'kibana' 태그의 글 목록 (2 Page)

[Elastic] Elastic Agent 테스트.

Elastic 2020. 8. 26. 15:10

[참고문서]

https://www.elastic.co/downloads/elastic-agent

https://www.elastic.co/guide/en/ingest-management/current/index.html

Elastic Agent 를 사용해 보려고 합니다.

최근에 릴리즈 된 Elastic Stack 7.9.0 으로 진행 했습니다.

진행 간에 순서대로 실행한 내용을 그냥 올려 둡니다.

$ bin/elasticsearch -d -p pid
$ bin/elasticsearch-setup-passwords interactive
에러 발생)
{
  "error" : {
    "root_cause" : [
      {
        "type" : "exception",
        "reason" : "Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."
      }
    ],
    "type" : "exception",
    "reason" : "Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."
  },
  "status" : 500
}

xpack security 설정)
$ vi config/elasticsearch.yml
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

재실행)
$ bin/elasticsearch-setup-passwords interactive
$ bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N] y


Enter password for [elastic]: elastic
Reenter password for [elastic]: elastic
Enter password for [apm_system]: elastic
Reenter password for [apm_system]: elastic
Enter password for [kibana_system]: elastic
Reenter password for [kibana_system]: elastic
Enter password for [logstash_system]: elastic
Reenter password for [logstash_system]: elastic
Enter password for [beats_system]: elastic
Reenter password for [beats_system]: elastic
Enter password for [remote_monitoring_user]: elastic
Reenter password for [remote_monitoring_user]: elastic
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Kibana 설정)
$ vi config/kibana.yml
46 elasticsearch.username: "kibana_system"
47 elasticsearch.password: "elastic"

$ bin/kibana

Kibana 접속)
http://localhost:5601
  ID/PWD
  elastic/elastic

Kibana IngestManager 접속)
http://localhost:5601/app/ingestManager#/

Agent 사용을 위한 Kibana 추가 설정)
xpack.ingestManager.fleet.tlsCheckDisabled: true
xpack.encryptedSavedObjects.encryptionKey: a123456789012345678901234567890b

이후 단계는 아래 문서 대로 따라 합니다.)
https://www.elastic.co/guide/en/ingest-management/current/ingest-management-getting-started.html
./elastic-agent enroll http://localhost:5601 cEpibEtIUUI2akhoRVR0LWdwZVg6blhHNGdMeURUbVNPQUE0RS1GOFduUQ==
./elastic-agent run

$  ./elastic-agent enroll http://localhost:5601 cEpibEtIUUI2akhoRVR0LWdwZVg6blhHNGdMeURUbVNPQUE0RS1GOFduUQ==
The Elastic Agent is currently in BETA and should not be used in production
This will replace your current settings. Do you want to continue? [Y/n]: y
Error: connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)

$ ./elastic-agent enroll http://localhost:5601 cEpibEtIUUI2akhoRVR0LWdwZVg6blhHNGdMeURUbVNPQUE0RS1GOFduUQ== --insecure
The Elastic Agent is currently in BETA and should not be used in production
This will replace your current settings. Do you want to continue? [Y/n]:y
2020-08-26T14:06:01.782+0900  DEBUG kibana/client.go:170  Request method: POST, path: /api/ingest_manager/fleet/agents/enroll
Successfully enrolled the Agent.

$ ./elastic-agent run

Kibana IngestManager 확인)
http://localhost:5601/app/ingestManager#/

Elasticsearch + Kibana + ElasticAgent + Elastic Common Schema 구성이며, 기존에 beats 를 이용해서 log/data shipper 기능을 구현 하던걸 agent 하나로 대체 할 수 있을 것 같습니다.

더불어서 ECS 기반의 Kibana 에서 Dashboard 와 Visualize 에 대해서도 Preset 을 제공 하니 잘 활용하면 아주 멋질 것으로 기대 합니다.

:

[Elasticsearch] X-pack Security API Key 사용 해 보기

Elastic/Elasticsearch 2020. 6. 19. 11:07

Elastic Stack 이 좋은 이유는 기본 Basic license 까지 사용이 가능 하다는 것입니다.

사실 이것 말고도 엄청 많죠 ㅎㅎ

https://www.elastic.co/subscriptions

딱 API keys management 까지 사용이 됩니다. ㅎㅎㅎ

먼저 사용하기에 앞서서 Elasticsearch 와 Kibana 에 x-pack 사용을 위한 설정을 하셔야 합니다.

[Elasticsearch]

- elasticsearch.yml

xpack.monitoring.enabled: true
xpack.ml.enabled: true
xpack.security.enabled: true

xpack.security.authc.api_key.enabled: true
xpack.security.authc.api_key.hashing.algorithm: "pbkdf2"
xpack.security.authc.api_key.cache.ttl: "1d"
xpack.security.authc.api_key.cache.max_keys: 10000
xpack.security.authc.api_key.cache.hash_algo: "ssha256"

위 설정은 기본이기 때문에 환경에 맞게 최적화 하셔야 합니다.

https://www.elastic.co/guide/en/elasticsearch/reference/7.8/security-settings.html#api-key-service-settings

[Kibana]

- kibana.yml

xpack:
  security:
    enabled: true
    encryptionKey: "9c42bff2e04f9b937966bda03e6b5828"
    session:
      idleTimeout: 600000
    audit:
      enabled: true

이렇게 설정 한 후 id/password 설정을 하시면 됩니다.

# bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]

Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

이렇게 설정이 끝나면 kibana 에 접속해서 API key 를 생성 하시면 됩니다.

아래 문서는 생성 시 도움이 되는 문서 입니다.

www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html

www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-put-role.html www.elastic.co/guide/en/elasticsearch/reference/7.7/defining-roles.html www.elastic.co/guide/en/elasticsearch/reference/7.7/security-api-create-api-key.html

Kibana Console 에서 아래와 같이 생성이 가능 합니다.

POST /_security/api_key
{
  "name": "team-index-command",
  "expiration": "10m", 
  "role_descriptors": { 
    "role-team-index-command": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["*"],
          "privileges": ["all"]
        }
      ]
    }
  }
}

{
  "id" : "87cuynIBjKAXtnkobGgo",
  "name" : "team-index-command",
  "expiration" : 1592529999478,
  "api_key" : "OlVGT_Q8RGq1C_ASHW7pGg"
}

생성 이후 사용을 위해서는

- ApiKey 는 id:api_key 를 base64 인코딩 합니다.

base64_encode("87cuynIBjKAXtnkobGgo"+":"+"OlVGT_Q8RGq1C_ASHW7pGg")
==> VGVVOXluSUJHUUdMaHpvcUxDVWo6aUtfSmlEMmdSMy1FUUFpdENCYzF1QQ==

curl -H 
  "Authorization: ApiKey VGVVOXluSUJHUUdMaHpvcUxDVWo6aUtfSmlEMmdSMy1FUUFpdENCYzF1QQ==" 
  http://localhost:9200/_cluster/health

이제 용도와 목적에 맞춰서 API key 를 만들고 사용 하시면 되겠습니다.

