Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, Alerting, Monitoring, and More With the Elastic Stack

Elastic Co
February 18, 2016
Technology
2
4.8k

Security, Alerting, Monitoring, and More With the Elastic Stack

Elastic's Jay Modi, Alexander Reelsen, Joe Fleming, Tanguy Leroux, and Tim Sullivan present X-Pack — and all the cool features it brings to the Elastic Stack — at Elastic{ON}16 in San Francisco on February 18, 2016.

Elastic Co

February 18, 2016
Tweet

More Decks by Elastic Co

See All by Elastic Co
Les Vendredis noirs : même pas peur ! - Breizhcamp
elastic
15
780
Confoo Montreal: Ingest node: enriching documents within Elasticsearch
elastic
16
810
Elastic{ON} 2018 - Sipping from the Firehose: Scalable Endpoint Data for Incident Response
elastic
6
4.2k
Elastic{ON} 2018 - A Security Analytics Platform for Today
elastic
3
11k
Elastic{ON} 2018 - The State of Geo in Elasticsearch
elastic
7
12k
Elastic{ON} 2018 - Reliable by design - Applying formal methods to distributed systems
elastic
5
4.7k
Elastic{ON} 2018 - Bigger, Faster, Stronger - Leveling Up Enterprise Logging
elastic
1
4.9k
Elastic{ON} 2018: Latest in Logstash
elastic
1
4.5k
Elastic{ON} 2018 - Lessons Learned from Workday's Search Application Journey from POC to Production
elastic
2
2.4k

Other Decks in Technology

See All in Technology
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
170
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
250
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
270
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
5
520
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
130
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
反実仮想機械学習とは何か
usaito
PRO
11
4.6k
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
Janus
bkuhlmann
1
490
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
120
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
220
JAWS-UG Bedrock Claude Night
yamahiro
3
600

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Infographics Made Easy
chrislema
238
18k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Unsuck your backbone
ammeep
663
57k
Documentation Writing (for coders)
carmenintech
60
3.9k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k

Transcript

  1. ‹#› Security, Alerting, Monitoring and More with the Elastic Stack

  2. Monitoring Tanguy Leroux Tim Sullivan @tlrx @timsullivanyeah All the Things

  3. ‹#› Logging and monitoring are at the heart of making

    sure your solutions are up and running to your expectations. - David Messina VP, Enterprise Marketing at Docker’s VP of Enterprise Marketing

  4. ‹#› And then Marvel 1.0 Arrived First commercial plugin of

    Elastic!

  5. Cluster Pulse 5

  6. ‹#›

  7. ‹#›

  8. ‹#› Monitoring for Elasticsearch 2.x Yes, we like to rename

    things :)

  9. Multi-Cluster Support 9

  10. Cluster Overview at a Glance 10

  11. Node Listing 11

  12. ‹#›

  13. 19 Kibana 5 New design Issues Cross-Stack Monitoring

  14. ‹#› Spotlight Theater @ 4:40pm Monitoring Elasticsearch

  15. Security Don’t Hack Me Bro! Jay Modi @jaymode2001

  16. 16 Security for the Elastic Stack • Username/password protection Simply

    Secure Elasticsearch Advanced Security When Needed • LDAP, Active Directory, and PKI integration • Role-based access control • Field and document level security • Encrypted communication • Auditing

  17. Adding Users (now) Command Line Utility 17 $ bin/shield/esusers useradd

    jaymode -r admin Enter new password: Retype new password:

  18. Security APIs User and Role management 18 curl –XPUT localhost:9200/_shield/user/jaymode

    –d ‘ { "roles" : ["engineering", "security"], "password" : "changeme" }’ curl –XPUT localhost:9200/_shield/role/security –d ‘ { "cluster": ["all"], "indices": [ { "names": ".shield_audit_log-*",
 "privileges": ["all"] } ] }’

  19. Kibana Sessions and Login Screen 19

  20. User and Roles UI 20

  21. ‹#› Security Configuration API & UI

  22. ‹#› Kibana Security

  23. ‹#› Built In Users

  24. ‹#› Spotlight Theater @ 2:40pm Securing Elasticsearch

  25. Alerting Watch This! Alexander Reelsen @spinscale

  26. ‹#› Notify me on chat, if we have over 1000

    orders per hour - The Startup CEO

  27. ‹#› Trigger an alert, when the same IP accesses all

    services in a certain interval - Your Admin

  28. ‹#› Email me when the product is back in stock!

