Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, Alerting, Monitoring, and More With t...

Elastic Co
February 18, 2016
Technology
2
4.8k

Security, Alerting, Monitoring, and More With the Elastic Stack

Elastic's Jay Modi, Alexander Reelsen, Joe Fleming, Tanguy Leroux, and Tim Sullivan present X-Pack — and all the cool features it brings to the Elastic Stack — at Elastic{ON}16 in San Francisco on February 18, 2016.

Elastic Co

February 18, 2016
Tweet

More Decks by Elastic Co

See All by Elastic Co
Les Vendredis noirs : même pas peur ! - Breizhcamp
elastic
15
860
Confoo Montreal: Ingest node: enriching documents within Elasticsearch
elastic
16
840
Elastic{ON} 2018 - Sipping from the Firehose: Scalable Endpoint Data for Incident Response
elastic
6
4.2k
Elastic{ON} 2018 - A Security Analytics Platform for Today
elastic
3
11k
Elastic{ON} 2018 - The State of Geo in Elasticsearch
elastic
7
12k
Elastic{ON} 2018 - Reliable by design - Applying formal methods to distributed systems
elastic
5
4.7k
Elastic{ON} 2018 - Bigger, Faster, Stronger - Leveling Up Enterprise Logging
elastic
1
5k
Elastic{ON} 2018: Latest in Logstash
elastic
1
4.5k
Elastic{ON} 2018 - Lessons Learned from Workday's Search Application Journey from POC to Production
elastic
2
2.4k

Other Decks in Technology

See All in Technology
株式会社島津製作所_研究開発(集団協業と知的生産)の現場を支える、OSS知識基盤システムの導入
akahane92
1
190
"君は見ているが観察していない"で考えるインシデントマネジメント
grimoh
4
1.1k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
0
110
元旅行会社の情シス部員が教えるおすすめなre:Inventへの行き方 / What is the most efficient way to re:Invent
naospon
2
290
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
540
フルカイテン株式会社 採用資料
fullkaiten
0
40k
株式会社ログラス − エンジニア向け会社説明資料 / Loglass Comapany Deck for Engineer
loglass2019
3
28k
AWS パートナー企業でテクニカルサポートに従事して 3年経ったので思うところをまとめてみた
kazzpapa3
1
220
GraphRAGを用いたLLMによるパーソナライズド推薦の生成
naveed92
0
200
State of Open Source Web Mapping Libraries
dayjournal
0
220
今、始める、第一歩。 / Your first step
yahonda
2
710
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
290

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
31
6.3k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
560
The Invisible Side of Design
smashingmag
297
50k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
RailsConf 2023
tenderlove
29
890
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Measuring & Analyzing Core Web Vitals
bluesmoon
3
77

Transcript

  1. ‹#› Security, Alerting, Monitoring and More with the Elastic Stack

  2. Monitoring Tanguy Leroux Tim Sullivan @tlrx @timsullivanyeah All the Things

  3. ‹#› Logging and monitoring are at the heart of making

    sure your solutions are up and running to your expectations. - David Messina VP, Enterprise Marketing at Docker’s VP of Enterprise Marketing

  4. ‹#› And then Marvel 1.0 Arrived First commercial plugin of

    Elastic!

  5. Cluster Pulse 5

  6. ‹#›

  7. ‹#›

  8. ‹#› Monitoring for Elasticsearch 2.x Yes, we like to rename

    things :)

  9. Multi-Cluster Support 9

  10. Cluster Overview at a Glance 10

  11. Node Listing 11

  12. ‹#›

  13. 19 Kibana 5 New design Issues Cross-Stack Monitoring

  14. ‹#› Spotlight Theater @ 4:40pm Monitoring Elasticsearch

  15. Security Don’t Hack Me Bro! Jay Modi @jaymode2001

  16. 16 Security for the Elastic Stack • Username/password protection Simply

    Secure Elasticsearch Advanced Security When Needed • LDAP, Active Directory, and PKI integration • Role-based access control • Field and document level security • Encrypted communication • Auditing

  17. Adding Users (now) Command Line Utility 17 $ bin/shield/esusers useradd

    jaymode -r admin Enter new password: Retype new password:

  18. Security APIs User and Role management 18 curl –XPUT localhost:9200/_shield/user/jaymode

    –d ‘ { "roles" : ["engineering", "security"], "password" : "changeme" }’ curl –XPUT localhost:9200/_shield/role/security –d ‘ { "cluster": ["all"], "indices": [ { "names": ".shield_audit_log-*",
 "privileges": ["all"] } ] }’

  19. Kibana Sessions and Login Screen 19

  20. User and Roles UI 20

  21. ‹#› Security Configuration API & UI

  22. ‹#› Kibana Security

  23. ‹#› Built In Users

  24. ‹#› Spotlight Theater @ 2:40pm Securing Elasticsearch

  25. Alerting Watch This! Alexander Reelsen @spinscale

  26. ‹#› Notify me on chat, if we have over 1000

    orders per hour - The Startup CEO

  27. ‹#› Trigger an alert, when the same IP accesses all

    services in a certain interval - Your Admin

  28. ‹#› Email me when the product is back in stock!