:

[Elasticsearch] script 사용 시 "#! Deprecation: Deprecated field [inline] used, expected [source] instead"

Elastic/Elasticsearch 2020. 6. 17. 08:20

에러 메시지를 보면 답이 나와 있습니다.

inline 대신 source 를 사용 하라는 이야기 입니다.

[ASIS]

  "aggs": {
    "3": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30s",
        "time_zone": "Asia/Seoul",
        "min_doc_count": 1
      },
      "aggs": {
        "1": {
          "max": {
            "field": "system.cpu.total.pct",
            "script": {
              "inline": "doc['system.cpu.total.pct'].value *100",
              "lang": "painless"
            }
          }
        }
      }
    }
  }

[TOBE]

  "aggs": {
    "3": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30s",
        "time_zone": "Asia/Seoul",
        "min_doc_count": 1
      },
      "aggs": {
        "1": {
          "max": {
            "field": "system.cpu.total.pct",
            "script": {
              "source": "doc['system.cpu.total.pct'].value *100",
              "lang": "painless"
            }
          }
        }
      }
    }
  }

이상 끝.

:

[Kibana] Docker Compose 실행 시 Permission 오류.

Elastic/Kibana 2020. 5. 11. 14:15

kibana 를 docker-compose 를 이용해서 실행 할 때 설정 파일, kibana.yml 파일에 대한 permission 오류가 발생 할 때가 있습니다.

이 경우 처음 부터 kibana.yml 파일이 있는 위치에 permission 을 부여 해 주거나 docker-compose.yml 파일에서 아래와 같이 추가 하시면 문제를 해결 할 수 있습니다.

user: "1002:0"

- host 서버에서

$ id

uid=1002 gid=20

- container 에서

$ id

uid=1000 gid=0

실행한 놈과 실행 된 놈의 user 가 달라서 발생 하는 오류 입니다.

권한을 주거나 user 를 맞춰 주시면 됩니다.

:

[Kibana] Visualize Metric JSON Input 예제

Elastic/Kibana 2020. 4. 7. 20:11

kibana 에서 visualize 중 metric 을 구성 할 때 또는 다른 visualize 이더라도 비슷 합니다.

JSON Input 은 아래와 같이 넣으 실 수 있습니다.

{
  "script": {
    "inline": "doc['system.filesystem.free'].value / 1024 / 1024 /1024",
    "lang": "painless"
  }
}

좀 더 자세한 내용이 궁금 하신 분들은 아래 문서 한번 보시면 좋습니다.

공식문서)

https://www.elastic.co/guide/en/elasticsearch/reference/master/modules-scripting-fields.html

:

[Kibana] Docker Compose 구성 하기

Elastic/Kibana 2020. 4. 2. 08:28

Kibana를 Docker로 구성 하기 위한 docker-compose.yml 내용을 살펴 봅니다.

참고문서)

https://www.elastic.co/guide/en/kibana/current/docker.html

docker-compose.yml)

version: '2.2'
services:
  ${KIBANA-SERVICE-NAME}:
    image: docker.elastic.co/kibana/kibana:7.6.2
    container_name: ${KIBANA-SERVICE-NAME}
#    depends_on:
#      - ${ES-SERVICE-NAME}
    ports:
      - 5601:5601
    expose:
      - 5601
    environment:
      ELASTICSEARCH_HOSTS: http://host.docker.internal:9200
    networks:
      - ${NETWORK-NAME}

networks:
  ${NETWORK-NAME}:
    driver: bridge

위 설정은 host 에서 Elasticsearch 를 Standalone 으로 띄우고 Kibana 를 컨테이너로 실행 시킨 후 연동 하도록 한 것입니다.

접속은 아래와 같이 하면 됩니다.

- http://localhost:5601

만약, docker-compose.yml 파일 내 Elasticsearch 와 Kibana 를 모두 구성해서 띄우실 때는 아래 설정을 맞춰 주면 됩니다.

- depends_on : 섹션에서 Elasticsearch 실행 후 Kibana 가 실행 되도록 구성

- network 구성은 같은 걸 사용하도록 하고 bridge 로 설정

- kibana 에서 elasticsearch 를 찾기 위해 host.docker.internal 이 아닌 ${ES-SERVICE-NAME} 으로 변경

또는 다른 인스턴스에 Elasticsearch 가 구성이 되어 있다면,

- environment: 섹션에서 host.docker.internal 이 아닌 Elasticsearch가 구성된 인스턴스의 DNS나 IP로 변경

하시면 됩니다.

:

[Kibana] Docker Compose 설정 시 environment 중

Elastic/Kibana 2020. 4. 1. 09:47

kibana docker compose 에서 아래 변수가 어떤 값을 참조 하는지 확인 하시기 바랍니다.

참고 문서)

https://www.elastic.co/guide/en/kibana/current/docker.html

environment:
    ELASTICSEARCH_URL: http://${SERVICE-NAME}:9200
    ELASTICSEARCH_HOSTS: http://${SERVICE-NAME}:9200
또는
    ELASTICSEARCH_URL: http://${CONTAINER-NAME}:9200
    ELASTICSEARCH_HOSTS: http://${CONTAINER-NAME}:9200

단일 노드에 Elasticsearch 와 Kibana 두 개의 컨테이너를 띄울 때 Kibana 에서는 Elasticsearch 의 Service 명 또는 Container 명으로 Elasticsearch 를 찾습니다.

:

[Elastic] 목차 입니다.

Elastic 2019. 11. 5. 14:52

Elastic Stack 의 Reference 목차 입니다.

이걸 왜 한 장으로 정리를 했냐면 목차만 잘 찾아 봐도 해결 방법이 어딨는지 어떤 기능을 제공 하고 있는지 쉽게 알수 있습니다.

(In my case!!)

그래서 혼자 보기 아까워서 그냥 올려봤습니다.

