Enabling Enterprise Search Platform with Elastic Stack

34cbde72de5f384380d5489543294dc5?s=47 Kosho Owa
June 27, 2016
Technology
0
1.6k

Enabling Enterprise Search Platform with Elastic Stack

ElasticsearchとLogstashで始めるEnterprise Search Platform
Elasticsearch勉強会スライド
2016年6月27日

34cbde72de5f384380d5489543294dc5?s=128

Kosho Owa

June 27, 2016
Tweet

More Decks by Kosho Owa

See All by Kosho Owa
34cbde72de5f384380d5489543294dc5?s=48 kosho
1
9.9k
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
220
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
220
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
610
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
1.5k
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
66
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
120
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
48
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
98

Other Decks in Technology

See All in Technology
Cd823abda454a7a2065fe6fe273ae84b?s=48 viva_tweet_x
2
260
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
2
430
44b799f91cc48e38c5fe9f5d9c5ecc61?s=48 takaichi00
28
11k
53850955f15249a1a9dc49df6113e400?s=48 line_developers
0
2.4k
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
260
5919537a0ecfa5d4dea704cf878ae90e?s=48 toshimaru
29
11k
Ad22fcf5773b906c08330f4d57242212?s=48 inductor
3
760
18f1e3993e9ead63e7a0f70d9eb996bb?s=48 wkm2
0
130
Ad22fcf5773b906c08330f4d57242212?s=48 inductor
13
2.1k
C21becdee5cd08b34c7452276e64c1fe?s=48 yamamuteki
6
1.1k
Ca7e4f1680e175e6462a039923e71fc5?s=48 kyokonishito
0
170
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
200

Featured

See All Featured
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
293
38k
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
652
54k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
218
14k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
70
3.3k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
325
34k
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
93
5k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
366
42k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
49
3.2k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
154
6.1k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
142
19k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
2
290

Transcript

  1. ‹#› Kosho Owa, Solutions Architect, Elastic Elasticsearch Meetup Tokyo, 2016-06-27

    ElasticsearchͱLogstashͰ࢝ΊΔ Enterprise Search Platform

  2. Elastic StackͷϢʔεέʔε 2 ϩά + ෼ੳ ݕࡧ

  3. ElasticsearchͱLogstashͰ࢝ΊΔEnterprise Search • Ϣʔβ͸SambaͰڞ༗͞ΕͨετϨʔδʹυΩϡϝϯτΛอଘ͢Δ • υΩϡϝϯτͷ௥Ճɺߋ৽ɺ࡟আ΁λΠϜϦʔʹ௥ै͠ɺυΩϡϝϯτΛ ΠϯσοΫε͢Δ • Ϣʔβ͸΢ΣϒͷΠϯλʔϑΣΠεΛ௨ͯ͡ݕࡧ͢Δ (ࠓճͷείʔϓ֎)

    3

  4. ϑϩʔ 4 ࡞੒ɺߋ৽ɺ࡟আ͞ ΕͨϑΝΠϧͷ؂ࢹ ϑΝΠϧͷύʔε υΩϡϝϯτͷ࡞੒ɺ ߋ৽ɺ࡟আ ݕࡧΠϯλʔϑΣΠ εͷఏڙ σʔλͷ౤ೖ

  5. υΩϡϝϯτͷ࡞੒ɺߋ৽ɺ࡟আͷݕग़ 5 ΠϯλʔϑΣΠε ಛ௃ inotify ଟ͘ͷσΟετϦϏϡʔγϣϯͰར༻Մೳ ؂ࢹର৅σΟϨΫτϦ͸શͯྻڍ͢Δඞཁ͕͋Δ fanotify มߋ͕ߦΘΕΔલʹڐՄɾෆڐՄΛܾΊΒΕΔ ରԠ͍ͯ͠ͳ͍σΟετϦϏϡʔγϣϯ͕ଟ͍

