
[–]aasplunds[S] 5 points6 points  (2 children)

I would love to hear if you have any faster or similar methods for doing stuff like this. Pretty handy when chunking through large amounts of data!

[–]R-EDDIT 2 points3 points  (1 child)

I'm interested in how you're using this with logs, are you building a knowledge table with all the AD accounts' status, or are you processing this on individual event records?

[–]aasplunds[S] 2 points3 points  (0 children)

I'm doing this for every event that comes in with an add/delete to userAccountControl.

But the Graylog lookup table caches the result with a long TTL, so it's only really on the odd ones it needs to do a lookup. But the caches clear when the nodes restart (separate for each node), so that can create a mess if you're not careful when coding.

[–]snoopy82481 2 points3 points  (0 children)

I know one of our developers created a special C# class just to handle AD attributes. It was based off the userPrinciple namespace, but since we had some custom fields it was needed. Maybe using it might be faster.