Elastic Stack References)

1. Elasticsearch

2. Logstash

3. Kibana

4. Beats Platform

5. Beats Developer Guide

6. Filebeat

Elasticsearch

Elasticsearch introduction

Data in: documents and indices
Information out: search and analyze
Scalability and resilience

Getting Started with Elasticsearch

Get Elasticsearch up and running
Index some documents
Start searching
Analyze results with aggregations
Where to go from here

Set up Elasticsearch

Installing Elasticsearch

Install Elasticsearch from archive on Linux or MacOS
Install Elasticsearch with .zip on Windows
Install Elasticsearch with Debian Package
Install Elasticsearch with RPM
Install Elasticsearch Windows MSI Installer
Install Elasticsearch with Docker
Install Elasticsearch on macOS with Homebrew

Configuring Elasticsearch

Setting JVM options
Secure settings
Logging configuration
Auditing settings
Cross-cluster replication settings
Transforms settings
Index lifecycle management settings
License settings
Machine learning settings
Security settings
SQL access settings
Watcher settings

Important Elasticsearch configuration

path.data and path.logs
cluster.name
node.name
network.host
Discovery and cluster formation settings
Setting the heap size
JVM heap dump path
GC logging
Temp directory
JVM fatal error logs

Important System Configuration

Configuring system settings
Disable swapping
File Descriptors
Virtual memory
Number of threads
DNS cache settings
JNA temporary directory not mounted with noexec

Bootstrap Checks

Heap size check
File descriptor check
Memory lock check
Maximum number of threads check
Max file size check
Maximum size virtual memory check
Maximum map count check
Client JVM check
Use serial collector check
System call filter check
OnError and OnOutOfMemoryError checks
Early-access check
G1GC check
All permission check
Discovery configuration check

Starting Elasticsearch
Stopping Elasticsearch
Adding nodes to your cluster
Set up X-Pack
Configuring X-Pack Java Clients
Bootstrap Checks for X-Pack

Upgrade Elasticsearch

Rolling upgrades
Full cluster restart upgrade
Reindex before upgrading

Reindex in place
Reindex from a remote cluster

Aggregations

Metrics Aggregations

Avg Aggregation
Weighted Avg Aggregation
Cardinality Aggregation
Extended Stats Aggregation
Geo Bounds Aggregation
Geo Centroid Aggregation
Max Aggregation
Min Aggregation
Percentiles Aggregation
Percentile Ranks Aggregation
Scripted Metric Aggregation
Stats Aggregation
Sum Aggregation
Top Hits Aggregation
Value Count Aggregation
Median Absolute Deviation Aggregation

Bucket Aggregations

Adjacency Matrix Aggregation
Auto-interval Date Histogram Aggregation
Children Aggregation
Composite Aggregation
Date Histogram Aggregation
Date Range Aggregation
Diversified Sampler Aggregation
Filter Aggregation
Filters Aggregation
Geo Distance Aggregation
GeoHash grid Aggregation
GeoTile Grid Aggregation
Global Aggregation
Histogram Aggregation
IP Range Aggregation
Missing Aggregation
Parent Aggregation
Range Aggregation
Rare Terms Aggregation
Reverse nested Aggregation
Sampler Aggregation
Significant Terms Aggregation
Significant Text Aggregation
Terms Aggregation
Subtleties of bucketing range fields

Pipeline Aggregations

Avg Bucket Aggregation
Derivative Aggregation
Max Bucket Aggregation
Min Bucket Aggregation
Sum Bucket Aggregation
Stats Bucket Aggregation
Extended Stats Bucket Aggregation
Percentiles Bucket Aggregation
Moving Average Aggregation
Moving Function Aggregation
Cumulative Sum Aggregation
Cumulative Cardinality Aggregation
Bucket Script Aggregation
Bucket Selector Aggregation
Bucket Sort Aggregation
Serial Differencing Aggregation

Matrix Aggregations

Matrix Stats

Caching heavy aggregations
Returning only aggregations
Aggregation Metadata
Returning the type of the aggregation

Query DSL

Query and filter context
Compound queries

Boolean
Boosting
Constant score
Disjunction score
Function score

Full text queries

Intervals
Match
Match boolean prefix
Match phrase
Match phrase prefix
Multi-match
Common Terms Query
Query String
Simple query string

Geo queries

Geo-bounding box
Geo-distance
Geo-polygon
Geo-shape

Shape queries

Shape

Joining queries

Nested
Has child
Has parent
Parent ID

Match all
Span queries

Span containing
Span field masking
Span first
Span multi-term
Span near
Span not
Span or
Span term
Span within

Specialized queries

Distance feature
More like this
Percolate
Rank feature
Script
Script score
Wrapper
Pinned Query

Term-level queries

Exists
Fuzzy
IDs
Prefix
Range
Regexp
Term
Terms
Terms set
Type Query
Wildcard

minimum_should_match parameter
rewrite parameter
Regular expression syntax

Search across clusters
Scripting

How to use scripts
Accessing document fields and special variables
Scripting and security
Painless scripting language
Lucene expressions language
Advanced scripts using script engines

Mapping

Removal of mapping types
Field datatypes

Alias
Arrays
Binary
Boolean
Date
Date nanoseconds
Dense vector
Flattened
Geo-point
Geo-shape
IP
Join
Keyword
Nested
Numeric
Object
Percolator
Range
Rank feature
Rank features
Search-as-you-type
Sparse vector
Text
Token count
Shape

Meta-Fields

_field_names field
_ignored field
_id field
_index field
_meta field
_routing field
_source field
_type field

Mapping parameters

analyzer
normalizer
boost
coerce
copy_to
doc_values
dynamic
enabled
eager_global_ordinals
fielddata
format
ignore_above
ignore_malformed
index
index_options
index_phrases
index_prefixes
fields
norms
null_value
position_increment_gap
properties
search_analyzer
similarity
store
term_vector

Dynamic Mapping

Dynamic field mapping
Dynamic templates

Analysis

Anatomy of an analyzer
Testing analyzers
Analyzers

Configuring built-in analyzers
Fingerprint Analyzer
Keyword Analyzer
Language Analyzers
Pattern Analyzer
Simple Analyzer
Standard Analyzer
Stop Analyzer
Whitespace Analyzer
Custom Analyzer

Normalizers
Tokenizers

Char Group Tokenizer
Classic Tokenizer
Edge NGram Tokenizer
Keyword Tokenizer
Letter Tokenizer
Lowercase Tokenizer
NGram Tokenizer
Path Hierachy Tokenizer
Pattern Tokenizer
Simple Pattern Tokenizer
Simple Pattern Split Tokenizer
Standard Tokenizer
Thai Tokenizer
UAX URL Email Tokenizer
Whitespace Tokenizer

Token Filters

Apostrophe
ASCII Folding Token Filter
CJK bigram
CJK width
Classic Token Filter
Common Grams Token Filter
Compound Word Token Filters
Conditional Token Filter
Decimal Digit Token Filter
Delimited Payload Token Filter
Edge NGram Token Filter
Elision Token Filter
Fingerprint Token Filter
Flatten Graph Token Filter
Hunspell Token Filter
Keep Types Token Filter
Keep Words Token Filter
Keyword Request Token Filter
KStem Token Filter
Length Token Filter
Limit Token Count Token Filter
Lowercase Token Filter
MinHash Token Filter
Multiplexer Token Filter
NGram Token Filter
Normalization Token Filter
Pattern Capture Token Filter
Pattern Replace Token Filter
Phonetic Token Filter
Porter Stem Token Filter
Predicate Token Filter Script
Remove Duplicates Token Filter
Reverse Token Filter
Shingle Token Filter
Snowball Token Filter
Stemmer Token Filter
Stemmer Override Token Filter
Stop Token Filter
Synonym Token Filter
Synonym Graph Token Filter
Trim Token Filter
Truncate Token Filter
Unique Token Filter
Uppercase Token Filter
Word Delimiter Token Filter
Word Delimiter Graph Token Filter