    Linux Security Module ϑΝΠϧʹର͢Δଟ͘ͷΦϖϨʔγϣϯʹରԠ͍ͯ͠Δ ΧʔωϧϞδϡʔϧͱͯ͠࡞੒͢Δඞཁ͕͋Δ Samba VFS - full_audit ଟ͘ͷσΟετϦϏϡʔγϣϯͰར༻Մೳ ؂ࠪϩάʹϑΝΠϧͷมߋ͕ग़ྗ͞ΕΔ

  6. vfs_full_audit ग़ྗαϯϓϧ 6 Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|open|ok|w|sample.txt Jun

    18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|fstat|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|kernel_flock|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|create_file|ok|0x12019f|file| open_if|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|stat|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|sys_acl_get_file|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|get_nt_acl|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|strict_lock|ok|sample.txt:0-9:0 Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|pread|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|strict_unlock|ok|sample.txt: 0-9:0 Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|fstat|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|ntimes|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|strict_lock|ok|sample.txt:0-9:1 Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|fstat|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|pwrite|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|strict_unlock|ok|sample.txt: 0-9:1 Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|kernel_flock|ok|sample.txt Jun 18 05:50:08 ip-172-30-2-93 smbd_audit: nobody|172.30.2.196|close|ok|sample.txt

  7. Sambaͷઃఆ • SambaͰڞ༗͍ͯ͠ΔྖҬͷvfs objectͱͯ͠full_auditΛࢦఆ • pwrite, rename, unlink ΠϕϯτͷΈ؂ࢹ͢Δ 7

    # /etc/samba/smb.conf [public] comment = Public Stuff path = /home/samba … vfs objects = full_audit full_audit:success = pwrite rename unlink full_audit:failure = none

  8. υΩϡϝϯτͷύʔε Mapper Attachments Plugin 8 $ cd elasticserach $ bin/plugin

    install mapper-attachments • Elasticsearch Plugins and Integrations > Mapper Plugins > Mapper Attachments Plugin -https:// www.elastic.co/guide/en/elasticsearch/plugins/2.3/mapper-attachments.html • Elasticsearch΁ͷΠϯετʔϧ • PPT, XLS, PDFͳͲͷҰൠతͳϑΥʔϚοτͷυΩϡϝϯτΛTikaΛ࢖༻ ͯ͠ςΩετ৘ใΛൈ͖ग़͠ɺΠϯσοΫε͢Δ • Elasticsearch 5.0.0Ͱ͸ingest-attachmentʹஔ͖׵͑ݟࠐΈ

  9. Mappingͷ࡞੒ 9 $ curl -d localhost:9200/docs -d ‘ { "mappings"

    : { "_default_" : { "properties" : { "file" : { "type" : "attachment", "fields" : { "content" : { "type" : "string", "store" : true, "term_vector" : "with_positions_offsets", "analyzer" : "kuromoji" }, "author" : { "type" : "string", "store" : true, "analyzer" : "kuromoji" }, "title" : { "type" : "string", "store" : true, "analyzer" : "kuromoji" }, "name" : { "type" : "string", "store" : true, "analyzer" : "kuromoji" }, "date" : { "type" : "string", "store" : true }, "keywords" : { "type" : "string", "store" : true }, "content_type" : { "type" : "string", "store" : true }, "content_length" : { "type" : "string", "store" : true }, "language" : { "type" : "string", "store" : true } }}}}}}’

  10. σʔλͷ౤ೖ • ϑΝΠϧͷύεͷSHA-1ΛElasticsearchͷυΩϡϝϯτͷ_idͱͯ͠࠾༻͢Δ • ϑΝΠϧͷ಺༰ΛBase64ͰΤϯίʔυͯ͠ɺ_contentϑΟʔϧυͷ಺༰ͱ͠ ͯPUT͢Δ • ϑΝΠϧ͕࡟আ΍໊લ͕มߋ͞Εͨ৔߹ʹ͸ݹ͍υΩϡϝϯτΛDELETE͢Δ 10 $

    curl localhost:9200/docs/doc/`echo sample.txt | sha1sum | cut -d’ ‘ -f1` -d ‘ { "_content": “ewogICJtYXBwaW5nc....gfQp9Cg==" }' $ curl -XDELETE localhost:9200/docs/doc/`echo sample.txt | md5sum | cut -d’ ‘ -f1`