    - Desperate Online Shopper

  29. ‹#› 5% traffic increase in the last 5 minutes. Ping

    folks on chat! - Your Loadbalancer

  30. ‹#› 5% traffic increase in the last 5 minutes at

    2am. Pager time! - Not your SO

  31. ‹#› Can you predict the additional system resources for the

    next two weeks? - Every system architect ever

  32. 32 A Watch consists of… • Trigger • Input •

    Condition • Actions • Metadata • Transformation

  33. { } 33 PUT /_watcher/watch/cluster_health

  34. { "trigger" : { "schedule" : { "interval" : "10s"

    } } } 34 PUT /_watcher/watch/cluster_health

  35. { "trigger" : { "schedule" : { "interval" : "10s"

    } }, "input" : { "http" : { "request" : { "url" : "http://localhost:9200/_cluster/health" } } } } 35 PUT /_watcher/watch/cluster_health

  36. { "trigger" : { "schedule" : { "interval" : "10s"

    } }, "input" : { "http" : { "request" : { "url" : "http://localhost:9200/_cluster/health" } } }, "condition" : { "compare" : { "ctx.payload.status" : { "eq" : "red" } } } } 36 PUT /_watcher/watch/cluster_health

  37. { "trigger" : { "schedule" : { "interval" : "10s"

    } }, "input" : { "http" : { "request" : { "url" : "http://localhost:9200/_cluster/health" } } }, "condition" : { "compare" : { "ctx.payload.status" : { "eq" : "red" } } }, "actions" : { "send_email" : { "email" : { "to" : "[email protected]", "subject" : "Cluster Status Warning", "body" : "Cluster status is RED" } } } } 37 PUT /_watcher/watch/cluster_health

  38. ‹#› Recap

  39. 2.0: Hipchat action 39 "actions" : { "notify-hipchat" : {

    "hipchat" : { "account" : "integration-account", "message" : { "body" : "@{{ctx.metadata.userOnDuty}} Encountered {{ctx.payload.hits.total}} errors in the last 5 minutes (facepalm)", "format" : "text", "color" : "red", "notify" : true } } } }

  40. 2.0: Slack action 40 "actions" : { "notify-slack" : {

    "slack" : { "message" : { "from" : "watcher", "to" : [ "#admins", "#errors" ] , "text" : "Monitoring incident", "attachments" : [ { "text" : "@{{ctx.metadata.userOnDuty}} Encountered {{ctx.payload.hits.total}} errors in the last 5 minutes (facepalm)", "title" : "text", "color" : "danger" ] } ...

  41. 2.0: Activate/Deactivate REST API 41 PUT /_watcher/watch/<watch_id>/_activate PUT /_watcher/watch/<watch_id>/_deactivate

  42. 2.0: Array Compare 42 "condition": { "array_compare": { "ctx.payload.aggregations.top_tweeters.buckets" :

    { "path": "doc_count", "gte": { "value": 25, "quantifier": "some" } } } }

  43. 2.1: Chained inputs 43 "input" : { "chain": { "inputs":

    [ { "first": { "simple" : { "path" : "/_search" } } }, { "second": { "http" : { "request" : { … } } } } ] } } ... }

  44. 2.1: Chained inputs 44 {{ctx.payload.second.hits.total}} {{ctx.payload.first.path}} "input" "chain" "inputs" "first"

    "second" } } ... }

  45. 2.3: PagerDuty action 45 "actions" : { "notify-pagerduty" : {

    "pagerduty" : { "message" : { "description" : "Main system down, please check! Happened at {{ctx.execution_time}}", "client" : "/foo/bar/{{ctx.watch_id}}", "attach_payload" : true, "context" : [ { "type" : "response", "href" : "http://www.test.de/foo" } ] ...

  46. 2.3: External email attachments 46 "actions" : { "email_admin" :

    { "email" : { "to" : "[email protected]", "attachments" : { "my_id" : { "http" : { "request" : { "url" : "http://example.org/daily-report.pdf" } } } } } ...

  47. ‹#› What's next?

  48. ‹#› Curator

  49. ‹#› Watcher UI

  50. ‹#› Actions

  51. ‹#› Friday, Lunch area @ 11:00am BoF: Alerting & Notifications

    Share Your Watcher Stories

  52. Reporting Kibana For Your Inbox Joe Fleming @w33ble

  53. ‹#› I need this information. Can you send me a

    report? - Every Manager Ever

  54. 54

  55. 55

  56. ‹#› Network’s down. Meeting’s over. - No Manager Ever

  57. None
  58. None

  59. Delivery with Alerting 59 "actions" : { "email_admin" : {

    "email" : { "to" : "[email protected]", "attachments" : { "my_id" : { "http" : { "request" : { "url" : "http://example.org/daily-report.pdf" } } } } } ...

  60. ‹#› 5.0 Alpha 1

  61. ‹#› Distributed Rendering

  62. ‹#› Administrative Control

  63. ‹#› Historical Archive

  64. ‹#› Spotlight Theater @ 3:40pm From Dashboard to PDF Generate

    Reports with the Elastic Stack

  65. 65

  66. ‹#› Monitoring Elasticsearch Securing Elasticsearch From Dashboard to PDF BoF:

    Alerting & Notifications Spotlight Theater: 2:40pm Spotlight Theater: 3:40pm Spotlight Theater: 4:40pm Lunch Area: Friday at 11:00am