Character Filters

HTML Strip Char Filter
Mapping Char Filter
Pattern Replace Char Filter

Modules

Discovery and cluster formation

Discovery
Quorum-based decision making
Voting configurations
Bootstrapping a cluster
Adding and removing nodes
Publishing the cluster state
Cluster fault detection
Discovery and cluster formation settings

Shard allocation and cluster-level routing

Cluster level shard allocation
Disk-based shard allocation
Shard allocation awareness
Cluster-level shard allocation filtering
Miscellaneous cluster settings

Local Gateway

Dangling indices

HTTP
Indices

Circuit Breaker
Fielddata
Node Query Cache
Indexing Buffer
Shard request cache
Index recovery
Search Settings

Network Settings
Node
Plugins
Snapshot And Restore
Thread Pool
Transport
Remote clusters

Index modules

Analysis
Index Shard Allocation

Index-level shard allocation filtering
Delaying allocation when a node leaves
Index recovery prioritization
Total shards per node

Mapper
Merge
Similarity module
Slow Log
Store

Preloading data into the file system cache

Translog
History retention
Index Sorting

Use index sorting to speed up conjunctions

Ingest node

Pipeline Definition
Accessing Data in Pipelines
Conditional Execution in Pipelines

Handling Nested Fields in Conditionals
Complex Conditionals
Conditionals with the Pipeline Processor
Conditionals with the Regular Expressions

Handling Failures in Pipelines
Processors

Append Processor
Bytes Processor
Circle Processor
Convert Processor
Date Processor
Date Index Name Processor
Dissect Processor
Dot Expander Processor
Drop Processor
Fail Processor
Foreach Processor
GeoIP Processor
Grok Processor
Gsub Processor
HTML Strip Processor
Join Processor
JSON Processor
KV Processor
Lowercase Processor
Pipeline Processor
Remove Processor
Rename Processor
Script Processor
Set Processor
Set Security User Processor
Split Processor
Sort Processor
Trim Processor
Uppercase Processor
URL Decode Processor
User Agent processor

Managing the index lifecycle

Getting started with index lifecycle management
Policy phases and actions

Timing
Phase Execution
Actions
Full Policy

Set up index lifecycle management policy

Applying a policy to an index template
Apply a policy to a create index request

Using policies to manage index rollover

Skipping Rollover

Update policy

Updates to policies not managing indices
Updates to executing policies
Switching policies for an index

Index lifecycle error handling
Restoring snapshots of managed indices
Start and stop index lifecycle management
Using ILM with existing indices

Managing existing periodic indices with ILM
Reindexing via ILM

Getting started with snapshot lifecycle management

SQL access

Overview
Getting Started with SQL
Conventions and Terminology

Mapping concepts across SQL and Elasticsearch

Security
SQL REST API

Overview
Response Data Formats
Paginating through a large response
Filtering using Elasticsearch query DSL
Columnar results
Supported REST parameters

SQL Translate API
SQL CLI
SQL JDBC

API usage

SQL ODBC

Driver installation
Configuration

SQL Client Applications

DBeaver
DbVisualizer
Microsoft Excel
Microsoft Power BI Desktop
Microsoft PowerShell
MicroStrategy Desktop
Qlik Sense Desktop
SQuirreL SQL
SQL Workbench/J
Tableau Desktop

SQL Language

Lexical Structure
SQL Commands
DESCRIBE TABLE
SELECT
SHOW COLUMNS
SHOW FUNCTIONS
SHOW TABLES
Data Types
Index patterns
Frozen Indices

Functions and Operators

Comparison Operators
Logical Operators
Math Operators
Cast Operators
LIKE and RLIKE Operators
Aggregate Functions
Grouping Functions
Date/Time and Interval Functions and Operators
Full-Text Search Functions
Mathematical Functions
String Functions
Type Conversion Functions
Geo Functions
Conditional Functions And Expressions
System Functions

Reserved keywords
SQL Limitations

Monitor a cluster

Overview
How it works
Monitoring in a production environment
Collecting monitoring data

Pausing data collection

Collecting monitoring data with Metricbeat
Collecting log data with Filebeat
Configuring indices for monitoring
Collectors
Exporters

Local exporters
HTTP exporters

Troubleshooting

Frozen indices

Best practices
Searching a frozen index
Monitoring frozen indices

Roll up or transform your data

Rolling up historical data

Overview
API quick reference
Getting started
Understanding groups
Rollup aggregation limitations
Rollup search limitations

Transforming data

Overview
When to use transforms
How checkpoints work
API quick reference
Tutorial: Transforming the eCommerce sample data
Examples
Troubleshooting
Limitations

Set up a cluster for high availability

Back up a cluster

Back up the data
Back up the cluster configuration
Back up the security configuration
Restore the security configuration
Restore the data

Cross-cluster replication

Overview
Requirements for leader indices
Automatically following indices
Getting started with cross-cluster replication
Remote recovery
Upgrading clusters

Secure a cluster

Overview
Configuring security

Encrypting communications in Elasticsearch
Encrypting communications in an Elasticsearch Docker Container
Enabling cipher suites for stronger encryption
Separating node-to-node and client traffic
Configuring an Active Directory realm
Configuring a file realm
Configuring an LDAP realm
Configuring a native realm
Configuring a PKI realm
Configuring a SAML realm
Configuring a Kerberos realm
Security files
FIPS 140-2

How security works
User authentication

Built-in users
Internal users
Realms
Realm chains
Active Directory user authentication
File-based user authentication
LDAP user authentication
Native user authentication
PKI user authentication
SAML authentication
Kerberos authentication
Integrating with other authentication systems
Enabling anonymous access
Controlling the user cache

Configuring SAML single-sign-on on the Elastic Stack

The identity provider
Configure Elasticsearch for SAML authentication
Generating SP metadata
Configuring role mappings
User metadata
Configuring Kibana
Troubleshooting SAML Realm Configuration

Configuring single sign-on to the Elastic Stack using OpenID Connect

The OpenID Connect Provider
Configure Elasticsearch for OpenID Connect authentication
Configuring role mappings
User metadata
Configuring Kibana
OpenID Connect without Kibana

User authorization

Built-in roles
Defining roles
Security privileges
Document level security
Field level security
Granting privileges for indices and aliases
Mapping users and groups to roles
Setting up field and document level security
Submitting requests on behalf of other users
Configuring authorization delegation
Customizing roles and authorization

Auditing security events

Audit event types
Logfile audit output
Auditing search queries

Encrypting communications

Setting up TLS on a cluster

Restricting connections with IP filtering
Cross cluster search, clients, and integrations

Cross cluster search and security
Java Client and security
HTTP/REST clients and security
ES-Hadoop and Security
Beats and Security
Monitoring and security

Tutorial: Getting started with security

Enable Elasticsearch security features
Create passwords for built-in users
Add the built-in user to Kibana
Configure authentication
Create users
Assign roles
Add user information in Logstash
View system metrics in Kibana