  11. ΠϕϯτͷύΠϓϥΠϯॲཧ Logstash 11 input filter output stdin file syslog jdbc

    kafka s3 … grok geoip anonymize date mutate ruby csv … elasticsearch file csv http kafka stdout syslog …

  12. Logstash - input {} ؂ࠪϩάͷมߋΛ؂ࢹ͢Δ 12 input { file {

    path => "/var/log/messages" } }

  13. Logstash - filter {} 1/2 full_audit ϩάͷύʔεͱɺ_idͷܭࢉ 13 filter {

    grok { match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{DATA:process}: % {USER:user}\|%{IP:clientip}\|%{DATA:operation}\|%{DATA:result}\|%{GREEDYDATA:file}" } add_field => { "file_hash" => "%{file}" } } anonymize { key => "something_secret" algorithm => "SHA1" fields => ["file_hash"] } …

  14. Logstash - filter {} 2/2 ϑΝΠϧ໊มߋ࣌ͷ_idͷܭࢉ 14 filter { …

    if "rename" in [operation] { grok { match => { "file" => "%{DATA:file_prev}\|%{GREEDYDATA:file_aft}" } add_field => { "file_prev_hash" => "%{file_prev}" "file_aft_hash" => "%{file_aft}" } } anonymize { key => "something_secret" algorithm => "SHA1" fields => ["file_prev_hash", "file_aft_hash"] } }

  15. Logstash - output {} 1/3 ϑΝΠϧͷ࡞੒ɺߋ৽ 15 output { if

    "pwrite" in [operation] { exec { command => "temp=$(mktemp) ; echo \{ \"file\": \{ \"_content\": \”$(base64 /home/samba/ {file})\”, \"_name\": \"%{file}\"\}\} > $temp ; curl -XPUT localhost:9200/docs/doc/%{file_hash} - d@$temp; rm $temp" } } … }

  16. Logstash - output {} 2/3 ϑΝΠϧ໊ͷมߋ 16 output { …

    if "rename" in [operation] { exec { command => "curl -XDELETE localhost:9200/docs/doc/%{file_prev_hash}" } exec { command => "temp=$(mktemp) ; echo \{ \"file\": \{ \"_content\": \"$(base64 /home/samba/% {file_aft})\”, \"_name\": \"%{file_aft}\"\}\} > $temp ; curl -XPUT localhost:9200/docs/doc/% {file_aft_hash} -d@$temp; rm $temp" } } … }

  17. Logstash - output {} 2/3 ϑΝΠϧͷ࡟আ 17 output { …

    if "unlink" in [operation] { exec { command => "curl -XDELETE localhost:9200/docs/doc/%{file_hash}" } } }

  18. Search 18 $ curl “localhost:9200/docs/_search?q=*&fields=file.title” { "took": 17, "timed_out": false,

    "_shards": { "total": 1, "successful": 1, "failed": 0 }, "hits": { "total": 13, "max_score": 1, "hits": [ { "_index": "docs", "_type": "doc", "_id": "dfb573e25b4b4b612b6694edc63b9ad17450daf0", "_score": 1, "fields": { "file.title": [ “PDFαϯϓϧϑΝΠϧ" ]

  19. Future Work 19 ݕࡧUI ൚༻ੑ ෆ੔߹ͷղফ ηΩϡϦςΟ

  20. Thank you! ϒϩά౳ͷ೔ຊޠίϯςϯπ΋ੋඇ͝ཡ͍ͩ͘͞ 20