Integration with Logstash and Elasticsearch
DPBuddy allows you to collect and analyze DataPower logs and various metrics and statuses (e.g., memory, CPU, objects up/down) using the popular open-source Elasticsearch/Logstash/Kibana (ELK) stack.
To enable log collection, DPBuddy provides plugins for Logstash.
DPBuddy supports the syslog format as well as the SOAP/XML format supported by DataPower. You can use the “push” approach by creating a log target in DataPower pointing to the machine running Logstash with the syslog or HTTP listeners (configured as Logstash input plugins). Alternatively, you can periodically “pull” log files from DataPower using the dpdownload plugin, in which case no special DataPower configuration is required.
DPBuddy also comes with a number of predefined queries for Kibana to make it easier to analyze DataPower logs and metrics. You can also easily create your own queries and dashboards using Kibana's powerful visualization capabilities.
Before you can start analyzing your logs in ELK, you need to install the plugins provided by DPBuddy.
DPBuddy’s Logstash Plugins Installation
DPBuddy plugins are regular Logstash plugins, so you can use all the plugin management commands that come with Logstash.
Use the logstash-plugin install command to install DPBuddy plugins.
Before installing DPBuddy plugins, you will need to add the MyArch plugin repository to Logstash.
To enable this repository, modify the file “Gemfile” located in the root of your Logstash installation (e.g., “/opt/logstash-5.2.0/Gemfile”). Usually, this file defines only the default rubygems repository at the top:
source "https://rubygems.org"
Insert the following line right after the line above:
source "http://nexus.myarch.com/repository/rubygems/"
Now you can run the logstash-plugin install command to install a plugin, e.g.:
bin/logstash-plugin install logstash-filter-datapowerlog
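You can verify that the installation succeeded by listing the plugin:
bin/logstash-plugin list logstash-filter-datapowerlog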
Elasticsearch/Kibana Setup
We recommend saving DataPower logs into their own set of indexes to distinguish them from other data that may be stored in Elasticsearch.
Logstash will create the Elasticsearch index automatically when you start sending data to Elasticsearch. It will also rotate indexes based on the date pattern provided in the index setting of the “elasticsearch” output plugin.
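For instance, the daily rotation pattern used in the pipeline examples below is specified like this:
elasticsearch {
  # A new index (e.g., dp-log-2017.07.05) is created every day
  index => "dp-log-%{+YYYY.MM.dd}"
}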
We recommend creating an index template for the indexes that will be used for DataPower logs and metrics as follows:
PUT _index_template/dp-log
{
  "index_patterns": ["dp-log*"],
  "template": {
    "mappings": {
      "properties": {
        "tech": {
          "type": "text",
          "index": false
        },
        "event_type": {
          "type": "text",
          "index": false
        },
        "host": {
          "type": "text",
          "index": false
        },
        "node": {
          "type": "text",
          "index": false
        },
        "type": {
          "type": "text"
        }
      }
    }
  }
}
Hint
You can run all Elasticsearch APIs from the Dev tools console in Kibana.
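For example, to confirm that the template above was created, you can run:
GET _index_template/dp-log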
To start viewing data in Kibana, go to “Management/Index Patterns” and add the index pattern “dp*”. You can then go back to “Discover” in Kibana and start viewing your logs and metrics.
You can easily create custom queries in Kibana using its intuitive UI.
You can also download and import our pre-canned DataPower-related searches from the MyArch website. Once you have downloaded the JSON file with the queries, import it into your Kibana instance from the “Management/Kibana/Saved Objects” screen. You can then modify these searches as needed.
Logstash DataPower Log Plugin
DPBuddy provides a Logstash filter plugin that parses DataPower log records and generates JSON for consumption in Elasticsearch or any other log management tool supported by Logstash via one of its output plugins.
The filter plugin supports DataPower syslog and SOAP/XML log formats.
The plugin extracts all the key data elements from DataPower log entries, including DataPower object/class, domain, transaction ID, global transaction ID (gtid), DataPower host name, level, category and others. These data elements are available in Elasticsearch/Kibana as fields that can be searched on or used in visualizations.
Normally, these fields are embedded in syslog messages using a DataPower-proprietary format, so the plugin saves you from having to parse the syslog messages with regexps or a similar labor-intensive approach.
The output of the plugin may look like the following JSON:
{
  "@timestamp": "2017-07-05T18:21:25.754Z",
  "appName": "app-services",
  "category": "xmlfirewall",
  "client_host": "172.16.253.1",
  "dp": {
    "class": "xmlfirewall",
    "domain": "e2e-test",
    "object": "testFirewall"
  },
  "environment": "dev",
  "event_type": "LOG_ENTRY",
  "global_tran_id": 89024,
  "host": "172.16.253.15",
  "level": "info",
  "message": "rule (testFirewall_request): selected via match 'testFirewall' from processing policy 'testFirewall'",
  "message_id": "0x80e000b4",
  "src_log_format": "syslog",
  "tags": [
    "datapower",
    "datapower_log"
  ],
  "tech": "DataPower",
  "tran_id": 89024,
  "tran_type": "request",
  "type": "dp.log"
}
The plugin integrates with the dpbuddy config file (dpbuddy.conf). It reads DataPower environment/device configuration from that file and can optionally add information from the environment definition (e.g., an environment name or other metadata) as fields to the Elasticsearch events. This allows you to tag log entries with information about the DataPower devices, domains or services the logs originated from.
The plugin supports the following log message formats; the format can be specified using the plugin's “format” setting (see the example after the list):
syslog. Requires using the Logstash syslog input and the syslog log target type on DataPower.
xml. Requires using the Logstash http input and the SOAP log target type on DataPower. The target format must be set to “XML” and the timestamp format must be set to “syslog”.
file. Requires using the Logstash file input and the “file” target type on DataPower. The log format must be “syslog” and the timestamp format must be set to “zulu”. Log files can be mounted on a shared NFS filesystem, or you can use the dpdownload plugin to periodically download log files from DataPower.
auto. DPBuddy will automatically determine the format of a log message based on the metadata generated by Logstash.
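For example, a minimal filter configuration that forces the syslog format rather than relying on auto-detection:
filter {
  datapowerlog {
    # Parse incoming messages as DataPower syslog records
    format => "syslog"
  }
}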
Hint
For the syslog and xml formats, the machine running Logstash must be reachable from DataPower and its ports must be open so that DataPower can send traffic to it.
You also need to ensure accurate clock settings (NTP) on all DataPower devices.
To start using the plugin, create the appropriate log targets in DataPower (unless you plan to use the “dpdownload” plugin; see below) and then install the plugin in Logstash:
bin/logstash-plugin install logstash-filter-datapowerlog
Next, create a Logstash pipeline that includes a DataPower input (syslog, http or file), the DataPower log filter and an output (e.g., Elasticsearch).
Here is an example of the syslog pipeline:
input {
  # Input to handle the syslog log target on DataPower. Define the target and point it to the Logstash server. This input handles both UDP and TCP syslog.
  syslog {
    port => 5514
    tags => ["datapower", "datapower_log"]
  }
}
filter {
  if "datapower_log" in [tags] {
    # DataPower log plugin provided by DPBuddy. The plugin will convert syslog messages coming from DataPower to proper JSON.
    datapowerlog {
      conf_file => "${LS_DP_PLUGIN_HOME}/../conf/dpbuddy.conf"
    }
  }
}
output {
  # You can dump the output to the console for testing purposes
  stdout {
    codec => json_lines
  }
  # Save the output of the filter plugin in Elasticsearch
  if "datapower_log" in [tags] {
    elasticsearch {
      # Name of the index to store DataPower logs.
      # Use patterns so that a new index is created daily.
      index => "dp-log-%{+YYYY.MM.dd}"
      # Update these values to specify where Elasticsearch instances are located
      hosts => ["127.0.0.1:9200","127.0.0.2:9200"]
    }
  }
}
The SOAP/XML/HTTP pipeline can be defined in a similar way (only the input and the filter are shown):
input {
  # Input to handle HTTP/SOAP log messages (point the DataPower log target to <logstash host>:6080)
  http {
    port => 6080
    tags => ["datapower", "datapower_log"]
  }
}
filter {
  if "datapower_log" in [tags] {
    # DataPower log plugin provided by DPBuddy. The plugin will convert SOAP/XML coming from DataPower to proper JSON.
    datapowerlog {}
  }
}
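To test this pipeline, you can post a sample message to the http input with curl; the file sample-log.xml below is just a placeholder for a captured DataPower SOAP/XML log message:
curl -X POST -H "Content-Type: text/xml" --data @sample-log.xml http://localhost:6080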
The DataPower log plugin creates a number of fields, including log category, log level, transaction ID, DataPower domain, and DataPower object class/name. It also correctly sets the “@timestamp” field based on the content of a SOAP message or a log file.
You can run your pipeline as usual:
bin/logstash -f syslog-dp-input.conf
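You can also validate the pipeline configuration without starting Logstash and, once Logstash is running, send a test message to the syslog input (the logger options below are from util-linux and may differ on your system):
# Check the pipeline configuration and exit
bin/logstash -f syslog-dp-input.conf --config.test_and_exit
# Send a test syslog message over TCP to the port defined in the syslog input
logger -n 127.0.0.1 -P 5514 -T "test message"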
Plugin Configuration Options
| Name | Description | Required |
|---|---|---|
| add_tag | If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. You must provide tags in the array format. | No |
| conf_file | Path to the dpbuddy config file (dpbuddy.conf). The plugin will find a matching entry in dpbuddy.conf and use the “environment” property of that entry as the value of the “env” field. Additionally, all fields under the “analyticsInfo” key will be copied into the Elasticsearch event. The plugin uses the value of the “host” field to search for an environment definition in dpbuddy.conf. The host must match either “dpUrl” or “host” in the environment. | No |
| format | “auto”, “syslog”, “xml” or “file”. Defaults to “auto”. | No |
| infer_host_domain | This setting applies to the “file” format. The “dpdownload” plugin can automatically create a directory structure in the format host/domain, with the logs stored under the appropriate domain. If “infer_host_domain” is set to “true”, the plugin will derive the host and domain fields from this directory structure. | No |
| preserve_fields | If set to “true”, the original fields created by the Logstash input are preserved on the event after parsing. Defaults to “false”. | No |
When dealing with the syslog format and when the log target is defined at a domain level, the plugin allows for using the “Local identifier” field in DataPower to specify the host alias and the domain in the format “hostalias--domainname”. Note the use of two dashes as the separator.
For example, when encountering the identifier “dp7-qa--e2e-test”, DPBuddy will add “dp7-qa” to the array of aliases and it will use “e2e-test” as the domain name.
Note that the “Local identifier” field must not contain underscores.
Below is an example of using dpbuddy.conf to provide additional metadata for log entries (when “conf_file” is set):
// dev environment
dev: {
  dpUrl: dev-dp
  // this value will be used in the "env" field of the log entry
  environment: "dp-dev"
  dpDomain: default
  // host can be used for matching the host from the log entry if it is different from dpUrl
  host: "172.16.253.15"
  // we can add any fields to the log entry, e.g., the appName
  analyticsInfo: {appName: fin-services}
}
Logstash DataPower File Download Plugin
DPBuddy provides a Logstash input plugin that periodically downloads log files from DataPower using DPBuddy's download command. The plugin downloads files only if they have changed on DataPower. The plugin should be used in conjunction with the Logstash file plugin. The file plugin detects changes in the downloaded files (including log rotation) and “tails” them, creating events containing the unparsed message and other fields. The DataPower log plugin will then parse the message field and create DataPower-specific fields, such as the DataPower object's class/name.
To install the plugin (make sure that the MyArch plugin repository was added to Logstash before running this command):
bin/logstash-plugin install logstash-input-dpdownload
Then create your pipeline, e.g.:
input {
  dpdownload {
    interval => 60
    device => "dp1,dp2"
    conf_file => "./conf/dpbuddy.conf"
    # Download default log files, including rotated files, excluding XML logs.
    # We recommend creating a custom file target instead of directly using the default log.
    include => "logtemp:/default-log(\..*|$)"
    # Save to dplogs, append the host name
    to_dir => "/var/dplogs"
  }
  file {
    # Read all updated files in the dplogs__<host name> directories; the path must be absolute
    path => "/var/dplogs*/*"
    start_position => "beginning"
    tags => ["datapower", "datapower_log"]
  }
}
filter {
  # Parse log messages, create DataPower-specific fields
  datapowerlog {}
}
Plugin Configuration Options
Most of the configuration options of the plugin are the same as those of the download command. To be consistent with other Logstash plugins, option names use the underscore naming convention.
| Name | Description | Required |
|---|---|---|
| conf_file | Path to the DPBuddy configuration file. The “device” option must point to environment names from that file. | Yes |
| create_host_dir | If set to “true”, the host name is appended to “to_dir” so that files from each device are saved into their own per-host directory (e.g., dplogs__<host name>). | No |
| device | Environment (device) name from the DPBuddy configuration file. The device definition includes the DataPower host or URL and username/password. You can provide multiple environments/devices separated by commas, in which case the plugin will download files from each of the devices. | Yes |
| domain | DataPower domain to download the logs from. | No |
| download_if_changed | If set to “true”, files are downloaded only if they have changed on DataPower since the last download. Defaults to “true”. | No |
| include | Regular expression pattern defining which files to download. The match is done against the entire path of a file, including the filesystem (e.g., logtemp:/default-log). | Yes |
| interval | Interval at which to run the download command, in seconds. The interval should be determined based on the volume of messages in your log files. Defaults to 120 seconds. | No |
| to_dir | Local directory where the files are saved. | Yes |
You can use the “dpdownload” plugin to download the default logs. Use the following pattern, which matches the default-log file itself as well as its rotated copies:
include => "logtemp:/default-log(\..*|$)"
Custom log files (created using custom log targets) can be downloaded as follows:
include => "logstore:/e2e-test/.*log"
Saving DPBuddy Audit Log in Elasticsearch
DPBuddy generates a detailed audit log in JSON format. Saving this log in Elasticsearch can be beneficial, as it greatly facilitates troubleshooting and other kinds of log analysis.
This can be done using Logstash by creating a very simple pipeline with the “file” input. You can also make it part of your main pipeline dealing with DataPower logs:
input {
  # Input to handle the syslog log target on DataPower. Define the target and point it to the Logstash server. This input handles both UDP and TCP syslog.
  syslog {
    port => 5514
    tags => ["datapower", "datapower_log"]
  }
  # Pick up the DPBuddy audit log too
  file {
    path => "/Users/aananiev/.dpbuddy/log/dpbuddy-audit.log"
    start_position => "beginning"
    codec => json
    tags => ["datapower", "datapower_audit"]
  }
}
filter {
  if "datapower_log" in [tags] {
    # DataPower log plugin provided by DPBuddy. The plugin will convert syslog events coming from DataPower to proper JSON.
    datapowerlog {
      conf_file => "${LS_DP_PLUGIN_HOME}/../conf/dpbuddy.conf"
    }
  }
}
output {
  # You can dump the output to the console for testing purposes
  stdout {
    codec => json_lines
  }
  # Save the output of the filter plugin in Elasticsearch
  if "datapower_log" in [tags] {
    elasticsearch {
      # Name of the index to store DataPower logs.
      # Use patterns so that a new index is created daily.
      index => "dp-log-%{+YYYY.MM.dd}"
      # Update to specify where Elasticsearch is located
      hosts => ["127.0.0.1:9200","127.0.0.2:9200"]
    }
  }
  # Save the audit log in a different index
  if "datapower_audit" in [tags] {
    elasticsearch {
      # Name of the index to store DPBuddy audit records.
      # Use patterns so that a new index is created daily.
      index => "dp-audit-%{+YYYY.MM.dd}"
      # Update to specify where Elasticsearch is located
      hosts => ["127.0.0.1:9200","127.0.0.2:9200"]
    }
  }
}
Another option is to use the Filebeat shipper instead of Logstash.
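For example, a minimal Filebeat sketch (assuming Filebeat 7.16 or later with the filestream input; the path and hosts here are placeholders to adjust for your environment):
filebeat.inputs:
  - type: filestream
    id: dpbuddy-audit
    paths:
      - /Users/aananiev/.dpbuddy/log/dpbuddy-audit.log
    parsers:
      # The audit log is already JSON; parse each line into fields
      - ndjson:
          target: ""

output.elasticsearch:
  hosts: ["127.0.0.1:9200"]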