Tutorial: Encrypting communications

Generate certificates
Encrypt internode communications
Add nodes to your cluster

Troubleshooting

Some settings are not returned via the nodes settings API
Authorization exceptions
Users command fails due to extra arguments
Users are frequently locked out of Active Directory
Certificate verification fails for curl on Mac
SSLHandshakeException causes connections to fail
Common SSL/TLS exceptions
Common Kerberos exceptions
Common SAML issues
Internal Server Error in Kibana
Setup-passwords command fails due to connection failure
Failures due to relocation of the configuration files

Limitations

Alerting on cluster and index events

Getting started with Watcher
How Watcher works
Encrypting sensitive data in Watcher
Inputs

Simple input
Search input
HTTP input
Chain input

Triggers

Schedule trigger

Conditions

Always condition
Never condition
Compare condition
Array compare condition
Script condition

Actions

Running an action for each element in an array
Adding conditions to actions
Email action
Webhook action
Index action
Logging Action
Slack Action
PagerDuty action
Jira action

Transforms

Search transform
Script transform
Chain transform

Java API
Managing watches
Example watches

Watching the status of an Elasticsearch cluster
Watching event data

Troubleshooting
Limitations

Command line tools

elasticsearch-certgen
elasticsearch-certutil
elasticsearch-croneval
elasticsearch-migrate
elasticsearch-node
elasticsearch-saml-metadata
elasticsearch-setup-passwords
elasticsearch-shard
elasticsearch-syskeygen
elasticsearch-users

How To

General recommendations
Recipes

Mixing exact search with stemming
Getting consistent scoring
Incorporating static relevance signals into the score

Tune for indexing speed
Tune for search speed

Tune your queries with the Profile API
Faster phrase queries with index_phrases
Faster prefix queries with index_prefixes

Tune for disk usage

Testing

Java Testing Framework

Why randomized testing?
Using the Elasticsearch test classes
Unit tests
Integration tests
Randomized testing
Assertions

Glossary of terms
REST APIs

API conventions

Multiple Indices
Date math support in index names
Common options
URL-based access control

cat APIs

cat aliases
cat allocation
cat count
cat fielddata
cat health
cat indices
cat master
cat nodeattrs
cat nodes
cat pending tasks
cat plugins
cat recovery
cat repositories
cat task management
cat thread pool
cat shards
cat segments
cat snapshots
cat templates

Cluster APIs

Cluster Health
Cluster State
Cluster Stats
Pending cluster tasks
Cluster Reroute
Cluster Update Settings
Cluster Get Settings
Nodes Stats
Nodes Info
Nodes Feature Usage
Remote Cluster Info
Task management
Nodes hot_threads
Cluster Allocation Explain API
Voting Configuration Exclusions

Cross-cluster replication APIs

Get CCR stats
Create follower
Pause follower
Resume follower
Unfollow
Forget follower
Get follower stats
Get follower info
Create auto-follow pattern
Delete auto-follow pattern
Get auto-follow pattern

Document APIs

Reading and Writing documents
Index
Get
Delete
Delete by query
Update
Update By Query API
Multi get
Bulk
Reindex
Term vectors
Multi term vectors
?refresh
Optimistic concurrency control

Explore API
Index APIs

Add index alias
Analyze
Clear cache
Clone index
Close index
Create index
Delete index
Delete index alias
Delete index template
Flush
Force merge
Freeze index
Get field mapping
Get index
Get index alias
Get index settings
Get index template
Get mapping
Index alias exists
Index exists
Index recovery
Index segments
Index shard stores
Index stats
Index template exists
Open index
Put index template
Put mapping
Refresh
Rollover index
Shrink index
Split index
Synced flush
Type exists
Unfreeze index
Update index alias
Update index settings

Index lifecycle management API

Create policy
Get policy
Delete policy
Move to step
Remove policy
Retry policy
Get index lifecycle management status
Explain lifecycle
Start index lifecycle management
Stop index lifecycle management

Ingest APIs

Put pipeline
Get pipeline
Delete pipeline
Simulate pipeline

Info API
Licensing APIs

Delete license
Get license
Get trial status
Start trial
Get basic status
Start basic
Update license

Machine learning anomaly detection APIs

Add events to calendar
Add jobs to calendar
Close jobs
Create jobs
Create calendar
Create datafeeds
Create filter
Delete calendar
Delete datafeeds
Delete events from calendar
Delete filter
Delete forecast
Delete jobs
Delete jobs from calendar
Delete model snapshots
Delete expired data
Find file structure
Flush jobs
Forecast jobs
Get buckets
Get calendars
Get categories
Get datafeeds
Get datafeed statistics
Get influencers
Get jobs
Get job statistics
Get machine learning info
Get model snapshots
Get overall buckets
Get scheduled events
Get filters
Get records
Open jobs
Post data to jobs
Preview datafeeds
Revert model snapshots
Set upgrade mode
Start datafeeds
Stop datafeeds
Update datafeeds
Update filter
Update jobs
Update model snapshots

Machine learning data frame analytics APIs

Create data frame analytics jobs
Delete data frame analytics jobs
Evaluate data frame analytics
Estimate memory usage for data frame analytics jobs
Get data frame analytics jobs
Get data frame analytics jobs stats
Start data frame analytics jobs
Stop data frame analytics jobs

Migration APIs

Deprecation info

Reload search analyzers
Rollup APIs

Create rollup jobs
Delete rollup jobs
Get job
Get rollup caps
Get rollup index caps
Rollup search
Rollup job configuration
Start rollup jobs
Stop rollup jobs

Search APIs

Search
URI Search
Request Body Search
Search Template
Multi Search Template
Search Shards API
Suggesters
Multi Search API
Count API
Validate API
Explain API
Profile API
Field Capabilities API
Ranking Evaluation API

Security APIs

Authenticate
Change passwords
Clear cache
Clear roles cache
Create API keys
Create or update application privileges
Create or update role mappings
Create or update roles
Create or update users
Delegate PKI authentication
Delete application privileges
Delete role mappings
Delete roles
Delete users
Disable users
Enable users
Get API key information
Get application privileges
Get builtin privileges
Get role mappings
Get roles
Get token
Get users
Has privileges
Invalidate API key
Invalidate token
OpenID Connect Prepare Authentication API
OpenID Connect authenticate API
OpenID Connect logout API
SSL certificate

Snapshot lifecycle management API

Put snapshot lifecycle policy
Get snapshot lifecycle policy
Execute snapshot lifecycle policy
Delete snapshot lifecycle policy

Transform APIs

Create transforms
Update transforms
Delete transforms
Get transforms
Get transform statistics
Preview transforms
Start transforms
Stop transforms

Watcher APIs

Ack watch
Activate watch
Deactivate watch
Delete watch
Execute watch
Get watch
Get Watcher stats
Put watch
Start watch service
Stop watch service

