What is Active Directory?
You may be familiar with Microsoft Active Directory as it is a mainstay in many business’s IT operations and is crucial to the security and functionality of your network. Active Directory was developed by Microsoft for their Windows Domain networks and was released back in 2000 along with Windows 2000. Active Directory has become an umbrella that contains their “directory-based identity-related services” and offers a range of capabilities. At a high level, Active Directory stores information about objects handled on a network and makes it easy for admins and other users to access and utilize the data. When using the Active Directory Domain Service (AD DS) on a server, you get a domain controller. A domain controller automatically authenticates and authorizes all of the devices and users on the network, easily assigning and enforcing the security policies. Active Directory also includes the ability to create a schema, that allows you define classes and constraints for objects and attributes that are found in the directory. Another useful tool that can be found in AD is the replication service that distributes the directory data across the network.
If you’ve taken advantage of implementing Active Directory on Google Cloud Platform (GCP), you can unify your monitoring and analysis of Active Directory with the rest of your GCP resources and workloads using Stackdriver Logging and Blue Medora BindPlane. BindPlane streams logs and metrics from more than 150 non-GCP technologies into Stackdriver, at no additional cost to Google customers. Now we will take you through how to monitor Microsoft Active Directory with Stackdriver.
Stackdriver for Microsoft Active Directory
Before you start setting up Active Directory observability with Stackdriver, you may be wondering, “why would I want to monitor Active Directory when it does everything automatically?”. Well as you most likely know, cyber security and data integrity are extremely important when it comes to protecting your company’s assets. Implementing Google Stackdriver with BindPlane logs to monitor the data collected by AD DS and its other services will let you check all of the log-on attempts and authorizations that occur on your network. You can also use this data to understand if there are any un-authorized log-on or access attempts, and see how frequently they are occurring. Google Stackdriver will make this easy through the use of the logging feature, which allows you to create custom alerts and dashboards, giving you easy visibility into the security activity of your network. Along with security, you can use Stackdriver to monitor the integrity of your data that is stored throughout your network. You can also use alerts to be notified about any corruption or issues related to your data being replicated across domains and domain controllers or other similar problems that may occur.
Getting Started: Monitoring Active Directory via Logs (Alpha)
If you’re like most DevOps practitioners, you’ve probably increased your use of Log tools to monitor networks and infrastructure. Whether they are being used to monitor systems health or network security, log tools provide valuable insights that you would otherwise need to do some serious digging and synthesizing to find. Today, with the help of BindPlane, monitoring Active Directory with Stackdriver has gone from a complicated mess of command lines and code to a few easy steps. To get you started with using logs to help you monitor your Active Directory, we will take you through a quick overview of how to set up AD with BindPlane to seamlessly integrate the service into Stackdriver. For a more in-depth walk through visit our “Getting started” page, or visit our site to sign up for a trial. The three big parts that you need to focus on when setting up BindPlane are the source, destination and agent. In this case, the agent will be the BindPlane software that collects logs from your OS, the source will be Active Directory and the Destination will be Stackdriver.
First Time Setup: Installing an Agent
If it is your first time setting up BindPlane, then you will need to install your agent. The agent is the most important part when it comes to collecting your logs. Creating an Agent is pretty easy, you will find the agent page in the logs tab on BindPlane, there you will select the “add agent” button.
Once you follow the prompts to configure and install the
agent, you will then be prompted to select the deployment platform (Windows,
Linux or Kubernetes) to install the agent on and follow the on-screen
instructions. For a more in-depth explanation on configuring your new agent
visit our Agent
documents page. Once the Agent is deployed, you will be able to view the Agent
status as shown below
The next step in setting up your log monitoring, is to create your Destination. The Destination is where you want to send your logs. In this case, your destination will be Stackdriver. To create the destination, you will navigate to the agent and select “deploy Destination” and choose “add new”.
After selecting Google Stackdriver, you will need to configure your new destination. Here you will link your GCP project and Stackdriver account to BindPlane. A Google IAM service account is required, and certain API activations. For more information on configuring your destination for the first time visit our destination documentation page.
Create a Source
Now that you have your Agent set up and your destination configured, it is time to create your source. The source is where you will be collecting your logs from, and in this case the source will be Active Directory. To set up AD as your new source, the first thing you will do in BindPlane Logs is select, “Deploy source” and choose ‘Add Source Configuration’. Once that is done, you will then choose Active Directory to set up logs monitoring.
Once you have selected AD, fill in the required fields and click “Create”. For more information about the fields, you can mouse over the tool tip to learn more
Now that you have configured all of the steps, you can return to the agent screen and see your Agent status, Destination configuration, and source configuration
Creating and using Templates
BindPlane logs also gives you the ability to create templates for your configurations. Using these templates will save you a lot of time when you have multiple deployments with only a couple differences. For example, you may have multiple sources you want to monitor, but they all run on the same agent and deploy to the same destination. Using these templates will allow you to have those agents and destinations pre-configured, which just leaves you with configuring the different sources.
Benefits of using Logs
When monitoring your Active Directory, the number of logs being output from your system will be overwhelming to comb through to find anything of importance. To help with this, Stackdriver Logging comes with the capability to create alerts that notify you when a certain event is triggered. For example, alerts can be set up for Active Directory to notify you if any of the constraints or limits you created for your objects in your schema has been violated. The log data streamed by BindPlane include a JSON payload that gives you a more contextual look on what is included within each log entry such as the container ID, the severity level, and other insights depending on the event.
Stackdriver Logging also comes with the ability to create log-based metrics which can be very beneficial since it can be mind-numbing to sift through hundreds of logs to find any type of trend in the information. With log-based metrics, you can create metric charts which can give you more of a visual representation of your logs. These charts can be compared to each other giving you better insights into your network and systems, potentially letting you learn of any correlations or causations between different log events.
For example, you can track all of the log-on attempts that occur on your active directory. These graphs also allow you to filter by time, helping you dive deeper into the data, hopefully allowing you to gain a better insight on any issues you may be having.
Extending your Knowledge
Now that we have gone through how to set up Active Directory log monitoring on Stackdriver, you can now extend what you have learned to any other sources you would like to monitor. BindPlane logs supports a range of other sources, with more on their way!