Kiwi Syslog Server是一款应用于Windows系统的系统日志守护进程,可以接收并记录系统日志,各类设备的SYSLOG消息,内置丰富的日志记录选项,能详细记录各类防火墙日志,并进行筛选分析。
本文主要介绍Kiwi Syslog Server配置Active Directory集成身份认证。
html
安装教程:
【逗老师带你学IT】Kiwi Syslog Server安装教程
https://blog.csdn.net/ytlzq0228/article/details/104827014
web
在多用户环境中使用Kiwi Syslog时,使用Active Directory集成认证有助于用户帐号受权的管理。这样,您能够控制谁能够经过AD认证访问Kiwi Syslog Web Access界面,避免管理很是多个本地账户带来的麻烦。浏览器
设置很是简单。
@[TOC]
安全
1、Kiwi Syslog Web Active Directory集成的前提条件:
一、Kiwi中的AD集成使用TCP端口389上的LDAP链接到域控制器,提早确认Kiwi Sylog Server跟域控之间的TCP 389端口正常通讯。
二、Kiwi Syslog的服务器必须加入用于认证的AD域。
服务器
2、Active Directory准备工做
一、在Active Directory中建立一个用户组或安全组,以用于控制对Kiwi Syslog的身份验证,或者选择已有的用户组或安全组,例如IT部门群组。
二、将受权访问Kiwi的用户账户添加到上面建立的安全组中,您但愿它们可以登陆到Kiwi Syslog Web Client。
微信
3、Kiwi Syslog Web Access中设置Active Director的步骤
一、登陆Kiwi Syslog Web Access
使用管理员账户登陆Kiwi Syslog Web Access
网络
二、Active Directory集成配置
打开“ Admin”->“ Active Directory Setting”
app
三、Active Directory认证配置参数
3.一、输入您的Active Directory环境的域URL
若是是AD域控制器,输入AD域控服务器DNS域名
如:csdn.com
若是是其余LDAP服务器,须要输入完整的LDAP URL
如ldap:// DomainController1:389 / ou = Groups,dc = npgdom,dc = com
3.二、将身份验证类型留为空白,默认为Secure。若是对LDAP使用其余身份验证类型,请进行更改。若是不知道这项什么意思,请将其留空。
3.三、在“用户组”字段中输入您在AD中建立的用户组的名称。能够使用多个用户组并用分号分隔。
3.四、点击保存设置。
查看AD域控制器的Windows防火墙,和沿途全部防火墙,确认运行Kiwi Syslog Server能够访问AD域控的TCP 389端口。
less
4、测试使用域账户登陆Kiwi Syslog Web访问
一、注销登陆当前管理员帐号,或新开一个浏览器小号窗口。
二、使用Domain\username的格式进行登陆,好比CSDN\doulaoshi。注意若是使用域帐号登陆,必须添加域名前缀
三、新用户第一次登陆会出现一条提示,不要慌,这不是报错!
第一次登陆系统须要在Kiwi Syslog中建立一个同名的本地账户,再次登陆便可以正常登陆
管理员能够看到用户管理中,新添加了一个域帐户。
dom
5、域账户登陆Kiwi Syslog Web权限
域帐户登陆以后的权限是标准用户权限,能够查询全部的日志,编辑过滤器,可是无权限访问Admin选项卡
6、参考资料
参考资料
1.如何集成Kiwi与活动目录:Network Pro Guide | How to Integrate Kiwi Syslog Web Access with Active Directory
官方手册
2.Kiwi web server AD认证设置:Solarwinds | Active Directory Authentication setting for Kiwi Syslog Server Web Access
3.Kiwi web Access AD认证:Solarwinds | Kiwi SyslogTM Web Access - AD Authentication
| 全部支持的LDAP认证类型: Auth types |
description |
|---|---|
| Anonymous | No authentication is performed. |
| Delegation | Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains. |
| Encryption | Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. |
| FastBind | Specifies that ADSI will not attempt to query the Active Directory Domain Services objectClass property. Therefore, only the base interfaces that are supported by all ADSI objects will be exposed. Other interfaces that the object supports will not be available. A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify if any of the request objects actually exist on the server. |
| None | Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider. |
| ReadonlyServer | For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding. |
| Sealing | Encrypts data using Kerberos. The Secure flag must also be set to use sealing. |
| Secure | Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating. |
| SecureSocketsLayer | Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory Domain Services requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption. |
| ServerBind | If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for server less paths. Specifying a server name without also specifying this flag results in unnecessary network traffic. |
| Signing | Verifies data integrity to ensure that the data received is the same as the data sent. The Secure flag must also be set to use signing. |
往期回顾:
【逗老师带你学IT】Kiwi Syslog Server安装和配置教程
【逗老师带你学IT】Kiwi Syslog Web Access与Active Directory集成认证
【逗老师带你学IT】vMware ESXi 6.7合并第三方硬件驱动
【逗老师带你学IT】Windows Server Network Policy Service(NPS)记帐与审计
【逗老师带你学IT】Windows Server NPS服务构建基于AD域控的radius认证
【逗老师带你学IT】AD域控和freeradius集成认证环境,PAP,MSCHAPV2
【逗老师带你学IT】PRTG监控系统配合树莓派采集企业内部无线网络质量
【逗老师带你学IT】深信服SSL远程接入与深信服行为审计同步登录用户信息
【逗老师带你学IT】PRTG监控系统合并多个传感器通道数据
【逗老师带你学IT】PRTG监控系统经过企业微信推送告警消息