Definitions

Datafeed resources
Data frame analytics job resources
Data frame analytics evaluation resources
Job resources
Job statistics
Model snapshot resources
Role mapping resources
Results resources
Transform resources

Logstash

Logstash Introduction
Getting Started with Logstash

Installing Logstash
Stashing Your First Event
Parsing Logs with Logstash
Stitching Together Multiple Input and Output Plugins

How Logstash Works

Execution Model

Setting Up and Running Logstash

Logstash Directory Layout
Logstash Configuration Files
logstash.yml
Secrets keystore for secure settings
Running Logstash from the Command Line
Running Logstash as a Service on Debian or RPM
Running Logstash on Docker
Configuring Logstash for Docker
Running Logstash on Windows
Logging
Shutting Down Logstash
Setting Up X-Pack

Upgrading Logstash

Upgrading Using Package Managers
Upgrading Using a Direct Download
Upgrading between minor versions
Upgrading Logstash to 7.0
Upgrading with the Persistent Queue Enabled

Configuring Logstash

Structure of a Config File
Accessing Event Data and Fields in the Configuration
Using Environment Variables in the Configuration
Logstash Configuration Examples
Multiple Pipelines
Pipeline-to-Pipeline Communication
Reloading the Config File
Managing Multiline Events
Glob Pattern Support
Converting Ingest Node Pipelines
Logstash-to-Logstash Communication
Centralized Pipeline Management
X-Pack security
X-Pack Settings

Managing Logstash

Centralized Pipeline Management

Working with Logstash Modules

Using Elastic Cloud
ArcSight Module
Netflow Module (deprecated)
Azure Module

Working with Filebeat Modules

Use ingest pipelines for parsing
Use Logstash pipelines for parsing
Example: Set up Filebeat modules to work with Kafka and Logstash

Data Resiliency

Persistent Queues
Dead Letter Queues

Transforming Data

Performing Core Operations
Deserializing Data
Extracting Fields and Wrangling Data
Enriching Data with Lookups

Deploying and Scaling Logstash
Performance Tuning

Performance Troubleshooting Guide
Tuning and Profiling Logstash Performance

Monitoring Logstash with APIs

Node Info API
Plugins Info API
Node Stats API
Hot Threads API

Monitoring Logstash with X-Pack

Metricbeat collection
Internal collection
Monitoring UI
Pipeline Viewer UI
Troubleshooting

Working with plugins

Generating Plugins
Offline Plugin Management
Private Gem Repositories
Event API

Input plugins

azure_event_hubs
beats
cloudwatch
couchdb_changes
dead_letter_queue
elasticsearch
exec
file
ganglia
gelf
generator
github
google_cloud_storage
google_pubsub
graphite
heartbeat
http
http_poller
imap
irc
java_generator
java_stdin
jdbc
jms
jmx
kafka
kinesis
log4j
lumberjack
meetup
pipe
puppet_facter
rabbitmq
redis
relp
rss
s3
salesforce
snmp
snmptrap
sqlite
sqs
stdin
stomp
syslog
tcp
twitter
udp
unix
varnishlog
websocket
wmi
xmpp

Output plugins

boundary
circonus
cloudwatch
csv
datadog
datadog_metrics
elastic_app_search
elasticsearch
email
exec
file
ganglia
gelf
google_bigquery
google_cloud_storage
google_pubsub
graphite
graphtastic
http
influxdb
irc
java_sink
java_stdout
juggernaut
kafka
librato
loggly
lumberjack
metriccatcher
mongodb
nagios
nagios_nsca
opentsdb
pagerduty
pipe
rabbitmq
redis
redmine
riak
riemann
s3
sns
solr_http
sqs
statsd
stdout
stomp
syslog
tcp
timber
udp
webhdfs
websocket
xmpp
zabbix

Filter plugins

aggregate
alter
bytes
cidr
cipher
clone
csv
date
de_dot
dissect
dns
drop
elapsed
elasticsearch
environment
extractnumbers
fingerprint
geoip
grok
http
i18n
java_uuid
jdbc_static
jdbc_streaming
json
json_encode
kv
memcached
metricize
metrics
mutate
prune
range
ruby
sleep
split
syslog_pri
threats_classifier
throttle
tld
translate
truncate
urldecode
useragent
uuid
xml

Codec plugins

avro
cef
cloudfront
cloudtrail
collectd
dots
edn
edn_lines
es_bulk
fluent
graphite
gzip_lines
jdots
java_line
java_plain
json
json_lines
line
msgpack
multiline
netflow
nmap
plain
protobuf
rubydebug

Tips and Best Practices
Troubleshooting Common Problems
Contributing to Logstash

How to write a Logstash input plugin
How to write a Logstash codec plugin
How to write a Logstash filter plugin
How to write a Logstash output plugin
Documenting your plugin
Contributing a Patch to a Logstash Plugin
Logstash Plugins Community Maintainer Guide
Submitting your plugin to RubyGems.org and the logstash-plugins repository

Contributing a Java Plugin

How to write a Java input plugin
How to write a Java codec plugin
How to write a Java filter plugin
How to write a Java output plugin

Glossary of Terms

Kibana

Introduction
Set Up Kibana

Installing Kibana
Install Kibana with .tar.gz
Install Kibana with Debian Package
Install Kibana with RPM
Install Kibana on Windows
Install Kibana on macOS with Homebrew

Starting and stopping Kibana
Configuring Kibana

APM settings
Code settings
Development tools settings
Graph settings
Infrastructure UI settings
i18n settings in Kibana
Logs UI settings
Machine learning settings
Monitoring settings
Reporting settings
Secure settings
Security settings
Spaces settings

Running Kibana on Docker
Accessing Kibana
Connect Kibana with Elasticsearch
Using Kibana in a production environment
Upgrading Kibana

Standard upgrade
Troubleshooting saved object migrations

Configuring monitoring

Collecting monitoring data
Collecting monitoring data with Metricbeat
Viewing monitoring data

Configuring security

Authentication
Encrypting communications
Audit Logging

Getting Started

Add sample data
Explore Kibana using sample data
Build your own dashboard

Define your index patterns
Discover your data
Visualize your data
Add visualizations to a dashboard

Discover

Setting the time filter
Searching your data

Kibana Query Language
Lucene query syntax
Saving searches
Saving queries
Change the indices you’re searching
Refresh the search results

Filtering by Field
Viewing Document Data
Viewing Document Context
Viewing Field Data Statistics

Visualize

Creating a Visualization
Saving Visualizations
Using rolled up data in a visualization
Line, Area, and Bar charts
Controls Visualization

Adding Input Controls
Global Options

Data Table
Markdown Widget
Metric
Goal and Gauge
Pie Charts
Coordinate Maps
Region Maps
Timelion
TSVB
Tag Clouds
Heatmap Chart
Vega Graphs

Getting Started with Vega
Vega vs Vega-Lite
Querying Elasticsearch
Elastic Map Files
Vega with a Map
Debugging
Useful Links