    - Desperate Online Shopper

  29. ‹#› 5% traffic increase in the last 5 minutes. Ping

    folks on chat! - Your Loadbalancer

  30. ‹#› 5% traffic increase in the last 5 minutes at

    2am. Pager time! - Not your SO

  31. ‹#› Can you predict the additional system resources for the

    next two weeks? - Every system architect ever

  32. 32 A Watch consists of… • Trigger • Input •

    Condition • Actions • Metadata • Transformation

  33. { } 33 PUT /_watcher/watch/cluster_health

  34. { "trigger" : { "schedule" : { "interval" : "10s"

    } } } 34 PUT /_watcher/watch/cluster_health

  35. { "trigger" : { "schedule" : { "interval" : "10s"

    } }, "input" : { "http" : { "request" : { "url" : "http://localhost:9200/_cluster/health" } } } } 35 PUT /_watcher/watch/cluster_health

  36. { "trigger" : { "schedule" : { "interval" : "10s"

    } }, "input" : { "http" : { "request" : { "url" : "http://localhost:9200/_cluster/health" } } }, "condition" : { "compare" : { "ctx.payload.status" : { "eq" : "red" } } } } 36 PUT /_watcher/watch/cluster_health

  37. { "trigger" : { "schedule" : { "interval" : "10s"

    } }, "input" : { "http" : { "request" : { "url" : "http://localhost:9200/_cluster/health" } } }, "condition" : { "compare" : { "ctx.payload.status" : { "eq" : "red" } } }, "actions" : { "send_email" : { "email" : { "to" : "[email protected]", "subject" : "Cluster Status Warning", "body" : "Cluster status is RED" } } } } 37 PUT /_watcher/watch/cluster_health

  38. ‹#› Recap

  39. 2.0: Hipchat action 39 "actions" : { "notify-hipchat" : {

    "hipchat" : { "account" : "integration-account", "message" : { "body" : "@{{ctx.metadata.userOnDuty}} Encountered {{ctx.payload.hits.total}} errors in the last 5 minutes (facepalm)", "format" : "text", "color" : "red", "notify" : true } } } }

  40. 2.0: Slack action 40 "actions" : { "notify-slack" : {

    "slack" : { "message" : { "from" : "watcher", "to" : [ "#admins", "#errors" ] , "text" : "Monitoring incident", "attachments" : [ { "text" : "@{{ctx.metadata.userOnDuty}} Encountered {{ctx.payload.hits.total}} errors in the last 5 minutes (facepalm)", "title" : "text", "color" : "danger" ] } ...

  41. 2.0: Activate/Deactivate REST API 41 PUT /_watcher/watch/<watch_id>/_activate PUT /_watcher/watch/<watch_id>/_deactivate

  42. 2.0: Array Compare 42 "condition": { "array_compare": { "ctx.payload.aggregations.top_tweeters.buckets" :

    { "path": "doc_count", "gte": { "value": 25, "quantifier": "some" } } } }

  43. 2.1: Chained inputs 43 "input" : { "chain": { "inputs":

    [ { "first": { "simple" : { "path" : "/_search" } } }, { "second": { "http" : { "request" : { … } } } } ] } } ... }

  44. 2.1: Chained inputs 44 {{ctx.payload.second.hits.total}} {{ctx.payload.first.path}} "input" "chain" "inputs" "first"

    "second" } } ... }

  45. 2.3: PagerDuty action 45 "actions" : { "notify-pagerduty" : {

    "pagerduty" : { "message" : { "description" : "Main system down, please check! Happened at {{ctx.execution_time}}", "client" : "/foo/bar/{{ctx.watch_id}}", "attach_payload" : true, "context" : [ { "type" : "response", "href" : "http://www.test.de/foo" } ] ...

  46. 2.3: External email attachments 46 "actions" : { "email_admin" :

    { "email" : { "to" : "[email protected]", "attachments" : { "my_id" : { "http" : { "request" : { "url" : "http://example.org/daily-report.pdf" } } } } } ...

  47. ‹#› What's next?

  48. ‹#› Curator

  49. ‹#› Watcher UI

  50. ‹#› Actions

  51. ‹#› Friday, Lunch area @ 11:00am BoF: Alerting & Notifications

    Share Your Watcher Stories

  52. Reporting Kibana For Your Inbox Joe Fleming @w33ble

  53. ‹#› I need this information. Can you send me a

    report? - Every Manager Ever

  54. 54

  55. 55

  56. ‹#› Network’s down. Meeting’s over. - No Manager Ever

  57. None
  58. None

  59. Delivery with Alerting 59 "actions" : { "email_admin" : {

    "email" : { "to" : "[email protected]", "attachments" : { "my_id" : { "http" : { "request" : { "url" : "http://example.org/daily-report.pdf" } } } } } ...

  60. ‹#› 5.0 Alpha 1

  61. ‹#› Distributed Rendering

  62. ‹#› Administrative Control

  63. ‹#› Historical Archive

  64. ‹#› Spotlight Theater @ 3:40pm From Dashboard to PDF Generate

    Reports with the Elastic Stack

  65. 65

  66. ‹#› Monitoring Elasticsearch Securing Elasticsearch From Dashboard to PDF BoF:

    Alerting & Notifications Spotlight Theater: 2:40pm Spotlight Theater: 3:40pm Spotlight Theater: 4:40pm Lunch Area: Friday at 11:00am