Graylog root_username and LDAP lookup


We use ‘admin’ as root_username in server.conf and our Security says
they see errors in LDAP logs as if Graylog tries to perform lookups using that user.
Is there a way to prevent Graylog from doing LDAP authentications with the admin user
or is it best to switch username to something else ?

Maybe the best if you use an LDAP user with admin rights.
Unfortunately I have never understood why users use admin/root users. It’s for emergency use. Use every user own user.

Thanks for your reply.
Everyone is able to login on our Graylog cluster using their AD user authenticated against our LDAP server. These are regular users, no admin/root users except us syadmins who have the admin role.
This regards the, i presume, internal root graylog user (which is called admin).
Does Graylog use that user to perform LDAP queries ?

I have same error message in my graylog log, it’s probably a bug. LDAP works, but error is annoying. I tested graylog 3.1 and 3.2.3

rename the root_username to something that is not part of your LDAP. Like “graylog_admin_user” and use this only when LDAP is not working with your unique user like @macko003 already wrote .

@shoothub rename the default admin and in Graylog to something that is not in LDAP and it will work.

1 Like

Thanks Jan.
Is Graylog using this user when trying to do LDAP authentification ?

Can you post the (generic) LDAP error your security group sees?

@tmacgbay I’ll ask them

How the GL try to auth? First check the local DB, then the LDAP, or LDAP, next local?

@Cato @macko003

you can actually configure the order and default is to ask the build in admin user as latest. Means when Graylog itself is polling itself this will create a request to LDAP and if the very same username is given a “wrong password” message and it will then be successful on the last provider which is the build in password.

That is the reason that the build in user can be renamed to work around this situation. Rename that user and all is fine.

1 Like


Here’s an example :
03/18/2020 05:34:51 PM
SourceName=Microsoft Windows security auditing.
Keywords=Audit Failure
Message=An account failed to log on.

Account Name: STODC01$
Account Domain:
Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x264
Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
Workstation Name: STODC01
Source Network Address:
Source Port: 42244

Detailed Authentication Information:
Logon Process: Advapi
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

1 Like


I have changed the order for the authentification providers. If that doesn’t help, i’ll rename the user

Thanks for the information.

This was solved by remaning the Graylog admin user

root_username = graylog_admin_user


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.