Whether you are a new BindPlane user or have been using it for a while, you may have seen or heard of our logs feature. This feature integrates your various data sources into Stackdriver Logging, which lets you gain insights into your data that you may not have had before. Currently, the logs feature only supports sending data to Google Stackdriver, but new source bundles are being added every week. If you are a Stackdriver user, you are probably excited to get started on collecting and monitoring your data with logs, but you may be a little unsure where to start. We talk about how easy it is to get set up, and now we’re going to show you just how easy it really is. This blog post walks you through the first-time setup of BindPlane Logs for Google Stackdriver. For instructions on how to set up BindPlane Metrics, click here.
If it’s the first time you’re setting up BindPlane Logs, the first step is to create your Destination. The Destination is where you want to send your logs. To create your destination, you will navigate to the “Destination tab” and select “Add Destination Configuration”.
Currently, the only Destination that can support BindPlane Logs is Google Stackdriver, so you will need to choose Stackdriver. After selecting the destination, you will need to configure it before moving on.
Here you will link your GCP project and Stackdriver account to BindPlane. A Google IAM service account is required, along with certain API activations. All you will need to do is enter the name of your destination and fill in the credentials box. Once you have everything filled out, hit “Test Connection” and wait to see whether it succeeds. If it returns a failure, you may have entered your credentials incorrectly. For more information on configuring your destination for the first time, visit our destination documentation page.
Now that you have your destination configured, it is time to create your source. The source is where you will be collecting your logs from, and in this example the source will be Active Directory. To set up AD as your new source, the first thing you will do in BindPlane Logs is select “Deploy Source” and choose “Add Source Configuration”. Once that is done, choose the source you would like to monitor with logs.
After you have selected AD, fill in the required fields and click “Create”. For more information about the fields, you can mouse over the tool tip to learn more.
Now that the destination and source are configured, you will need to install your agent. This is the most important part when it comes to collecting your logs. Creating an agent is pretty easy: you will find the agent page in the logs tab on BindPlane, and there you will select the “Add Agent” button.
Once you follow the prompts to configure and install the agent, you will then need to select the deployment destination you would like to send logs to (Stackdriver), the source that you want to collect logs from (AD) and the platform (Windows, Linux or Kubernetes) to install the agent on.
Next, after selecting the platform you would like to deploy your agent on, you will be presented with a “key” to enter and run in your command terminal.
For a more in-depth explanation of configuring your new agent, visit our Agent documentation page. Once the agent is deployed, you will be able to view the agent status as shown below.
Now that you have completed all of the steps, you can return to the agent screen and see your agent status, destination configuration, and source configuration.
BindPlane logs also gives you the ability to create templates for your configurations. Using these templates will save you a lot of time when you have multiple deployments with only a couple differences. For example, you may have multiple sources you want to monitor, but they all run on the same agent and deploy to the same destination. Using these templates will allow you to have those agents and destinations pre-configured, which just leaves you with configuring the different sources.
When monitoring your Active Directory, the number of logs being output from your system will be overwhelming to comb through to find anything of importance. To help with this, Stackdriver Logging comes with the capability to create alerts that notify you when a certain event is triggered. For example, alerts can be set up for Active Directory to notify you if any of the constraints or limits you created for the objects in your schema have been violated. The log data streamed by BindPlane includes a JSON payload that gives you a more contextual look at what is included within each log entry, such as the container ID, the severity level, and other insights depending on the event.
Stackdriver Logging also comes with the ability to create log-based metrics which can be very beneficial since it can be mind-numbing to sift through hundreds of logs to find any type of trend in the information. With log-based metrics, you can create metric charts which can give you more of a visual representation of your logs. These charts can be compared to each other giving you better insights into your network and systems, potentially letting you learn of any correlations or causations between different log events.
For example, you can track all of the log-on attempts that occur on your Active Directory. These graphs also allow you to filter by time, helping you dive deeper into the data and hopefully gain a better insight into any issues you may be having.
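To make the log-on example above concrete, here is an added Python example (not BindPlane’s or Stackdriver’s own code) that does offline what a log-based counter metric and an alert on it do in Stackdriver: it parses structured log entries, counts successful and failed logons, and flags any account with a burst of failed logons inside a sliding time window. The sample log lines are constructed, and the payload layout (a jsonPayload carrying event_id, account and source_ip under a top-level severity and timestamp) is an assumption for illustration, not BindPlane’s actual Active Directory schema. The Windows Security event IDs 4624 and 4625 are the standard logon-success and logon-failure audit events.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows Security audit event IDs for logon tracking.
SUCCESS_LOGON = 4624  # "An account was successfully logged on"
FAILED_LOGON = 4625   # "An account failed to log on"

# Constructed newline-delimited JSON log lines. The field layout is an
# assumption for this example, not BindPlane's real Active Directory payload.
SAMPLE_LOG_LINES = """\
{"timestamp": "2019-06-03T14:00:05Z", "severity": "INFO",  "jsonPayload": {"event_id": 4624, "account": "alice", "source_ip": "10.0.0.12"}}
{"timestamp": "2019-06-03T14:00:41Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "alice", "source_ip": "10.0.0.12"}}
{"timestamp": "2019-06-03T14:01:02Z", "severity": "INFO",  "jsonPayload": {"event_id": 4624, "account": "alice", "source_ip": "10.0.0.12"}}
{"timestamp": "2019-06-03T14:02:10Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "svc_backup", "source_ip": "10.0.0.77"}}
{"timestamp": "2019-06-03T14:02:31Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "svc_backup", "source_ip": "10.0.0.77"}}
{"timestamp": "2019-06-03T14:02:55Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "svc_backup", "source_ip": "10.0.0.77"}}
this line is not JSON and must not break the pipeline
{"timestamp": "2019-06-03T14:03:20Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "svc_backup", "source_ip": "10.0.0.77"}}
{"timestamp": "2019-06-03T14:03:48Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "svc_backup", "source_ip": "10.0.0.77"}}
{"timestamp": "2019-06-03T14:20:00Z", "severity": "ERROR", "jsonPayload": {"event_id": 4625, "account": "svc_backup", "source_ip": "10.0.0.77"}}
"""


def parse_entries(raw_text):
    """Parse newline-delimited JSON log lines into flat dicts, skipping
    malformed lines and entries missing the fields we need."""
    entries = []
    for line in raw_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            payload = entry["jsonPayload"]
            # fromisoformat() does not accept a trailing "Z" on older Pythons.
            ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
            entries.append({
                "ts": ts,
                "severity": entry.get("severity", "DEFAULT"),
                "event_id": int(payload["event_id"]),
                "account": payload["account"],
                "source_ip": payload.get("source_ip"),
            })
        except (json.JSONDecodeError, KeyError, TypeError, ValueError):
            continue  # collector noise or an unexpected shape: drop, don't crash
    return entries


def logon_counts(entries):
    """Equivalent of a log-based counter metric labelled by event_id:
    how many successful and failed logons the stream contains."""
    return Counter(e["event_id"] for e in entries
                   if e["event_id"] in (SUCCESS_LOGON, FAILED_LOGON))


def failed_logon_bursts(entries, window=timedelta(minutes=5), threshold=5):
    """Accounts with at least `threshold` failed logons inside any sliding
    `window`. Returns {account: peak count in a window}. This is the alert
    condition you would put on the failed-logon metric."""
    per_account = defaultdict(list)
    for e in entries:
        if e["event_id"] == FAILED_LOGON:
            per_account[e["account"]].append(e["ts"])

    bursts = {}
    for account, times in per_account.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until every timestamp in it is recent.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[account] = peak
    return bursts


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG_LINES)
    print("logon counts by event id:", dict(logon_counts(parsed)))
    print("accounts with failed-logon bursts:", failed_logon_bursts(parsed))
```

On the constructed sample, the counter reports two successful and seven failed logons, and the burst check flags svc_backup with five failures inside one five-minute window while leaving alice alone. The same split of a raw count from a windowed threshold is what you get in Stackdriver by defining a log-based metric on the failed-logon filter and then alerting on that metric over a short alignment period, so the chart shows the trend and the alert only fires on the burst.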
Now that we have gone through how to set up Active Directory log monitoring on Stackdriver, you can now extend what you have learned to any other sources you would like to monitor. BindPlane logs supports a range of other sources, with more on their way!