Cool Solution - Grafana

Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Grafana offers an open source dashboards for visualizing your data. It can be used, for example, for visualizing data from ElasticSearch.


Set the Repository

Add the Grafana GPG Key

wget -qO - | sudo apt-key add -

Add the repository

echo "deb stretch main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list

Install Grafana

Install Grafana

univention-install grafana

Start Grafana and enable it as an autostarting service

systemctl enable grafana-server.service
systemctl start grafana-server.service

Open the Firewall

The user can reach Grafana by default using the port 3000. This port has to be opened in the firewall using the following ucr command

ucr set security/packetfilter/tcp/3000/all=ACCEPT \

Restart the univention Firewall

systemctl restart univention-firewall

Grafana LDAP Integration

The LDAP integration makes use of the memberOf overlay, please see the documentation about activating it.

To enable the LDAP integration open the configuration file /etc/grafana/grafana.ini, search for the LDAP authentication and activate the integration by setting the variable allow_sign_up to true.

The following script configures the actual LDAP integration to match your system. Please note that it will change your Domain Admins to be Grafana Admins and your Domain Users to be Editors. You might want to adapt it to your specific environment.

cat > /etc/grafana/ldap.toml <<_EOL_

host = "$(ucr get ldap/server/name)"
port = $(ucr get ldap/server/port)
use_ssl = false
start_tls = true
ssl_skip_verify = false
root_ca_cert = "/etc/univention/ssl/ucsCA/CAcert.pem"
bind_dn = "$(ucr get ldap/hostdn)"
bind_password = "$(cat /etc/machine.secret)"
search_filter = "(&(uid=%s)(univentionObjectType=users/user))"
search_base_dns = ["$(ucr get ldap/base)"]

# Specify names of the ldap attributes your ldap uses
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email =  "mailPrimaryAddress"

# Map ldap groups to grafana org roles
group_dn = "cn=Domain Admins,cn=groups,$(ucr get ldap/base)"
org_role = "Admin"

group_dn = "cn=Domain Users,cn=groups,$(ucr get ldap/base)"
org_role = "Editor"

group_dn = "*"
org_role = "Viewer"


Now restart Grafana again.

systemctl restart grafana-server.service

Configure Grafana

Grafana utilizes multiple plugins to import and visualize data. Navigate your web browser to

https://<ip of your server>:3000

The default username is admin and the password likewise is admin


Please ensure, that you have configured not only ElasticSearch but also, that you have already collected Data in the Database.

During the configuration, you will be asked to configure a Datasearch. Here you can select ElasticSearch. If you followed our guide, select the URL http://localhost:9200 and set Access to proxy

The index in our example is composed out of the [filebeat-6.2.3-]YYYY.MM.DD. For the Pattern select Daily. Leave the Time field name and select version 5.6+. Most beats for ElasticSearch write every minute. Thus 1m in Min interval should be sufficient. If you are monitoring some servers more frequently, you might want to change it to something different, e.g., 10s.

The index for metricbeat data has the same format [metricbeat-6.2.3-]YYYY.MM.DD. You can find more indices with following command

curl -XGET 'localhost:9200/_cat/indices?v'


Depending on how much data you have in your database, you might need to wait a couple of minutes before you can start creating a new Dashboard. To create a dashboard merely select the desired components and drag them into the Dashboard.

This topic was automatically closed after 24 hours. New replies are no longer allowed.