Elastic Stack & Icinga 2 - types of integration

twidhalm · January 8, 2019, 11:00am

I thought I might give you an overview about what sort of integration of the Elastic Stack and Icinga 2 is possible for now.

Please feel free to add information I missed or which has changed since. Since this is a Wiki, you can edit this post or reply as you see fit.

Warning Be very carful about not creating loops. Having Logstash trigger Notifications in Icinga 2 which will post to Logstash that an Notification was sent might have you ending up with a dead system in a very short time.

Icinga 2 Logs into Elastic Stack

Collect Icinga 2 Logs with Filebeat
Connect Icingabeat to the API of your Icinga 2 Master
Some specialised beats can give you even more insight like Metricbeat or Mysqlbeat

Be aware of some open issues in Icingabeat. Depending on the size of your setup you might not be able to use all options in the configuration.

Logstash Events into Icinga 2

Install the logstash-output-icinga and connect it to the API of you Icinga 2 master
Use the logstash-output-nagios to write into the command pipe of Icinga 2.

You will want to use the Icinga output and connect it to the API, because:

It’s more stable and has a bigger focus in development
It supports higher workloads
It can work with multiple hosts as receivers

Within your Logstash configuration you can use the mutate filter to add tags for Events that should be sent to Icinga 2
Use the following code fragment to only send tagged events to Icinga 2
Make sure that the host object and the service object you are sending events for have exactly the same name in Icinga as they have in the event. (case sensitive!)
This will send passive checks to the core. You can use the passive CheckCommand from the ITL with that.

Here is the Logstash-configuration to check for a tag.

output {
  if "to_icinga" in [tags] {
    icinga {
      ...
    }
  }
}

Elastic Stack and Icinga Web 2

https://github.com/Icinga/icingaweb2-module-elasticsearch

This module will intergrate the result of Elasticsearch Queries into Icinga Web 2. With being a bit cautious about your naming conventions or using your Logstash configuration to clean up the object names you can create matches between Logevents and Objects in Icinga.