Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
Step 1: Install Grafana
Add the Grafana GPG key to the trusted keyrings
# curl -fsSL https://packages.grafana.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/grafana.key
Add the grafana package repository to the apt sources /etc/apt/sources.list.d/grafana.list
# echo "deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
Install the Grafana software package
# apt install grafana
Start and enable grafana
# systemctl enable grafana-server
# systemctl start grafana-server
Step 2: Enable TLS/SSL
Generate a host certificate and key for this specific service and place them in /etc/grafana/ssl with appropriate permissions:
# mkdir /etc/grafana/ssl
# cp <service-key> /etc/grafana/ssl/grafana.key
# cp <service-cert> /etc/grafana/ssl/grafana.pem
# chown root:grafana /etc/grafana/ssl/grafana.key
# chown root:grafana /etc/grafana/ssl/grafana.pem
# chmod 640 /etc/grafana/ssl/grafana.key
# chmod 644 /etc/grafana/ssl/grafana.pem
Edit the Grafana configuration file /etc/grafana/grafana.ini and enable SSL:

    [server]
    # Protocol (http, https, h2, socket)
    protocol = https
    ...
    # enable gzip
    enable_gzip = false
    # https certs & key file
    cert_file = /etc/grafana/ssl/grafana.pem
    cert_key = /etc/grafana/ssl/grafana.key
Restart Grafana to apply the change
# systemctl restart grafana-server
Step 3: LDAP
Grafana supports LDAP integration; in my case I used Active Directory as an authentication source. I defined three primary groups for Grafana:
- Grafana Role Admin – grafana-admins
- Grafana Role Editor – grafana-editors
- Grafana Role Viewer – grafana-viewers
Configure LDAP by editing /etc/grafana/ldap.toml. In my case AD is running SSL and I perform certificate validation; change the settings below to match your use case.

    # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
    # [log]
    # filters = ldap:debug

    [[servers]]
    # Ldap server host (specify multiple hosts space separated)
    host = "192.168.100.23 192.168.100.24 192.168.100.25"
    # Default port is 389 or 636 if use_ssl = true
    port = 636
    # Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
    use_ssl = true
    # If set to true, use LDAP with STARTTLS instead of LDAPS
    start_tls = false
    # set to true if you want to skip ssl cert validation
    ssl_skip_verify = false
    # set to the path to your root CA certificate or leave unset to use system defaults
    root_ca_cert = "/etc/ssl/certs/CA-certificate.crt"
    # Authentication against LDAP servers requiring client certificates
    client_cert = "/etc/grafana/client.crt"
    client_key = "/etc/grafana/client.key"

    # Search user bind dn
    bind_dn = "cn=adbind_grafana,ou=users,dc=mydomain,dc=org"
    # Search user bind password
    # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
    bind_password = 'very_long_random_password'

    # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
    #search_filter = "(cn=%s)"
    search_filter = "(sAMAccountName=%s)"

    # An array of base dns to search through
    search_base_dns = ["dc=mydomain,dc=org"]

    # Specify names of the ldap attributes your ldap uses
    [servers.attributes]
    name = "givenName"
    surname = "sn"
    username = "cn"
    member_of = "memberOf"
    # (Active Directory stores the address in the "mail" attribute)
    email = "email"

    # Map ldap groups to grafana org roles
    [[servers.group_mappings]]
    group_dn = "cn=grafana-admins,ou=Groups,dc=mydomain,dc=org"
    org_role = "Admin"

    [[servers.group_mappings]]
    group_dn = "cn=grafana-editors,ou=Groups,dc=mydomain,dc=org"
    org_role = "Editor"

    [[servers.group_mappings]]
    group_dn = "cn=grafana-viewers,ou=Groups,dc=mydomain,dc=org"
    org_role = "Viewer"
Enable LDAP authentication by editing /etc/grafana/grafana.ini

    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    allow_sign_up = false
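A quick audit of the TLS and LDAP settings from Steps 2 and 3, as an added example that is not part of the original guide. The function names (`ini_get`, `toml_get`, `world_readable`, `audit_grafana`) are hypothetical; the files and keys checked are the ones configured above.

```shell
#!/bin/sh
# Added example: check the files created in Steps 2 and 3 for weak settings.

# Print the value of KEY inside [SECTION] of an INI file, skipping comments.
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == s {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# Print the first "KEY = value" found in a TOML file.
toml_get() {  # usage: toml_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# True when the "others" read bit is set on FILE.
world_readable() { [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; }

# Print one FAIL line per finding; exit status 0 only when there are none.
audit_grafana() {  # usage: audit_grafana [CONFIG_DIR]
    dir=${1:-/etc/grafana}; ini=$dir/grafana.ini; ldap=$dir/ldap.toml; n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }

    [ "$(ini_get "$ini" server protocol)" = https ] ||
        fail "grafana.ini: [server] protocol is not https"
    key=$(ini_get "$ini" server cert_key)
    if [ ! -f "$key" ]; then fail "cert_key file not found: $key"
    elif world_readable "$key"; then fail "private key is world-readable: $key"
    fi
    [ "$(toml_get "$ldap" use_ssl)" = true ] ||
        fail "ldap.toml: use_ssl is not true, the bind is not encrypted"
    if [ "$(toml_get "$ldap" ssl_skip_verify)" = true ]; then
        fail "ldap.toml: ssl_skip_verify = true disables certificate validation"
    fi
    if world_readable "$ldap"; then
        fail "ldap.toml holds bind_password and is world-readable"
    fi
    [ "$n" -eq 0 ]
}
```

Source the file and run `audit_grafana` as root after each configuration change; with no argument it checks /etc/grafana.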
Step 4: SMTP
Configure SMTP by editing /etc/grafana/grafana.ini

    [smtp]
    enabled = true
    host = localhost:25
    from_address = grafana@mydomain.org
    from_name = Grafana
Step 5: Data Sources
Create a Prometheus data source: log on to Grafana and, under Settings -> Data Sources, define the Prometheus data source
- Name: DS-Prometheus
- URL: https://myhost.mydomain.org:9090
- SSL: Either skip TLS Verify (unsigned certificate) or select With CA Cert and add CA certificate
- Prometheus type: Prometheus
- Prometheus version: 2.24.x (Debian 11)
Create an InfluxDB data source: log on to Grafana and, under Settings -> Data Sources, define the InfluxDB data source
- Name: DS-InfluxDB-telegraf
- Query Language: InfluxQL
- URL: https://myhost.mydomain.org:8086
- With Credentials: enabled
- SSL: Either skip TLS Verify (unsigned certificate) or select With CA Cert and add CA certificate
- Database: telegraf
- Define user and password