Setting up a centralised log server using Graylog on Ubuntu 16.04 LTS – Part Three

Now that we have installed Graylog and secured access using SSL/TLS, it is time to connect it to an external Authentication system, in this case it will be an existing Active Directory infrastructure.

The first step is to create a User Account in AD that Graylog will use to connect and perform authentication queries.

For this example I have created an account called svc.GraylogLDAP.

Next we need to create a pair of Global Security Groups, Graylog Admins and Graylog Readers and add the relevant AD users as members.

These will be mapped to Admin and Read Only roles within Graylog.

 

With the AD configuration now complete, log into the Graylog web interface and go to System – Authentication.

Select LDAP/Active Directory from the left hand menu.

 

Tick the box to Enable LDAP and then fill out the following:

ServerĀ  Type: Choose Active Directory

Server Address: enter the FQDN or IP of one of your Domain Controllers and change the port to 636

Tick the SSL box

System Username: Enter the userPrincipalName of the service account that we created earlier (e.g. svc.GraylogLDAP@MyLab.com )

System Password: Enter the password for our service account

Click the Test Server Connection button to confirm that everything is working so far.

 

In the User mapping section we will be defining some search options and attributes. This will vary depending on how you have structured your AD environment.

In my lab environment I have created an OU called Accounts that houses my user accounts so this is the Search Base DN I will enter.

ou=Accounts,dc=com,dc=MyLab

My User Search Pattern is

(&(objectClass=user)(sAMAccountName={0}))

and the Display Name attribute is

displayName

 

The Group Mapping section will again depend on your AD structure. I have an OU called Groups that contains all of my groups so my Group Search Base DN is

ou=Groups,dc=com,dc=MyLab

As both of the Groups I am targeting begin with the word Graylog, my Group Search Pattern is

(&(objectClass=group)(cn=Graylog*))

My Group Name Attribute is

cn

and I have set the Default User Role to

Reader – basic access

 

To test that everything is working as expected, enter a username and password combination in the Login test section and click Test login.

Assuming everything is looking good, click the Save LDAP settings button and then scroll back up to the top of the page.

In the top right corner, hit the LDAP Group Mapping button

Here you will see any AD Groups that satisfy the Group Search Pattern criteria from the previous page and you will be able to map them to the Admin or Reader roles.

Click Save when finished.

 

You should now be able to log out of Graylog and then log back in using your AD credentials.

This completes the base configuration of Graylog, the next post will cover setting up some basic inputs to start collecting data.

Leave a Reply

Your email address will not be published. Required fields are marked *