Inspecting Visualizations

Dashboard

Create a dashboard
Dashboard-only mode

Canvas

Canvas tutorial
Create a workpad
Showcase your data with elements
Present your workpad
Share your workpad
Canvas function reference

TinyMath functions

Extend your use case

Graph data connections

Using Graph
Configuring Graph
Troubleshooting
Limitations

Machine learning

Elastic Maps

Getting started with Elastic Maps

Creating a new map
Adding a choropleth layer
Adding layers for Elasticsearch data
Saving the map
Adding the map to a dashboard

Heat map layer
Tile layer
Vector layer

Vector styling
Vector style properties
Vector tooltips

Plot big data without plotting too much data

Grid aggregation
Most recent entities
Point to point
Term join

Searching your data

Creating filters from your map
Filtering a single layer
Searching across multiple indices

Connecting to Elastic Maps Service
Upload GeoJSON data
Indexing GeoJSON data tutorial
Elastic Maps troubleshooting

Code

Import your first repo
Repo management
Install language server
Basic navigation
Semantic code navigation
Search
Config for multiple Kibana instances

Infrastructure

Getting started with infrastructure monitoring
Using the Infrastructure app
Viewing infrastructure metrics
Metrics Explorer

Logs

Getting started with logs monitoring
Using the Logs app
Configuring the Logs data

APM

Getting Started
Visualizing Application Bottlenecks
Using APM

Filters
Services overview
Traces overview
Transaction overview
Span timeline
Errors overview
Metrics overview
Machine Learning integration
APM Agent configuration
Advanced queries

Uptime

Overview
Monitor

SIEM

Using the SIEM UI
Anomaly Detection with Machine Learning

Dev Tools

Console
Profiling queries and aggregations

Getting Started
Profiling a more complicated query
Rendering pre-captured profiler JSON

Debugging grok expressions

Stack Monitoring

Beats Metrics
Cluster Alerts
Elasticsearch Metrics
Kibana Metrics
Logstash Metrics
Troubleshooting

Management

License Management
Index patterns

Cross-cluster search

Rollup jobs
Index lifecycle policies

Creating an index lifecycle policy
Managing index lifecycle policies
Adding a policy to an index
Example of using an index lifecycle policy

Managing Fields

String Field Formatters
Date Field Formatters
Geographic Point Field Formatters
Numeric Field Formatters
Scripted Fields

Index management
Setting advanced options
Saved objects
Managing Beats
Working with remote clusters
Snapshot and Restore
Spaces
Security

Granting access to Kibana
Kibana role management
Kibana privileges

Watcher
Upgrade Assistant

Reporting from Kibana

Automating report generation
PDF layout modes
Reporting configuration

Reporting and security
Secure the reporting endpoints
Chromium sandbox

Troubleshooting
Reporting integration

REST API

Features API

Get features

Kibana Spaces APIs

Create space
Update space
Get space
Get all spaces
Delete space
Copy saved objects to space
Resolve copy to space conflicts

Kibana role management APIs

Create or update role
Get specific role
Get all roles
Delete role

Saved objects APIs

Get object
Bulk get objects
Find objects
Create object
Bulk create objects
Update object
Delete object
Export objects
Import objects
Resolve import errors

Dashboard import and export APIs

Import dashboard
Dashboard export

Logstash configuration management APIs

Create pipeline
Retrieve pipeline
Delete pipeline
List pipeline

URL shortening API

Shorten URL

Upgrade assistant APIs

Upgrade readiness status
Start or resume reindex
Check reindex status
Cancel reindex

Kibana plugins

Install plugins
Update and remove plugins
Disable plugins
Configure the plugin manager
Known Plugins

Limitations

Nested Objects
Exporting data

Developer guide

Core Development

Considerations for basePath
Managing Dependencies
Modules and Autoloading
Communicating with Elasticsearch
Unit Testing
Functional Testing

Plugin Development

Plugin Resources
UI Exports
Plugin feature registration
Functional Tests for Plugins
Localization for plugins

Developing Visualizations

Embedding Visualizations
Developing Visualizations
Visualization Factory
Visualization Editors
Visualization Request Handlers
Visualization Response Handlers
Vis object
AggConfig object

Add Data Guide
Security

Role-based access control

Pull request review guidelines
Interpreting CI Failures

Beats Platform

Community Beats
Getting started with Beats
Config file format

Namespacing
Config file data types
Environment variables
Reference variables
Config file ownership and permissions
Command line arguments
YAML tips and gotchas

Upgrading

Upgrade between minor versions
Upgrade from 6.x to 7.x
Troubleshooting Beats upgrade issues

Beats Developer Guide

Contributing to Beats
Community Beats
Creating a New Beat

Getting Ready
Overview
Generating Your Beat
Fetching Dependencies and Setting up the Beat
Building and Running the Beat
The Beater Interface
Sharing Your Beat with the Community
Naming Conventions

Creating New Kibana Dashboards

Importing Existing Beat Dashboards
Building Your Own Beat Dashboards
Generating the Beat Index Pattern
Exporting New and Modified Beat Dashboards
Archiving Your Beat Dashboards
Sharing Your Beat Dashboards

Adding a New Protocol to Packetbeat

Getting Ready
Protocol Modules
Testing

Extending Metricbeat

Overview
Creating a Metricset
Metricset Details
Creating a Metricbeat Module
Creating a Beat based on Metricbeat
Metricbeat Developer FAQ

Creating a New Filebeat Module
Migrating dashboards from Kibana 5.x to 6.x

Filebeat

Overview
Getting Started With Filebeat

Step 1: Install Filebeat
Step 2: Configure Filebeat
Step 3: Load the index template in Elasticsearch
Step 4: Set up the Kibana dashboards
Step 5: Start Filebeat
Step 6: View the sample Kibana dashboards
Quick start: modules for common log formats
Repositories for APT and YUM

Setting up and running Filebeat

Directory layout
Secrets keystore
Command reference
Running Filebeat on Docker
Running Filebeat on Kubernetes
Filebeat and systemd
Stopping Filebeat

Upgrading Filebeat
How Filebeat works
Configuring Filebeat

Specify which modules to run
Configure inputs
Manage multiline messages
Specify general settings
Load external configuration files
Configure the internal queue
Configure the output
Configure index lifecycle management
Load balance the output hosts
Specify SSL settings
Filter and enhance the exported data
Parse data by using ingest node
Enrich events with geoIP information
Configure project paths
Configure the Kibana endpoint
Load the Kibana dashboards
Load the Elasticsearch index template
Configure logging
Use environment variables in the configuration
Autodiscover
YAML tips and gotchas
Regular expression support
HTTP Endpoint
filebeat.reference.yml

