Welcome to the three-part series, “Go From Reactive to Fully Proactive with Graylog.” We designed this series because log data is expanding in both volume and complexity, and many of us are stretched thin trying to keep up. Most people are stuck working reactively, but we’ll show you how to become fully proactive and reclaim some time in your day.
Hello, I’m Jeff Darrington, Senior Technical and Marketing Manager at Graylog. Welcome to Session 3. In Sessions 1 and 2, we covered search to notifications and then parameterized search and dashboards. Today, in Session 3, we’ll focus on teams and permissions, data enrichment, and reports. We’ll tie together alerts, notifications, and parameterized dashboards to take your log management to the next level. We’ll also cover how to use teams and permissions to work faster and more efficiently, the value of data enrichment, and a brief overview of reports for delivering information across multiple teams and departments.
Let’s dive into users, teams, and permissions. I’m going to switch over to my screen, where you’ll see the system authentication menu. This system is configured for LDAP, synchronizing users through groups. At the bottom right, you’ll see the synchronized teams that are built in Graylog and tied to LDAP users, as well as the individual users that have come across.
To start, you need an authentication service like LDAP or Okta. Once set up, you’ll configure your LDAP server, choose TLS options, and set your search base DN. For this demo, I’ve used the OU “people” from my PHP app server. My groups are “security admins” and “security managers,” and I’m synchronizing with UUID and the default rules.
Next, we’ll look at how to build teams in Graylog. I’ve created teams that match the security groups in my LDAP server for seamless synchronization. After building your teams, go to Authentication > Users and Teams, where you’ll see the teams listed. For example, we’ll edit the “security admins” team. It’s already synchronized, so we can’t edit it, but you can add new teams or assign roles to teams, like reader, report manager, or admin. Once teams are saved, the synchronization will automatically pull users over from LDAP.
Permissions are managed similarly. After setting up your server and group synchronization, you can assign roles and manage user permissions. For instance, synchronized users will inherit default permissions from their LDAP group, but you can manually promote users to higher roles within Graylog, like admin. This allows flexibility in permissions management while keeping your user management centralized with your LDAP or Active Directory.
Now, let’s move on to data enrichment. Data enrichment can take many forms. One common example is GeoIP. You can look up the geographic locations of IP addresses and apply this data to a map within Graylog. I’ve configured MaxMind’s GeoLite database for this demo, and we’ll look at how to use this data in Graylog to analyze where your traffic is going.
I’ll show you how to set up GeoIP data adapters under System > Lookup Tables > Data Adapters. You’ll choose between MaxMind’s ASN, City, or Country databases, or IPinfo’s location databases, and configure them accordingly. Once set up, you’ll be able to enrich your log data with geographic information and visualize it on maps or dashboards.
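The GeoIP enrichment and map aggregation described in the two paragraphs above, as an added Python example that is not Graylog's own code or MaxMind's API: it assumes a constructed prefix table standing in for the GeoLite database, constructed sample events, and hypothetical field names (source_ip_country, source_ip_geo_location), and shows that private addresses are left unenriched rather than given empty fields.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the GeoLite lookup table: prefix -> (ISO country, lat, lon).
# Documentation prefixes (RFC 5737) only; the real database is far more granular.
GEO_TABLE = {
    "192.0.2.0/24": ("US", 37.75, -97.82),
    "198.51.100.0/24": ("DE", 51.30, 9.49),
    "203.0.113.0/24": ("JP", 35.69, 139.69),
}
_NETS = [(ipaddress.ip_network(c), g) for c, g in GEO_TABLE.items()]
# Addresses a GeoIP database has no entry for; a data adapter returns nothing for them.
_NOT_ROUTABLE = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def geoip_lookup(ip):
    """Return (country, lat, lon) for a routable IP found in the table, else None."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _NOT_ROUTABLE):
        return None
    return next((geo for net, geo in _NETS if addr in net), None)

def enrich(event):
    """Add country and geo_location fields the way a lookup-table pipeline rule would;
    an unresolved address leaves the event unchanged instead of writing empty fields."""
    geo = geoip_lookup(event["source_ip"])
    if geo is None:
        return dict(event)
    country, lat, lon = geo
    return {**event, "source_ip_country": country, "source_ip_geo_location": f"{lat},{lon}"}

def country_counts(events):
    """Events per country: the series a world-map widget on a dashboard plots."""
    return Counter(e["source_ip_country"] for e in events if "source_ip_country" in e)

# Constructed sample events, as parsed authentication log lines might look.
SAMPLE_EVENTS = [
    {"source_ip": "192.0.2.44", "action": "login_ok"},
    {"source_ip": "198.51.100.7", "action": "login_failed"},
    {"source_ip": "192.0.2.9", "action": "login_failed"},
    {"source_ip": "10.0.0.5", "action": "login_ok"},  # RFC 1918: not geolocatable
    {"source_ip": "203.0.113.200", "action": "login_ok"},
]

if __name__ == "__main__":
    enriched = [enrich(e) for e in SAMPLE_EVENTS]
    for e in enriched:
        print(e)
    print(country_counts(enriched))  # Counter({'US': 2, 'DE': 1, 'JP': 1})
```

The unenriched event for 10.0.0.5 is the case to watch for on a real map widget: internal traffic should be counted separately, not silently dropped or plotted at a default coordinate.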
Finally, let’s talk about reports. I’ve created a GeoIP user activity report, which pulls in data from a parameterized dashboard. You can schedule reports to run daily, weekly, or monthly and send them to relevant users or departments, making it easier to share insights across teams.
This concludes Session 3 of our series, where we covered teams and permissions, data enrichment, and reports. We hope this series helps you move from a reactive to a proactive approach to log management. If you have any questions, now is the time for Q&A.