Versions Compared

Old Version 33

changes.mady.by.user Technische Redaktion

Saved on

compared with

New Version Current

changes.mady.by.user Technische Redaktion

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This guide describes how to install the yuuvis® RAD metrics-manager.

...

  • core-service
    • Navigate to the logging configuration of the REST-WS gui page at http://<gateway>/rest-ws/#PAGE:monitor/logging

    • Set the logger "com.os.ecm.ws.metrics" to the log level "TRACE".
      Make sure that "use parent handler" is not checked.

    • The change takes immediate effect.
  • service-manager
    • Edit the file <service-manager>\config\application-prod.yml
    • Set the parameter "monitoring.trace.enabled" to true
    • Save the file and restart the service-manager

...

Elastalert2 (optional)

If you chose to use elastalert2 Elastalert2 to receive e-mail/Teams notifications about critical and error situations, these are the predefined rules that trigger an alert :

...

  • For Kibana a SSL/TLS certifcate in .cer / .crt and .key format is required. Place these two files in the <mertrics-manager>\config folder
  • Open the <metrics-manager>\config\kibana.yml file for editing 
    • Uncomment the following three lines and replace certificate.cer and certificate.key with the file names of your certificate files
      server.ssl.enabled: true
      server.ssl.certificate: ../../../config/certificate.cer
      server.ssl.key: ../../../config/certificate.key

    • Find the below lines and replace the hostname with the exact hostname defined in the certificate
      server.host: "metrics.optimal-systems.de"
      server.name: "metrics.optimal-systems.de"

    • Find the below line and change the protocol from http to https:
      server.publicBaseUrl: "https://metrics.optimal-systems.de:5601"

      (warning) Note: Do the following only if you're also enabling HTTPS for elasticsearch:

    • Find the below line and change the protocol from http to https:
      elasticsearch.hosts: ["https://metrics.optimal-systems.de:5200"]

    • Find the below line and uncomment it. If the used certificate is self-signed, set the value to none, otherwise leave it at full
      elasticsearch.ssl.verificationMode: none
  • Save the file and restart Kibana. It is now accessible via https://metrics.optimal-systems.de:5601.

Elasticsearch

To enable HTTPS in elasticsearch, a certificate in .p12 format (the same as for the gateway microservice) can be used. If Elasticsearch is set to HTTPS communication, the configuration of Kibana and Logstash needs to be changed so that https is used for communication with Elasticsearch. This can be done by following the below steps:

  • Elasticsearch
  • Place the certificate file in the <metrics-manager>\config\elasticsearch folder.
  • Edit the <metrics-manager>\config\elasticsearch\elasticsearch.yml file.
    • Add the following lines at the end of the file. Replace certificate.p12 with the filename of your certificate and 'password' with the password for your certificate
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.verification_mode: certificate
    xpack.security.http.ssl.keystore.path: certificate.p12
    xpack.security.http.ssl.keystore.password: password
    Save the file and restart Elasticsearch. It is now available at https://<certificate-hostname>:5200
    Kibana 
  • If not already configured in the above steps (Kibana), follow these steps to use https communication with Elasticsearch.
    • Find the below line and change the protocol from http to https:
    elasticsearch.hosts: ["https://<certificate-hostname>:5200"]
    Find the below line and uncomment it. If the used certificate is self-signed, set the value to none, otherwise leave it at full
    elasticsearch.ssl.verificationMode: none
    Logstash
  • Edit the <metrics-manager>\config\logstash\logstash.conf file.
    • Find the following lines and change the url from http://<ip>:5200 to For ElastAlert2 to generate links to the new HTTPS address, edit the <metrics-manager>\config\elastalert\elastalert.yaml file and set the URL of the kibana_discover_app_url: parameter to a) use HTTPS and b) use the hostname defined in the certificate instead of an IP address.


  • If you already have a certificate in .p12 format (for example for the gateway microservice) then you can generate the .cer and .key certificate files using the Keystore Explorer tool by the following steps:
    • Open the .p12 certificate in the Keystore Explorer.
    • Right click on the certificate and choose Export → Export certificate chain. This will create the .cer file
    • Right click on the certificate and choose Export → Export private key. Choose PKCS #8 as the format. In the following dialog uncheck encryption. This will generate the .key file.
    • These files can also be use for Logstash (see below).

