How to Monitor Active Directory With Google Stackdriver

Confirgure Google Stackdriver and Bindplane to monitor your Active Directory

What is Active Directory?

Active Directory stores information about objects handled on a network and makes it easy for admins and other users to access and utilize the data. When using the Active Directory Domain Service (AD DS) on a server, you get a domain controller. A domain controller automatically authenticates and authorizes all of the devices and users on the network, easily assigning and enforcing the security policies. Active Directory also includes the ability to create a schema that allows you to define classes and constraints for objects and attributes that are found in the directory. Another useful tool that can be found in AD is the replication service that distributes the directory data across the network.

Stackdriver for Microsoft Active Directory

Before you start setting up Active Directory observability with Stackdriver, you may be wondering, “Why would I want to monitor Active Directory when it does everything automatically?” As you most likely know, cybersecurity and data integrity are extremely important when it comes to protecting your organization’s assets. Implementing Google Stackdriver with BindPlane logs to monitor the data collected by AD DS and its other services will let you check all of the log-on attempts and authorizations that occur on your network. You can also use this data to understand if there are any unauthorized log-ons or access attempts, and see how frequently they are occurring. Google Stackdriver will make this easy through the use of the logging feature, which allows you to create custom alerts and dashboards, giving you easy visibility into the security activity of your network. Along with security, you can use Stackdriver to monitor the integrity of your data that is stored throughout your network.

Getting Started: Monitoring Active Directory via Logs

If you’re like most DevOps practitioners, you’ve probably increased your use of log tools to monitor networks and infrastructure. Whether they are being used to monitor systems health or network security, log tools provide valuable insights that you would otherwise need to do some serious digging and synthesizing to find. This can turn into a very expensive environment to deal with with the help of SEIM tools. To get you started streaming logs to help you monitor your Active Directory, we will take you through a quick overview of how to set up AD with BindPlane, a free-to-use tool, to seamlessly integrate the service into Stackdriver.

First Time Setup: Installing an Agent

If it is your first time setting up BindPlane, then you will need to install your agent. You will find the agent page in the logs tab on BindPlane, there you will select the “add agent” button.

Once you follow the prompts to configure and install the agent, you will then be prompted to select the deployment platform (Windows, Linux or Kubernetes) to install the agent on and follow the on-screen instructions. For a more in-depth explanation on configuring your new agent visit BindPlane’s Agent documents page. Once the Agent is deployed, you will be able to view the Agent status as shown below:

Create Destination

The next step in setting up your log monitoring is to create your Destination. The Destination is where you want to send your logs. In this case, your destination will be Stackadriver. To create the destination, you will navigate to the agent and select “Deploy Destination” and choose “Add new.”

After selecting Google Stackdriver, you will need to configure your new destination. Here you will link your GCP project and Stackdriver account to BindPlane. A Google IAM service account is required, and certain API activations. For more information on configuring your destination for the first time visit our destination documentation page.

Create a Source

Now that you have your Agent set up and your destination configured, it is time to create your source. The source is where you will be collecting your logs from, and in this case the source will be Active Directory. To set up AD as your new source, the first thing you will do in BindPlane Logs is select, “Deploy source” and choose "Add Source Configuration." Once that is done, you will then choose Active Directory to set up logs monitoring.

Once you have selected AD, fill in the required fields and click “Create.” For more information about the fields, you can mouse over the tool tip to learn more

Now that you have configured all of the steps, you can return to the agent screen and see your Agent status, Destination configuration, and source configuration.

Creating and Using Templates

BindPlane logs also gives you the ability to create templates for your configurations. Using these templates will save you a lot of time when you have multiple deployments with only a couple of differences. For example, you may have multiple sources you want to monitor, but they all run on the same agent and deploy to the same destination. Using these templates will allow you to have those agents and destinations pre-configured, which just leaves you with configuring the different sources.

Benefits of Using Stackdriver Logging

When monitoring your Active Directory, the number of logs being output from your system will be overwhelming to comb through to find anything of importance. To help with this, Stackdriver Logging comes with the capability to create alerts that notify you when a certain event is triggered. For example, alerts can be set up for Active Directory to notify you if any of the constraints or limits you created for your objects in your schema has been violated. The log data streamed by BindPlane includes a JSON payload that gives you a more contextual look on what is included within each log entry such as the container ID, the severity level, and other insights depending on the event.

For example, you can track all of the log-on attempts that occur on your active directory. These graphs also allow you to filter by time, helping you dive deeper into the data, hopefully allowing you to gain a better insight on any issues you may be having.

Further Reading

Stackdriver Logging - Google Cloud Logging Service

Azure Active Directory Is Not Active Directory!