Module Elasticsearch


(David Okon) #1

About

This module for Icinga Web 2 integrates your Elastic stack into Icinga Web 2. Based on the Elasticsearch instances and event types you configure, the module allows you to display data collected by Beats, Logstash and any other source. After you've installed and configured the module, you can browse events via the host action.


Installation

The Module can be found here

How to install the module can be found here


Additional Info

Documentation on how to configure the module can be found here


To Do’s

We would appreciate it if the community would share their experience with this module in :open_book: written or visual :video_camera: form as a screencast.


(Tomasz Szkudlarek) #2

I'm trying to get this module running atm for some tests on a single PC.
So, I was able to install Elasticsearch on Icinga, winlogbeat on a Windows machine.
Invoking some test REST queries on Elasticsearch shows me some data (winlogbeat by default is configured to gather at least application, system and security logs) - there are events.

The module seems to be working - it does not show any connection issues, the log seems to be fine now (previously I had some issues with connectivity).

The problem: I have trouble configuring the event type, I think.
So:
Event Type Name is unimportant - it's just a name to show?
Instance is chosen.
Index=winlogbeat-* (should be fine, as I checked via the API that all entries begin with winlogbeat-datetime)
Filter= as I understand it, the filter's role is mainly to read logs from a specific host instead of all of them?
But using an asterisk (Filter=*) should get me everything?
What should I use here in the future if I always use FQDNs in Icinga (so the Icinga host is always = Computer in the event log)?
Fields - at least eventid should get me something?
Fields=eventid ?

I'm then trying to get something via the Icinga web interface, but it shows me "no events found". :frowning:
This is my current test configuration:


(Thomas Widhalm) #3

Just a tip for debugging: add Kibana to your setup and you'll see exactly what your events look like and whether any fields are missing or wrongly named.


(Tomasz Szkudlarek) #4

Thank you!
It helped to solve my problems.
Looks like I have to use:
computer_name={host.name}
to compare FQDNs,
and in my example event_id.


(Tomasz Szkudlarek) #5

Just in case someone finds this useful, I ended up with the following filters:
(computer_name={host.name}&log_name=Application)&(level=Fehler|level=Warnung)
for application logs (level error & warning - German systems)
and
(computer_name={host.name}&log_name=System)&(level=Fehler|level=Warnung)
for system logs
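To make the filter semantics from this thread concrete, here is an added Python example (not the module's own code): it parses filters written as field=value terms combined with &, | and parentheses, replaces the {host.name} macro with the Icinga host name as the host action does, and applies the result to constructed winlogbeat-style events. It assumes that & binds tighter than |, that * acts as a glob wildcard, and that the sample hosts and events are made up; how the module itself turns the filter into an Elasticsearch query is not shown here.

```python
import re
from fnmatch import fnmatchcase
# Constructed winlogbeat-style events with the field names from the thread; not real data.
EVENTS = [
    {"computer_name": "pc1.example.test", "log_name": "Application", "level": "Fehler", "event_id": 1000},
    {"computer_name": "pc1.example.test", "log_name": "Application", "level": "Information", "event_id": 1001},
    {"computer_name": "pc1.example.test", "log_name": "System", "level": "Warnung", "event_id": 7036},
    {"computer_name": "pc2.example.test", "log_name": "Application", "level": "Fehler", "event_id": 1000},
]
TOKEN = re.compile(r"\(|\)|&|\||[^()&|=]+=[^()&|]*")  # parenthesis, '&', '|', or field=value

def tokenize(text):
    if TOKEN.sub("", text).strip():  # anything the pattern cannot consume is malformed
        raise ValueError(f"malformed filter: {text!r}")
    return [t.strip() for t in TOKEN.findall(text)]

def parse(tokens):  # recursive descent; assumes '&' binds tighter than '|', parentheses group
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            node = or_expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        field, _, value = tok.partition("=")
        return ("term", field.strip(), value.strip())
    def and_expr():
        node = atom()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            node = ("and", node, atom())
        return node
    def or_expr():
        node = and_expr()
        while tokens and tokens[0] == "|":
            tokens.pop(0)
            node = ("or", node, and_expr())
        return node
    tree = or_expr()
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return tree

def matches(node, event):
    if node[0] == "term":  # glob-style comparison, so '*' acts as a wildcard (assumption)
        return fnmatchcase(str(event.get(node[1], "")), node[2])
    return (all if node[0] == "and" else any)(matches(c, event) for c in node[1:])

def select_events(filter_text, host_name, events=EVENTS):
    # Emulate the host action: {host.name} is replaced by the Icinga host name before filtering.
    tree = parse(tokenize(filter_text.replace("{host.name}", host_name)))
    return [e for e in events if matches(tree, e)]
```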