Add Windows Active Directory Mixin (#1105)

* initial

* updated readme + alerts

* checkpoint

* mixin finished

* added alerts

* added lint

* update readme

* added alerts panel

* Capitalization Changes

* readme update

* readme update

* Extraneous replication panel removal

* lint fix

* stefan 2/n

* Vitaly feedback 1/n

* updated links

* hide ad alerts behind feature flag

* Update windows-mixin/config.libsonnet

---------

Co-authored-by: v-zhuravlev <[email protected]>

Author: BominRahmani

windows-active-directory-mixin/.lint

@@ -0,0 +1,15 @@
+exclusions:
+  template-job-rule:
+    reason: "Prometheus datasource variable is being named as prometheus_datasource now while linter expects 'datasource'"
+  panel-datasource-rule:
+    reason: "Loki datasource variable is being named as loki_datasource now while linter expects 'datasource'"
+  template-datasource-rule:
+    reason: "Based on new convention we are using variable names prometheus_datasource and loki_datasource where as linter expects 'datasource'"
+  template-instance-rule:
+    reason: "Based on new convention we are using variable names prometheus_datasource and loki_datasource where as linter expects 'datasource'"
+  target-job-rule:
+    reason: "mixtool upgrade made this rule stricter. TODO: Fix errors and remove the warning exclusion"
+  panel-title-description-rule:
+    reason: "Not required for logs volume"
+  panel-units-rule:
+    reason: "Logs volume has no unit"

windows-active-directory-mixin/Makefile

@@ -0,0 +1,34 @@
+JSONNET_FMT := jsonnetfmt -n 2 --max-blank-lines 1 --string-style s --comment-style s
+
+.PHONY: all
+all: build dashboards_out prometheus_alerts.yaml
+
+vendor: jsonnetfile.json
+	jb install
+
+.PHONY: build
+build: vendor
+
+.PHONY: fmt
+fmt:
+	find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
+		xargs -n 1 -- $(JSONNET_FMT) -i
+
+.PHONY: lint
+lint: build
+	find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
+		while read f; do \
+			$(JSONNET_FMT) "$$f" | diff -u "$$f" -; \
+		done
+	mixtool lint mixin.libsonnet
+
+dashboards_out: mixin.libsonnet config.libsonnet $(wildcard dashboards/*)
+	@mkdir -p dashboards_out
+	mixtool generate dashboards mixin.libsonnet -d dashboards_out
+
+prometheus_alerts.yaml: mixin.libsonnet alerts/*.libsonnet
+	mixtool generate alerts mixin.libsonnet -a prometheus_alerts.yaml
+
+.PHONY: clean
+clean:
+	rm -rf dashboards_out prometheus_alerts.yaml

