Managing Active Directory users with Log Insight

Active Directory (AD) integration in Log Insight (LI) lets you apply role-based access control to the management, administration, and operations of your log platform. The user that binds LI to AD is used to verify AD users and groups. AD users and groups added afterwards must belong either to the domain of the binding user or to a domain that trusts the domain of the binding user. You know – remember Domains, Forests and Trees!

This example uses two AD groups named loginsight-users and loginsight-dash. The goal of this post is to have members of those AD groups inherit the permissions of LI roles.

Log Insight roles

There are four roles in Log Insight.

  • User – Users can access the full functionality of Log Insight to view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage their own user accounts to change their password or email address. Users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack as a content pack.
  • Dashboard User – Dashboard users can only use the dashboards page of Log Insight.
  • View Only Admin – View Only Admins can view Admin information, have full User access, and can edit Shared content.
  • Super Admin – God mode. Full functionality of Log Insight: can administer Log Insight and can manage all other user accounts and roles. Treat this account the same way you treat a Domain Administrator.

The loginsight-users AD group will be added to the User LI role. The loginsight-dash AD group will be added to the Dashboard User LI role.

Adding groups to roles

This is a very simple process for extensive Role Based Access Control (RBAC).

  1. From the drop-down menu, select Administration.
  2. Under Management, select Access Control.
  3. Select Users and Groups.
  4. Under Active Directory Groups, click New Group.

You will see a list of the groups in the bound domain that the binding user can see.

  1. Select the group you want to add.
  2. On the right there is the Roles list. Select the appropriate one.
  3. Click save.

Voila! Done. Repeat the process for the other AD group (loginsight-users or loginsight-dash).
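Because LI access now follows AD group membership, it is worth reviewing who actually ends up in the mapped groups, nested members included. The script below is an added example, not part of the original post or of Log Insight; it assumes the RSAT ActiveDirectory module and the two groups and role mappings used in this post.

```powershell
# Added example: list every account that reaches a Log Insight role through AD.
# Assumes the RSAT ActiveDirectory module and this post's group-to-role mapping.
Import-Module ActiveDirectory

# AD group -> Log Insight role, as configured in the steps above.
$roleMap = [ordered]@{
    'loginsight-users' = 'User'
    'loginsight-dash'  = 'Dashboard User'
}

$rows = foreach ($group in $roleMap.Keys) {
    # -Recursive expands nested groups, so indirect members are listed too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate
            [pscustomobject]@{
                User      = $u.SamAccountName
                Group     = $group
                Role      = $roleMap[$group]
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogonDate
            }
        }
}

# Accounts that appear in more than one mapped group.
$multi = $rows | Group-Object User | Where-Object Count -gt 1 | ForEach-Object Name

$rows |
    Select-Object *, @{ n = 'Review'; e = {
        $flags = @()
        if (-not $_.Enabled)          { $flags += 'disabled account' }
        if ($multi -contains $_.User) { $flags += 'in multiple mapped groups' }
        $flags -join '; '
    } } |
    Sort-Object User, Group |
    Format-Table -AutoSize
```

If the groups contain members from a trusted domain, the lookups may need to be run against that domain with -Server.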

Even more granularity

Log Insight can take RBAC a step further and control which Data Sets are available to users and groups.

A data set is a set of command(s) that can be used to search logs and provide users access to specific content.

  1. Under Access Control, select Data Sets.
  2. Click New Data Set.
  3. Click Add Filter.

From here, open the drop-down and you will see the fields defined within LI. These fields can be exposed to a user or group. A secondary field appears which allows you to specify operators like the ones discussed here.

You can manually define the value you want to use. Multiple values are separated by OR – | – remember?

Add more filters if you desire, or save.

RBAC can get sticky

Remember, when you get granular you can get lost in the weeds. Start broadly. Define roles and add members to the right groups. The large partitions at first will help define user roles. From there, break down the user roles into what commands they can execute if you desire. If required, you can create a custom group, but that depends on your use case. The important part is to allow the right people access to the right information as fast as possible. Don’t let RBAC slow down your MTR or stop you from identifying faults, but make sure the data is accessed only by the right people.
