Kiwi Syslog Server是一款應用於Windows系統的系統日誌守護進程,可以接收並記錄系統日誌,各類設備的SYSLOG消息,內置豐富的日誌記錄選項,能詳細記錄各類防火牆日誌,並進行篩選分析。
本文主要介紹Kiwi Syslog Server配置Active Directory集成身份認證。
html
安裝教程:
【逗老師帶你學IT】Kiwi Syslog Server安裝教程
https://blog.csdn.net/ytlzq0228/article/details/104827014
web
在多用戶環境中使用Kiwi Syslog時,使用Active Directory集成認證有助於用戶帳號受權的管理。這樣,您能夠控制誰能夠經過AD認證訪問Kiwi Syslog Web Access界面,避免管理很是多個本地賬戶帶來的麻煩。瀏覽器
設置很是簡單。
@[TOC]
安全
1、Kiwi Syslog Web Active Directory集成的前提條件:
一、Kiwi中的AD集成使用TCP端口389上的LDAP鏈接到域控制器,提早確認Kiwi Sylog Server跟域控之間的TCP 389端口正常通訊。
二、Kiwi Syslog的服務器必須加入用於認證的AD域。
服務器
2、Active Directory準備工做
一、在Active Directory中建立一個用戶組或安全組,以用於控制對Kiwi Syslog的身份驗證,或者選擇已有的用戶組或安全組,例如IT部門羣組。
二、將受權訪問Kiwi的用戶賬戶添加到上面建立的安全組中,您但願它們可以登陸到Kiwi Syslog Web Client。
微信
3、Kiwi Syslog Web Access中設置Active Director的步驟
一、登陸Kiwi Syslog Web Access
使用管理員賬戶登陸Kiwi Syslog Web Access
網絡
二、Active Directory集成配置
打開「 Admin」->「 Active Directory Setting」
app
三、Active Directory認證配置參數
3.一、輸入您的Active Directory環境的域URL
若是是AD域控制器,輸入AD域控服務器DNS域名
如:csdn.com
若是是其餘LDAP服務器,須要輸入完整的LDAP URL
如ldap:// DomainController1:389 / ou = Groups,dc = npgdom,dc = com
3.二、將身份驗證類型留爲空白,默認爲Secure。若是對LDAP使用其餘身份驗證類型,請進行更改。若是不知道這項什麼意思,請將其留空。
3.三、在「用戶組」字段中輸入您在AD中建立的用戶組的名稱。能夠使用多個用戶組並用分號分隔。
3.四、點擊保存設置。
查看AD域控制器的Windows防火牆,和沿途全部防火牆,確認運行Kiwi Syslog Server能夠訪問AD域控的TCP 389端口。
less
4、測試使用域賬戶登陸Kiwi Syslog Web訪問
一、註銷登陸當前管理員帳號,或新開一個瀏覽器小號窗口。
二、使用Domain\username的格式進行登陸,好比CSDN\doulaoshi。注意若是使用域帳號登陸,必須添加域名前綴
三、新用戶第一次登陸會出現一條提示,不要慌,這不是報錯!
第一次登陸系統須要在Kiwi Syslog中建立一個同名的本地賬戶,再次登陸便可以正常登陸
管理員能夠看到用戶管理中,新添加了一個域帳戶。
dom
5、域賬戶登陸Kiwi Syslog Web權限
域帳戶登陸以後的權限是標準用戶權限,能夠查詢全部的日誌,編輯過濾器,可是無權限訪問Admin選項卡
6、參考資料
參考資料
1.如何集成Kiwi與活動目錄:Network Pro Guide | How to Integrate Kiwi Syslog Web Access with Active Directory
官方手冊
2.Kiwi web server AD認證設置:Solarwinds | Active Directory Authentication setting for Kiwi Syslog Server Web Access
3.Kiwi web Access AD認證:Solarwinds | Kiwi SyslogTM Web Access - AD Authentication
| 全部支持的LDAP認證類型: Auth types |
description |
|---|---|
| Anonymous | No authentication is performed. |
| Delegation | Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains. |
| Encryption | Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. |
| FastBind | Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available. A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify if any of the request objects actually exist on the server. |
| None | Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider. |
| ReadonlyServer | For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding. |
| Sealing | Encrypts data using Kerberos. The Secure flag must also be set to use sealing. |
| Secure | Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating. |
| SecureSocketsLayer | Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory Domain Services requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption. |
| ServerBind | If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for server less paths. Specifying a server name without also specifying this flag results in unnecessary network traffic. |
| Signing | Verifies data integrity to ensure that the data received is the same as the data sent. The Secure flag must also be set to use signing. |
往期回顧:
【逗老師帶你學IT】Kiwi Syslog Server安裝和配置教程
【逗老師帶你學IT】Kiwi Syslog Web Access與Active Directory集成認證
【逗老師帶你學IT】vMware ESXi 6.7合併第三方硬件驅動
【逗老師帶你學IT】Windows Server Network Policy Service(NPS)記帳與審計
【逗老師帶你學IT】Windows Server NPS服務構建基於AD域控的radius認證
【逗老師帶你學IT】AD域控和freeradius集成認證環境,PAP,MSCHAPV2
【逗老師帶你學IT】PRTG監控系統配合樹莓派採集企業內部無線網絡質量
【逗老師帶你學IT】深信服SSL遠程接入與深信服行爲審計同步登錄用戶信息
【逗老師帶你學IT】PRTG監控系統合併多個傳感器通道數據
【逗老師帶你學IT】PRTG監控系統經過企業微信推送告警消息