Elasticsearch

To enable HTTPS in elasticsearch, a certificate in .p12 format (the same as for the gateway microservice) can be used. If Elasticsearch is set to HTTPS communication, the configuration of Kibana, Logstash and ElastAlert2 needs to be changed so that https is used for communication with Elasticsearch. This can be done by following the below steps:

  • Elasticsearch
    • Place the certificate file in the <metrics-manager>\config\elasticsearch folder.
    • Edit the <metrics-manager>\config\elasticsearch\elasticsearch.yml file.
    • Add the following lines at the end of the file. Replace certificate.p12 with the filename of your certificate and 'password' with the password for your certificate
      xpack.security.http.ssl.enabled: true
      xpack.security.http.ssl.verification_mode: certificate
      xpack.security.http.ssl.keystore.path: certificate.p12
      xpack.security.http.ssl.keystore.password: password

    • Save the file and restart Elasticsearch. It is now available at https://<certificate-hostname>:5200
      output {
          elasticsearch {
              hosts =>
  • Kibana 
    For Logstash a SSL/TLS certifcate in .cer / .crt and .key format is required. The .key file needs to be in unencrypted PKCS8 format. Place these two files in the <mertrics
    • If not already configured in the above steps (Kibana), follow these steps to use https communication with Elasticsearch.
    • Find the below line and change the protocol from http to https:
      elasticsearch.hosts: ["https://metrics.optimal-systems.de<certificate-hostname>:5200"]

Logstash


    • Find the below line and uncomment it. If the used certificate is self-signed, set the value to none, otherwise leave it at full
      elasticsearch.ssl.verificationMode: none

  • Logstash
    • Edit the file <metrics-manager>\config\logstash
    folder
    • \logstash.conf.

    Open the <metrics-manager>\config\logstash\logstash.conf file and expand the input section to look like below:

    Code Block
    languagejava
    input {
    • Find the following lines and change the url from http://<ip>:5200 to https://<certificate-hostname>:5200
      output {
          elasticsearch {
              hosts => ["https://metrics.optimal-systems.de:5200"]

  • ElastAlert2
    • Edit the file <metrics-manager>\config\elastalert\elastalert.yaml
    • Uncomment the line 'use_ssl: True'
    • Uncomment the line 'verify_certs: True' and set the value to 'False'

Logstash

  • For Logstash a SSL/TLS certifcate in .cer / .crt and .key format is required. The .key file needs to be in unencrypted PKCS8 format. Place these two files in the <mertrics-manager>\config\logstash folder.

  • Open the file <metrics-manager>\config\logstash\logstash.conf and expand the input section to look like below:

    Code Block
    languagejava
    input {
  # input from filebeat
  beats {
    # the port to listen on
    port => 5044
    ssl => true
    ssl_certificate => "D:\yuuvis\metrics-manager\config\logstash\certificate.cer"
    ssl_key => "D:\yuuvis\metrics-manager\config\logstash\certificate.key"
    ssl_verify_certificatemode => "D:\yuuvis\metrics-manager\config\logstash\certificate.cer"
    ssl_key => "D:\yuuvis\metrics-managernone"
  }
}

    Replace the certificate.cer and certificate.key file names with the actual names of the certificate files. If the certificate is self-signed use ssl_verify_mode with value none (as shown above). Else, use force_peer as value. Only absolute paths are valid.


Filebeat

  • Open the file <metrics-manager>\config\logstash\certificate.key" ssl_verify_mode => "none" } }Replace the certificate.cer and certificate.key file names with the actual names of the certificate files. If the certificate is self-signed use ssl_verify_mode with value none (as shown above). Else, use force_peer as value. Only absolute paths are valid.filebeat.yml file and find the section 'output.logstash'
  • change the hosts parameter to contain the hostname of the certificate instead of an IP.
    output.logstash:
    # The Logstash hosts
    hosts: ["schmittberger.optimal-systems.de:5044"]

  • Add the following two lines right below the hosts parameter (if you have a self-signed certificate use the verification_mode 'none like below else use 'full'):
    ssl.enabled: true
    ssl.verification_mode: none