=1356545457 RESULT err=0
> > >tag=101 nentries=0 etime=0 notes=P
> > >
> > >All from the same conn=215758. Logs get rotated every minute.
> > >
> > >logconv.pl is showing
> > >
> > >Searches:     265803        (3322.54/sec) (199352.25/min)
> > >
> > >
> > >How can I figure out which ip address this query is coming from? Is
> > >there a way to fetch the ip using the connection id? conn=215758?
> > 
> > grep "conn=215758 fd=" /var/log/dirsrv/slapd-INST/access*
> > 
> > Unfortunately, if it has been rotated away, you won't be able to get the
> > information from the access log.
> > 
> 
> No luck .. looks like it has been rotated away. Any other thoughts?
> 
> Is it correct to assume this is all coming from a single host? My
> thinking is that if I can kill the query coming from the host that it
> would solve the problem. 

Found the host using tcpdump. 

Thanks again for the help,

--Andrew
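The `conn=… fd=` lookup suggested in the thread, extended to rank connections by search volume and resolve each to its client address, as an added example that is not part of the original messages. It assumes the 389-ds connection-open line layout `conn=N fd=N slot=N connection from IP to IP`; the sample lines are constructed and `top_searchers` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the 389-ds access log layout (not taken from the thread).
# conn=215758 has no "fd=" line here, as if that log file had been rotated away.
SAMPLE_LOG = """\
[29/Jun/2015:11:58:01 -0400] conn=301 fd=88 slot=88 connection from 192.0.2.15 to 192.0.2.1
[29/Jun/2015:11:58:01 -0400] conn=301 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[29/Jun/2015:11:58:01 -0400] conn=301 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[29/Jun/2015:12:02:09 -0400] conn=215758 op=7 SRCH base="cn=u2,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:02:09 -0400] conn=215758 op=7 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[29/Jun/2015:12:02:09 -0400] conn=215758 op=8 SRCH base="cn=u2,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="cn"
[29/Jun/2015:12:02:09 -0400] conn=215758 op=9 SRCH base="cn=u2,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="cn"
"""

STAMP = r"\[[^\]]+\] "  # leading "[date:time zone] " prefix on every line
# Connection-open line: the only place the client address is recorded.
CONN_OPEN = re.compile(STAMP + r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to \S+")
# Search operation line; anchored at line start so filter text cannot match.
SRCH = re.compile(STAMP + r"conn=(\d+) op=\d+ SRCH ")


def top_searchers(lines, limit=5):
    """Return [(conn, search_count, client_ip_or_None)], busiest first."""
    clients = {}
    searches = Counter()
    for line in lines:
        m = CONN_OPEN.match(line)
        if m:
            clients[int(m.group(1))] = m.group(2)
            continue
        m = SRCH.match(line)
        if m:
            searches[int(m.group(1))] += 1
    # A None client means the open line is not in the files that were read.
    return [(conn, n, clients.get(conn)) for conn, n in searches.most_common(limit)]


if __name__ == "__main__":
    for conn, n, ip in top_searchers(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} searches={n} client={ip or 'unknown (open line not in these logs)'}")
```

A `None` client is the case reported in this thread: the connection was opened before the oldest retained log, so the address has to come from somewhere other than the access log, such as the packet capture used here.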



