Setting up a centralised log server using Graylog on Ubuntu 16.04 LTS – Part Three

Now that we have installed Graylog and secured access to it with SSL/TLS, it is time to connect it to an external authentication system; in this case that will be an existing Active Directory infrastructure.

The first step is to create a User Account in AD that Graylog will use to connect and perform authentication queries.

For this example I have created an account called svc.GraylogLDAP.

Next we need to create a pair of Global Security Groups, Graylog Admins and Graylog Readers and add the relevant AD users as members.

These will be mapped to Admin and Read Only roles within Graylog.


With the AD configuration now complete, log into the Graylog web interface and go to System – Authentication.

Select LDAP/Active Directory from the left hand menu.


Tick the box to Enable LDAP and then fill out the following:

Server Type: Choose Active Directory

Server Address: enter the FQDN or IP of one of your Domain Controllers and change the port to 636

Tick the SSL box

System Username: Enter the userPrincipalName of the service account that we created earlier (e.g. svc.GraylogLDAP@MyLab.com)

System Password: Enter the password for our service account

Click the Test Server Connection button to confirm that everything is working so far.


In the User mapping section we will be defining some search options and attributes. This will vary depending on how you have structured your AD environment.

In my lab environment I have created an OU called Accounts that houses my user accounts so this is the Search Base DN I will enter.

ou=Accounts,dc=com,dc=MyLab

My User Search Pattern is

(&(objectClass=user)(sAMAccountName={0}))

and the Display Name attribute is

displayName


The Group Mapping section will again depend on your AD structure. I have an OU called Groups that contains all of my groups so my Group Search Base DN is

ou=Groups,dc=com,dc=MyLab

As both of the Groups I am targeting begin with the word Graylog, my Group Search Pattern is

(&(objectClass=group)(cn=Graylog*))

My Group Name Attribute is

cn

and I have set the Default User Role to

Reader – basic access


To test that everything is working as expected, enter a username and password combination in the Login test section and click Test login.

Assuming everything is looking good, click the Save LDAP settings button and then scroll back up to the top of the page.

In the top right corner, hit the LDAP Group Mapping button

Here you will see any AD Groups that satisfy the Group Search Pattern criteria from the previous page and you will be able to map them to the Admin or Reader roles.

Click Save when finished.
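To make the user search, group search and group-to-role mapping above concrete, here is an added example (not part of the original post and not Graylog's own code) that models how those settings turn a login into a role. It keeps the post's two search patterns, the two group names and the Reader default; the directory entries, the example.com domain components, and the helper names (escape_filter_value, build_user_filter, search, resolve_roles) are constructed for the example. It also shows why the {0} placeholder must be filled with an RFC 4515-escaped value, so that a username containing filter metacharacters is matched literally rather than parsed as filter syntax.

```python
"""Constructed model of how Graylog's LDAP settings turn a login into a role.
Filters and role names are the post's; the directory, the example.com domain
and the helper names are constructed for this example."""
import re

# RFC 4515 escaping for the username substituted into {0}: metacharacters in
# the typed name stay literal instead of changing the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(pattern: str, username: str) -> str:
    return pattern.replace("{0}", escape_filter_value(username))

def parse_filter(text: str):
    """Parse (&...), (|...), (!...) and attr=value (with * wildcards) into
    nested tuples such as ('and', [('eq', 'cn', 'Graylog*')])."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node

def _parse(text: str, pos: int):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":
        kind, pos, children = ("and" if text[pos] == "&" else "or"), pos + 1, []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        node = (kind, children)
    elif text[pos] == "!":
        child, pos = _parse(text, pos + 1)
        node = ("not", child)
    else:
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        node, pos = ("eq", attr.lower(), value), end  # AD attribute names are case-insensitive
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def _value_regex(pattern: str) -> re.Pattern:
    # An unescaped * is a wildcard; escaped bytes such as \2a are literal.
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), s)
    parts = [re.escape(unescape(seg)) for seg in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    regex = _value_regex(node[2])
    return any(regex.match(v) for v in entry.get(node[1], []))

# Constructed directory. An entry is in scope when its DN ends with the search
# base DN; swap example.com for your own domain components.
USER_BASE = "ou=Accounts,dc=example,dc=com"
GROUP_BASE = "ou=Groups,dc=example,dc=com"
ALICE, BOB, CAROL = (f"cn={n},{USER_BASE}" for n in ("Alice", "Bob", "Carol"))
DIRECTORY = [
    {"dn": ALICE, "objectclass": ["user"], "samaccountname": ["alice"]},
    {"dn": BOB, "objectclass": ["user"], "samaccountname": ["bob"]},
    {"dn": CAROL, "objectclass": ["user"], "samaccountname": ["carol"]},
    {"dn": f"cn=Graylog Admins,{GROUP_BASE}", "objectclass": ["group"], "cn": ["Graylog Admins"], "member": [ALICE]},
    {"dn": f"cn=Graylog Readers,{GROUP_BASE}", "objectclass": ["group"], "cn": ["Graylog Readers"], "member": [BOB]},
    {"dn": f"cn=Domain Admins,{GROUP_BASE}", "objectclass": ["group"], "cn": ["Domain Admins"], "member": [ALICE]},
]

# The post's Graylog settings: search patterns, the LDAP Group Mapping page and the Default User Role.
USER_SEARCH_PATTERN = "(&(objectClass=user)(sAMAccountName={0}))"
GROUP_SEARCH_PATTERN = "(&(objectClass=group)(cn=Graylog*))"
GROUP_ROLE_MAP = {"Graylog Admins": "Admin", "Graylog Readers": "Reader"}
DEFAULT_USER_ROLE = "Reader"

def search(base_dn: str, filter_text: str, directory=DIRECTORY) -> list:
    node = parse_filter(filter_text)
    return [e for e in directory
            if e["dn"].lower().endswith(base_dn.lower()) and matches(node, e)]

def resolve_roles(username: str):
    """Roles a login would receive, or None when the user search does not
    return exactly one entry (unknown or ambiguous user)."""
    users = search(USER_BASE, build_user_filter(USER_SEARCH_PATTERN, username))
    if len(users) != 1:
        return None
    user_dn = users[0]["dn"].lower()
    mapped = set()
    for group in search(GROUP_BASE, GROUP_SEARCH_PATTERN):
        name = group["cn"][0]
        if name in GROUP_ROLE_MAP and user_dn in (m.lower() for m in group["member"]):
            mapped.add(GROUP_ROLE_MAP[name])
    # In a mapped group: the mapped role(s); otherwise the Default User Role.
    return sorted(mapped) or [DEFAULT_USER_ROLE]
```

Calling resolve_roles("alice") yields ["Admin"], resolve_roles("carol") falls back to the Reader default because Carol is in no mapped group, and Domain Admins never appears on the mapping page because it fails the cn=Graylog* pattern. This is the check worth repeating against your own AD: a Group Search Pattern that is too broad exposes unrelated groups for mapping, while a Default User Role of Reader means every AD user matched by the User Search Pattern can read logs even before any group mapping is made.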


You should now be able to log out of Graylog and then log back in using your AD credentials.

This completes the base configuration of Graylog. The next post will cover setting up some basic inputs to start collecting data.
