Grafana

Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.


Step 1: Install Grafana

Add the Grafana package-signing GPG key to the keyring directory so APT can verify the packages:

# curl -fsSL https://packages.grafana.com/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/grafana.key

Add the Grafana package repository to the APT sources in /etc/apt/sources.list.d/grafana.list, pinned to that key with signed-by:

# echo "deb [signed-by=/usr/share/keyrings/grafana.key] https://apt.grafana.com stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list

Refresh the package index and install the Grafana package:

# apt update
# apt install grafana

Enable and start the Grafana service (the Debian package installs the unit as grafana-server):

# systemctl enable grafana-server
# systemctl start grafana-server

Step 2: Enable TLS/SSL

Obtain a host certificate and private key issued for this specific service and place them under /etc/grafana/ssl; the key is readable only by root and the grafana group, the certificate is world-readable:

# mkdir /etc/grafana/ssl

# cp <service-key> /etc/grafana/ssl/grafana.key
# cp <service-cert> /etc/grafana/ssl/grafana.pem

# chown root:grafana /etc/grafana/ssl/grafana.key
# chown root:grafana /etc/grafana/ssl/grafana.pem

# chmod 640 /etc/grafana/ssl/grafana.key
# chmod 644 /etc/grafana/ssl/grafana.pem

Edit the Grafana configuration file /etc/grafana/grafana.ini and switch the server to HTTPS:

[server]
# Protocol (http, https, h2, socket)
protocol = https

...

# enable gzip
enable_gzip = false
# https certs & key file
cert_file = /etc/grafana/ssl/grafana.pem
cert_key = /etc/grafana/ssl/grafana.key

Restart Grafana to apply the change:

# systemctl restart grafana-server

Step 3: LDAP

Grafana supports LDAP integration; in my case I used Active Directory as the authentication source. I defined three primary groups for Grafana:

  • Grafana Role Admin – grafana-admins
  • Grafana Role Editor – grafana-editors
  • Grafana Role Viewer – grafana-viewers

Configure LDAP by editing /etc/grafana/ldap.toml. In my case AD is running over SSL and I validate its certificate, but change the settings below to match your use case.

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "192.168.100.23 192.168.100.24 192.168.100.25"
# Default port is 389 or 636 if use_ssl = true
port = 636
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = true
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
root_ca_cert = "/etc/ssl/certs/CA-certificate.crt"
# Authentication against LDAP servers requiring client certificates
client_cert = "/etc/grafana/client.crt"
client_key = "/etc/grafana/client.key"

# Search user bind dn
bind_dn = "cn=adbind_grafana,ou=users,dc=mydomain,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'very_long_random_password'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
#search_filter = "(cn=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=mydomain,dc=org"]

# Specify names of the ldap attributes your ldap uses
# (these are Grafana's defaults; Active Directory exposes the login name as
# sAMAccountName and the mail address as mail, so adjust if the lookups fail)
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,ou=Groups,dc=mydomain,dc=org"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=grafana-editors,ou=Groups,dc=mydomain,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "cn=grafana-viewers,ou=Groups,dc=mydomain,dc=org"
org_role = "Viewer"

Define the LDAP settings by editing /etc/grafana/grafana.ini; allow_sign_up = false keeps accounts from being created for LDAP users who are not in one of the mapped groups:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = false
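As an added example (not part of the original page), a small audit that reads the two files configured in Steps 2 and 3 and reports the settings that weaken the setup: a non-HTTPS server, cleartext or unverified LDAP transport, LDAP self sign-up, and a malformed bind or group DN such as one with a dropped comma. The function names and the constructed sample configurations are this example's own; the keys checked are the ones used on this page.

```python
import configparser
import re
try:
    import tomllib  # stdlib since Python 3.11
except ModuleNotFoundError:  # older Pythons: pip install tomli
    import tomli as tomllib

# A DN is a comma-separated list of attr=value pairs; "ou=usersdc=mydomain" fails here.
RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"
DN_RE = re.compile(rf"^{RDN}(?:,{RDN})*$")

def audit_ldap_toml(text: str) -> list[str]:
    """Return findings for the transport, bind and group-mapping settings of ldap.toml."""
    findings = []
    for i, srv in enumerate(tomllib.loads(text).get("servers", [])):
        tag = f"servers[{i}]"
        if not srv.get("use_ssl") and not srv.get("start_tls"):
            findings.append(f"{tag}: bind password would travel in cleartext (no use_ssl/start_tls)")
        if srv.get("ssl_skip_verify"):
            findings.append(f"{tag}: ssl_skip_verify = true disables LDAP certificate validation")
        dns = [("bind_dn", srv.get("bind_dn", ""))]
        dns += [("group_dn", m.get("group_dn", "")) for m in srv.get("group_mappings", [])]
        for label, dn in dns:
            if not DN_RE.match(dn):
                findings.append(f"{tag}: malformed {label} {dn!r}")
    return findings

def audit_grafana_ini(text: str) -> list[str]:
    """Return findings for the [server] and [auth.ldap] sections of grafana.ini."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if cfg.get("server", "protocol", fallback="http") != "https":
        findings.append("server.protocol is not https: logins go over plain HTTP")
    if cfg.getboolean("auth.ldap", "allow_sign_up", fallback=True):
        findings.append("auth.ldap.allow_sign_up is true: any LDAP user can create an account")
    return findings

# Constructed samples modelled on the configuration shown on this page.
GOOD_INI = "[server]\nprotocol = https\n\n[auth.ldap]\nenabled = true\nallow_sign_up = false\n"
GOOD_TOML = """[[servers]]
host = "192.168.100.23"
use_ssl = true
ssl_skip_verify = false
bind_dn = "cn=adbind_grafana,ou=users,dc=mydomain,dc=org"
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,ou=Groups,dc=mydomain,dc=org"
org_role = "Admin"
"""
```

Run it against the real files with `audit_ldap_toml(open("/etc/grafana/ldap.toml").read())` and the same for grafana.ini; an empty list means the settings match this page.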

Step 4: SMTP

Configure SMTP (used for alert notifications and password reset mail) by editing /etc/grafana/grafana.ini:

[smtp]
enabled = true
host = localhost:25
from_address = grafana@mydomain.org
from_name = Grafana

Step 5: Data Sources

Create a Prometheus data source by logging on to Grafana and, under Settings -> Data Sources, defining it with:

  • Name: DS-Prometheus
  • URL: https://myhost.mydomain.org:9090
  • SSL: Either select Skip TLS Verify (self-signed certificate; this leaves the connection unauthenticated) or, preferably, select With CA Cert and add the CA certificate
  • Prometheus type: Prometheus
  • Prometheus version: 2.24.x (Debian 11)


Create an InfluxDB data source by logging on to Grafana and, under Settings -> Data Sources, defining it with:

  • Name: DS-InfluxDB-telegraf
  • Query Language: InfluxQL
  • URL: https://myhost.mydomain.org:8086
  • With Credentials: enabled
  • SSL: Either select Skip TLS Verify (self-signed certificate; this leaves the connection unauthenticated) or, preferably, select With CA Cert and add the CA certificate
  • Database: telegraf
  • Define user and password