windows-active-directory-mixin/README.md

@@ -0,0 +1,154 @@
+# Windows Active Directory mixin
+The Windows Active Directory mixin is a set of configurable Grafana dashboards and alerts.
+
+The Windows Active Directory mixin contains the following dashboards:
+
+- Windows Active Directory overview
+- Windows logs
+
+and the following alerts:
+
+- WindowsActiveDirectoryHighPendingReplicationOperations
+- WindowsActiveDirectoryHighReplicationSyncRequestFailures
+- WindowsActiveDirectoryHighPasswordChange
+- WindowsActiveDirectoryMetricsDown
+
+## Windows Active Directory overview
+The Windows Active Directory overview dashboard provides details on alerts, LDAP operations and requests, bind operations, replication traffic, and database operations.
+![Windows Active Directory overview dashboard (LDAP)](https://storage.googleapis.com/grafanalabs-integration-assets/windows-active-directory/screenshots/windows_active_directory_overview_1.png)
+![Windows Active Directory overview dashboard (database)](https://storage.googleapis.com/grafanalabs-integration-assets/windows-active-directory/screenshots/window_active_directory_overview_2.png)
+
+# Windows logs
+The Windows logs dashboard provides details on incoming Windows application, security, and system logs.
+![Windows logs dashboard](https://storage.googleapis.com/grafanalabs-integration-assets/windows-active-directory/screenshots/windows_active_directory_logs.png)
+
+Windows logs are enabled by default in the `config.libsonnet` and can be disabled by setting `enableLokiLogs` to `false`. Then run `make` again to regenerate the dashboard:
+
+```
+{
+  _config+:: {
+    enableLokiLogs: false,
+  },
+}
+```
+
+For the selectors to properly work with the Windows logs ingested into your logs datasource, please also include the matching `instance` and `job` labels in the [scrape configs](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#scrape_configs) to match the labels for ingested metrics.
+
+```yaml
+    - job_name: integrations/windows-exporter-application
+      windows_events:
+        use_incoming_timestamp: true
+        eventlog_name: 'Application'
+        bookmark_path: "./bookmarks-app.xml"
+        xpath_query: '*'
+        locale: 1033
+        labels:
+           job: integrations/windows_exporter
+           instance: '<your-instance-name>' # must match instance used in windows_exporter
+      relabel_configs:
+        - source_labels: ['computer']
+          target_label: 'agent_hostname'
+      pipeline_stages:
+        - json:
+            expressions:
+              source: source
+              level: levelText
+        - labels:
+            source:
+            level:
+    - job_name: integrations/windows-exporter-system
+      windows_events:
+        use_incoming_timestamp: true
+        bookmark_path: "./bookmarks-sys.xml"
+        eventlog_name: "System"
+        xpath_query: '*'
+        locale: 1033
+        # - 1033 to force English language
+        # -  0 to use default Windows locale
+        labels:
+          job: integrations/windows_exporter
+          instance: '<your-instance-name>' # must match instance used in windows_exporter
+      relabel_configs:
+        - source_labels: ['computer']
+          target_label: 'agent_hostname'
+      pipeline_stages:
+        - json:
+            expressions:
+              source: source
+              level: levelText
+        - labels:
+            source:
+            level:
+    - job_name: integrations/windows-exporter-security
+      windows_events:
+        use_incoming_timestamp: true
+        bookmark_path: "./bookmarks-sys.xml"
+        eventlog_name: "Security"
+        xpath_query: '*'
+        locale: 1033
+        # - 1033 to force English language
+        # -  0 to use default Windows locale
+        labels:
+          job: integrations/windows_exporter
+          instance: '<your-instance-name>' # must match instance used in windows_exporter
+      relabel_configs:
+        - source_labels: ['computer']
+          target_label: 'agent_hostname'
+      pipeline_stages:
+        - json:
+            expressions:
+              source: source
+              level: levelText
+        - labels:
+            source:
+            level:
+
+```
+
+## Alerts overview
+- WindowsActiveDirectoryHighPendingReplicationOperations: There is a high number of pending replication operations in Active Directory. A high number of pending operations sustained over a period of time can indicate a problem with replication.
+- WindowsActiveDirectoryHighReplicationSyncRequestFailures: There are a number of replication synchronization request failures. These can cause authentication failures, outdated information being propagated across domain controllers, and potentially data loss or inconsistencies.'
+- WindowsActiveDirectoryHighPasswordChange: There is a high number of password changes. This may indicate unauthorized changes or attacks.
+- WindowsActiveDirectoryMetricsDown: Windows Active Directory metrics are down.
+
+Default thresholds can be configured in `config.libsonnet`.
+
+```js
+{
+    _configs+:: {
+    // alerts thresholds
+    alertsHighPendingReplicationOperations: 50,  // count
+    alertsHighReplicationSyncRequestFailures: 0, // count
+    alertsHighPasswordChanges: 25, //count
+    alertsMetricsDownJobName: 'integrations/windows',
+    }
+}
+```
+
+## Install tools
+```bash
+go install github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@latest
+go install github.com/monitoring-mixins/mixtool/cmd/mixtool@latest
+```
+
+For linting and formatting, you would also need `jsonnetfmt` installed. If you
+have a working Go development environment, it's easiest to run the following:
+
+```bash
+go install github.com/google/go-jsonnet/cmd/jsonnetfmt@latest
+```
+
+The files in `dashboards_out` need to be imported
+into your Grafana server. The exact details will be depending on your environment.
+
+`prometheus_alerts.yaml` needs to be imported into Prometheus.
+
+## Generate dashboards and alerts
+Edit `config.libsonnet` if required and then build JSON dashboard files for Grafana:
+
+```bash
+make
+```
+
+For more advanced uses of mixins, see
+https://github.com/monitoring-mixins/docs.

windows-active-directory-mixin/g.libsonnet

@@ -0,0 +1 @@
+import 'github.com/grafana/grafonnet/gen/grafonnet-v10.0.0/main.libsonnet'

windows-active-directory-mixin/jsonnetfile.json

@@ -0,0 +1,15 @@
+{
+  "version": 1,
+  "dependencies": [
+    {
+      "source": {
+        "git": {
+          "remote": "https://github.com/grafana/jsonnet-libs.git",
+          "subdir": "windows-observ-lib"
+        }
+      },
+      "version": "master"
+    }
+  ],
+  "legacyImports": true
+}

