Active Directory Domain Manager
Active Directory Synchronization
LogRhythm provides a regularly scheduled synchronization process to retrieve data from Active Directory and store it in the LogRhythm EMDB. After synchronization, you can access and filter the data using the following tools: Investigations, Tails, Reports, Personal Dashboard, Alarm Rule Criteria, SecondLook restore criteria, and Log Distribution Service (LDS) Policy criteria. You can also view the data from the Active Directory Browsers accessible via the Client Console.
LogRhythm administrators are able to manage LogRhythm users in the same manner as Active Directory users. This allows the administrators to put Active Directory users into the LogRhythm system based on their active directory.
Active Directory Group Based Authorization requires the Platform Manager to be a Domain member to function correctly.
Synchronization of Active Directory objects follows these rules:
- After a Group or User has been created in the local database, it is never deleted.
- All Users must be synced or synchronization fails. Each user is synced independently. If failure occurs, all users synced prior to failure will have been updated in the database.
- User Login Values: three login values are stored for each user and represent possible AD login strings:
- [Username] (i.e., pete). Saved in IDMUser.Login1.
- [Username]@[FQDN] (i.e., test@abcd.something.com). Saved in IDMUser.Login2.
- [NetBIOS Name]\[Username] (i.e., something\john). Saved in IDMUser.Login3.
- This format is only saved for root level domains. It is not saved for sub-domains because sub-domains may have the same NetBIOS name as the parent domain.
- Only login 1-3 fields are synchronized, login4 and login5 are not synced. Users can manually input values into these fields and they would be filtered on.
- All Groups must be synced or sync fails. Each group is synced independently. If failure occurs, all groups synced prior to failure will have been updated in the database.
- Group membership is synced to reflect membership at time of sync. All group members must be successfully updated or no changes are made for that group. Group membership is updated within a transaction. If any failure occurs when updating a single group, no changes for that group are updated in the database. However, groups having membership synced prior to failure will have been updated in the database.
Active Directory Permissions and Security
Active Directory Synchronization is required for the Windows Host Wizard to identify computers and for the Active Directory Group Authorization in the User Profile to identify users. The following permissions are required for Active Directory Synchronization.
- Ports must be enabled for the LDAP environment. To determine the ports required for your specific LDAP environment, see Active Directory and Active Directory Domain Services Port Requirements. Most deployments will require TCP and UDP 389.
- LDAP and Secure LDAP requires a trust relationship with remote domains to validate and synchronize. While Trust over LDAPS (LDAP with SSL) can be established with certs without having to set up an actual trust relationship, this configuration is currently not supported.
- The service account must have read permissions for the Job Manager.
- The service the Job Manager runs under must have the permissions required to query Active Directory to avoid permission-related errors.
Active Directory Domain Manager
The Active Directory Domain Manager window contains a grid to list the domains and subdomains that have been previously added for synchronization. The following table describes the columns in the grid.
| Column Name | Description |
|---|---|
| Action | The check box used in conjunction with the Actions context menu |
| Domain Name | The name of the domain. |
| Include In Sync | The indicator to include in the synchronization |
| Include in Group Based Authorization | Include the domain in the group-based authorization. |
| User Name | The user name provided to scan the domain. |
| Organizational Unit | The organizational unit for the domain. Used for Windows Host Wizard scanning. The Organizational Unit should be entered in the following format: ABCCompany/computers/servers/OUName |
| Description | The brief description given to the domain via the properties. |
| Status | The status of the domain, either Active or Retired. |
| Domain ID | The unique identifier for the domain record. |
There are two menu items available: New and Properties. The OK, Cancel, and Apply buttons appear at the bottom of the window.
The actions in the following table can be accessed by right-clicking the grid area.
| Context Menu | Description |
|---|---|
| New | Create a new domain and open the New Domain Properties Window. |
| Add Subdomains | Query Active Directory for sub-domains of the active domain configuration and add rows to the grid for each. If the grid already contains active rows for the sub-domains, their details are updated. The Add Subdomains context menu is disabled if the active domain configuration is retired. |
| Actions > Activate | Active domains. |
| Actions > Retire | Retire domains. |
| View > Retired Domains | Display retired domains. |
| Properties | Open the domain properties window. |
Synchronization of Domains
The domains are synchronized hourly. Domains must exist in the list and at least one must have Include in Sync or Include in Group Based Authorization checked in the appropriate column.
Synchronizing updates the LogRhythm deployment with the current users, groups, and group members in Active Directory. All domains where Include In Sync or Include in Group Based Authorization are checked will be synchronized.
The synchronization process does not delete users or groups because they might be referred to by log, event, and alarm records.
Scheduled Synchronization
The Job Manager service performs scheduled Active Directory Synchronization with these conditions:
- Synchronization starts five minutes after the Job Manager service starts.
- Synchronization occurs every hour as long as the Job Manager service is running.
- The Job Manager attempts to synchronize three times after experiencing an error before waiting for the next scheduled synchronization.
- The service the Job Manager runs under must have the permissions required to query AD to avoid permission related errors.
- Only domains that have Include In Sync selected are synchronized.
Active Directory Browsers
There are two Active Directory browsers, both accessible under Knowledge on the Tools menu. The browsers provide a means to access the existing Active Directory information that has been synchronized and stored in the LogRhythm EMDB. However, users who are limited to Restricted Admin or Restricted Analyst roles do not have access to view Active Directory group or user membership information in these browsers.
Active Directory User Browser
The Active Directory User Browser has two grids. The top grid contains all users who have been synchronized as part of the AD Synchronization process that stores the AD information in the LogRhythm EMDB. The lower grid lists the groups to which the user belongs.
Active Directory Group Browser
The Active Directory Group Browser has three grids. The top grid contains all groups that have been synchronized as part of the AD Synchronization process that stores the AD information in the LogRhythm EMDB. The lower-left grid lists the members of the group. The lower-right grid contains the user information for members of the group.