Beats central management

How central management works
Enroll Beats in central management

Modules

Modules overview
Apache module
Auditd module
AWS module
CEF module
Cisco module
Coredns Module
Elasticsearch module
Envoyproxy Module
Google Cloud module
haproxy module
IBM MQ module
Icinga module
IIS module
Iptables module
Kafka module
Kibana module
Logstash module
MongoDB module
MSSQL module
MySQL module
nats module
NetFlow module
Nginx module
Osquery module
Palo Alto Networks module
PostgreSQL module
RabbitMQ module
Redis module
Santa module
Suricata module
System module
Traefik module
Zeek (Bro) Module

Exported fields

Apache fields
Auditd fields
AWS fields
Beat fields
Decode CEF processor fields fields
CEF fields
Cisco fields
Cloud provider metadata fields
Coredns fields
Docker fields
ECS fields
elasticsearch fields
Envoyproxy fields
Google Cloud fields
haproxy fields
Host fields
ibmmq fields
Icinga fields
IIS fields
iptables fields
Jolokia Discovery autodiscover provider fields
Kafka fields
kibana fields
Kubernetes fields
Log file content fields
logstash fields
mongodb fields
mssql fields
MySQL fields
nats fields
NetFlow fields
NetFlow fields
Nginx fields
Osquery fields
panw fields
PostgreSQL fields
Process fields
RabbitMQ fields
Redis fields
s3 fields
Google Santa fields
Suricata fields
System fields
Traefik fields
Zeek fields

Monitoring Filebeat

Internal collection

Settings for internal monitoring collection

Metricbeat collection

Securing Filebeat

Secure communication with Elasticsearch
Secure communication with Logstash
Use X-Pack security

Grant users access to secured resources
Configure authentication credentials
Configure Filebeat to use encrypted connections

Use Linux Secure Computing Mode (seccomp)

Troubleshooting

Get help
Debug
Common problems

Can’t read log files from network volumes
Filebeat isn’t collecting lines from a file
Too many open file handlers
Registry file is too large
Inode reuse causes Filebeat to skip lines
Log rotation results in lost or duplicate events
Open file handlers cause issues with Windows file rotation
Filebeat is using too much CPU
Dashboard in Kibana is breaking up data fields incorrectly
Fields are not indexed or usable in Kibana visualizations
Filebeat isn’t shipping the last line of a file
Filebeat keeps open file handlers of deleted files for a long time
Filebeat uses too much bandwidth
Error loading config file
Found unexpected or unknown characters
Logstash connection doesn’t work
@metadata is missing in Logstash
Not sure whether to use Logstash or Beats
SSL client fails to connect to Logstash
Monitoring UI shows fewer Beats than expected

A. Contributing to Beats

:

[Kibana] visualize 에서 scripted field 사용하기

Elastic/Kibana 2019. 4. 25. 14:14

예전에는 이 기능이 없어서 code 로 되어 있던 field 에 대해서 가독성 확보가 어려웠는데요.

나온지 한 참 되었는데 혹시 필요 하신 분들이 있을 수도 있어서 기록해 봅니다.

사실은 제가 기억력이 좋지 않아서 복습 차원에 정리 해 보는 내용입니다.

공식 문서)

https://www.elastic.co/guide/en/kibana/current/scripted-fields.html

Scripted Fields | Kibana User Guide [7.0] | Elastic

Use of Groovy, JavaScript, and Python scripting is deprecated starting in Elasticsearch 5.0, and support for those scripting languages will be removed in the future.

www.elastic.co

보통 visualize 에서도 "Advanced" 클릭 하시면 JSON Input 영역에 필요한 script 를 넣을 수 있습니다.

Terms aggregation 을 기본 예로 들면,

{
  "aggs": {
    "1": {
      "terms": {
        "field": "user",
        "size": 100000,
        "order": {
          "_count": "desc"
        }
      }
...중략...
}

Kibana 에서 이 정도 작성이 가능 합니다.

여기서 "min_doc_count" 같은 값을 설정 하고 싶을 경우 위에 이야기한 "Advanced" 를 클릭해서 값을 넣으시면 아래와 같이 등록이 됩니다.

Advacned JSON Input)

{
  "min_doc_count":3
}

최종 Request string)

{
  "aggs": {
    "1": {
      "terms": {
        "field": "user",
        "size": 100000,
        "order": {
          "_count": "desc"
        },
        "min_doc_count":3
      }
...중략...
}

그럼 scripted field 추가를 해보겠습니다.

공식 문서에 자세히 나와 있기 때문에 별도 화면 캡쳐 등의 설명은 하지 않겠습니다.

내용만 발췌 합니다.

Creating a Scripted Field

To create a scripted field:

Go to Management > Kibana > Index Patterns
Select the index pattern you want to add a scripted field to.
Go to the pattern’s Scripted fields tab.
Click Add scripted field.
Enter a name for the scripted field.
Enter the expression that you want to use to compute a value on the fly from your index data.
Click Create field.

이렇게 생성 완료 후 Visualize 에서 Terms aggs 작성 하시면서 Field 쪽에 작성 하신 scripted field 를 넣어 주시면 됩니다.

단, 생성할 때 선택한 index 로 visualize 를 만드셔야지 scripted field 가 노출 됩니다.

아래는 제가 사용한 scripted field 정보 입니다.

Name : code_ko
Lang : painless
Script :
if (doc['code'].value == '1') { '카테고리1' } 
else if (doc['code'].value == '2') {'카테고리2'} 
else if (doc['code'].value == '3') {'카테고리3'} 
else if (doc['code'].value == '4') {'카테고리4'} 
else if (doc['code'].value == '5') {'카테고리5'} 
else if (doc['code'].value == '6') {'카테고리6'} 
else if (doc['code'].value == '7') {'카테고리7'} 
else if (doc['code'].value == '8') {'카테고리8'} 
else if (doc['code'].value == '9') {'카테고리9'} 
else if (doc['code'].value == '10') {'카테고리10'} 
else if (doc['code'].value == '11') {'카테고리11'} 
else if (doc['code'].value == '12') {'카테고리12'}

- pseudocode 로 변경해서 기록 했습니다.

:

[Kibana] start and stop 스크립트

Elastic/Kibana 2018. 7. 5. 09:52

Kibana 실행 스크립트.

$ bin/kibana 귀찮아서 그냥 es 에서 쓰던거 복붙.

[start.sh]

#!/bin/bash

DIR_NAME=`dirname "$0"`

DIR_HOME=`cd $DIR_NAME; cd ..; pwd`

$DIR_HOME/bin/kibana> /dev/null 2>&1 & KIBANA_PID=$!

echo $KIBANA_PID > $DIR_HOME/bin/kibana.pid

[stop.sh]

#!/bin/bash

DIR_NAME=`dirname "$0"`

DIR_HOME=`cd $DIR_NAME; cd ..; pwd`

KIBANA_PID=`cat $DIR_HOME/bin/kibana.pid`

kill -9 $KIBANA_PID

echo "Kibana Daemon($KIBANA_PID) is killed"

rm -f $DIR_HOME/bin/kibana.pid

저작자표시 비영리 변경금지

:

jjeong

'kibana'에 해당되는 글 33건