windows-active-directory-mixin/mixin.libsonnet

@@ -0,0 +1,50 @@
+local windowsobservlib = import '../windows-observ-lib/main.libsonnet';
+local alerts = import './alerts/alerts.libsonnet';
+local g = import './g.libsonnet';
+local var = g.dashboard.variable;
+local activedirectorymixin =
+  windowsobservlib.new(
+    filteringSelector='job=~"integrations/windows_exporter"',
+    uid='active-directory',
+    groupLabels=['job'],
+    instanceLabels=['instance'],
+  )
+
+  {
+    config+: {
+      enableADDashboard: true,
+    },
+  }
+
+  {
+    grafana+: {
+      local link = g.dashboard.link,
+      links: {
+        otherDashboards:
+          link.dashboards.new('All Windows Active Directory dashboards', activedirectorymixin.config.dashboardTags)
+          + link.dashboards.options.withIncludeVars(true)
+          + link.dashboards.options.withKeepTime(true)
+          + link.dashboards.options.withAsDropdown(true),
+      },
+      variables+: {
+        datasources+: {
+          loki+: var.datasource.withRegex('Loki|.+logs'),
+          prometheus+: var.datasource.withRegex('Prometheus|Cortex|Mimir|grafanacloud-.+-prom'),
+        },
+      },
+
+    },
+  };
+
+local activedirectorydashboards = ['activedirectory', 'logs'];
+local selectedDashboards = {
+  [key]: activedirectorymixin.grafana.dashboards[key]
+  for key in activedirectorydashboards
+  if key in activedirectorymixin.grafana.dashboards
+};
+
+{
+  grafanaDashboards+:: selectedDashboards,
+  prometheusAlerts+:: activedirectorymixin.prometheus.alerts,
+  prometheusRules+:: activedirectorymixin.prometheus.recordingRules,
+}

windows-mixin/config.libsonnet

@@ -18,6 +18,7 @@
     alertsCPUThresholdWarning: '90',
     alertMemoryUsageThresholdCritical: '90',
     alertDiskUsageThresholdCritical: '90',
+    enableADDashboard: false,
     // set to false to disable logs dashboard and logs annotations
     enableLokiLogs: true,
   },

windows-observ-lib/alerts.libsonnet

@@ -1,6 +1,75 @@
 {
   new(this): {
-
+    local ADAlerts = [
+      {
+        alert: 'WindowsActiveDirectoryHighPendingReplicationOperations',
+        expr: |||
+          windows_ad_replication_pending_operations{%(filteringSelector)s} >= %(alertsHighPendingReplicationOperations)s 
+        ||| % this.config,
+        'for': '10m',
+        labels: {
+          severity: 'warning',
+        },
+        annotations: {
+          summary: 'There is a high number of pending replication operations in Active Directory. A high number of pending operations sustained over a period of time can indicate a problem with replication.',
+          description:
+            (
+              'The number of pending replication operations on {{$labels.instance}} is {{ printf "%%.0f" $value }} which is above the threshold of %(alertsHighPendingReplicationOperations)s.'
+            ) % this.config,
+        },
+      },
+      {
+        alert: 'WindowsActiveDirectoryHighReplicationSyncRequestFailures',
+        expr: |||
+          increase(windows_ad_replication_sync_requests_schema_mismatch_failure_total{%(filteringSelector)s}[5m]) > %(alertsHighReplicationSyncRequestFailures)s 
+        ||| % this.config,
+        'for': '5m',
+        labels: {
+          severity: 'critical',
+        },
+        annotations: {
+          summary: 'There are a number of replication synchronization request failures. These can cause authentication failures, outdated information being propagated across domain controllers, and potentially data loss or inconsistencies.',
+          description:
+            (
+              'The number of replication sync request failures on {{$labels.instance}} is {{ printf "%%.0f" $value }} which is above the threshold of %(alertsHighReplicationSyncRequestFailures)s.'
+            ) % this.config,
+        },
+      },
+      {
+        alert: 'WindowsActiveDirectoryHighPasswordChanges',
+        expr: |||
+          increase(windows_ad_sam_password_changes_total{%(filteringSelector)s}[5m]) > %(alertsHighPasswordChanges)s
+        ||| % this.config,
+        'for': '5m',
+        labels: {
+          severity: 'warning',
+        },
+        annotations: {
+          summary: 'There is a high number of password changes. This may indicate unauthorized changes or attacks.',
+          description:
+            (
+              'The number of password changes on {{$labels.instance}} is {{ printf "%%.0f" $value }} which is greater than the threshold of %(alertsHighPasswordChanges)s'
+            ) % this.config,
+        },
+      },
+      {
+        alert: 'WindowsActiveDirectoryMetricsDown',
+        expr: |||
+          up{job="%(alertsMetricsDownJobName)s"} == 0
+        ||| % this.config,
+        'for': '5m',
+        labels: {
+          severity: 'critical',
+        },
+        annotations: {
+          summary: 'Windows Active Directory metrics are down.',
+          description:
+            (
+              'There are no available metrics for Windows Active Directory integration from instance {{$labels.instance}}.'
+            ) % this.config,
+        },
+      },
+    ],
     groups: [
       {
         name: 'windows-alerts-' + this.config.uid,
@@ -120,7 +189,7 @@
               ||| % this.config,
             },
           },
-        ],
+        ] + if this.config.enableADDashboard then ADAlerts else [],
       },
     ],
   },