🔔

KibanaのAlertingをローカルで試してみた

2022/12/22に公開約6,700字

はじめに

docker-composeで起動すると「Additional setup required. You must enable API keys and configure an encryption key to use Alerting.」と表示されてアラートが使えなかったので調べました。

起動

以下の4ファイルを新規フォルダに作成します。

.env
# Version of Elastic products
STACK_VERSION=7.17.6
# Port to expose Kibana to the host
KIBANA_PORT=5601
# Password for our 'elastic' user
ELASTIC_PASSWORD=elastic
# Choose language of Kibana
I18N_LOCALE=en-US
#I18N_LOCALE=ja-JP

KIBANA_PASSWORD=JijS4UDvnv8s5DrrZkQDesym
ENCRYPTIONKEY=a7a6311933d3503b89bc2dbc36572c33a6c10925682e591bffcab6911c06786d
ES_PORT=9200
LICENSE=trial
docker-compose.yml
version: "3.8"

services:
  setup:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
    user: "0"
    command: >
      bash -c '
        if [ ! -f config/certs/ca.zip ]; then
          echo "Creating CA";
          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
          unzip config/certs/ca.zip -d config/certs;
        fi;
        if [ ! -f config/certs/certs.zip ]; then
          echo "Creating certs";
          echo -ne \
          "instances:\n"\
          "  - name: esnode1\n"\
          "    dns:\n"\
          "      - esnode1\n"\
          "      - localhost\n"\
          "    ip:\n"\
          "      - 127.0.0.1\n"\
          "  - name: filebeat\n"\
          "    dns:\n"\
          "      - esnode1\n"\
          "      - localhost\n"\
          "    ip:\n"\
          "      - 127.0.0.1\n"\
          > config/certs/instances.yml;
          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
          unzip config/certs/certs.zip -d config/certs;
        fi;
        echo "Setting file permissions"
        chown -R root:root config/certs;
        find . -type d -exec chmod 750 \{\} \;;
        find . -type f -exec chmod 640 \{\} \;;
        echo "Waiting for Elasticsearch availability";
        until curl -s --cacert config/certs/ca/ca.crt https://esnode1:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
        echo "Setting kibana_system password";
        until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://esnode1:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
        echo "Good to go!";
      '
  esnode1:
    depends_on:
      - setup
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    volumes:
      - certs:/usr/share/elasticsearch/config/certs
      - esnode1-data:/usr/share/elasticsearch/data
    ports:
      - ${ES_PORT}:9200
    environment:
      - node.name=esnode1
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - bootstrap.memory_lock=true
      - discovery.type=single-node
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/esnode1/esnode1.key
      - xpack.security.http.ssl.certificate=certs/esnode1/esnode1.crt
      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.http.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.key=certs/esnode1/esnode1.key
      - xpack.security.transport.ssl.certificate=certs/esnode1/esnode1.crt
      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=${LICENSE}
    ulimits:
      memlock:
        soft: -1
        hard: -1

  kibana:
    depends_on:
      - esnode1
    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
    volumes:
      - certs:/usr/share/kibana/config/certs
      - kibana-data:/usr/share/kibana/data
    ports:
      - ${KIBANA_PORT}:5601
    environment:
      - SERVERNAME=kibana
      - ELASTICSEARCH_HOSTS=https://esnode1:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
      - XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${ENCRYPTIONKEY}
      - I18N_LOCALE=${I18N_LOCALE}

  filebeat:
    depends_on:
      - esnode1
    image: docker.elastic.co/beats/filebeat:${STACK_VERSION}
    command: -strict.perms=false
    volumes:
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml
      - ./test.log:/var/log/app_logs/test.log
      - certs:/usr/share/filebeat/config/certs
    environment:
      - ELASTICSEARCH_HOSTS=https://esnode1:9200
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD}
      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt

volumes:
  certs:
    driver: local
  esnode1-data:
    driver: local
  kibana-data:
    driver: local
filebeat.yml
filebeat.inputs:
- type: filestream
  id: my-application-logs
  enabled: true
  paths:
    - /var/log/app_logs/*.log
output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
  username: '${ELASTICSEARCH_USERNAME:}'
  password: '${ELASTICSEARCH_PASSWORD:}'
  ssl:
    certificate_authorities: "/usr/share/filebeat/config/certs/ca/ca.crt"
    certificate: "/usr/share/filebeat/config/certs/filebeat/filebeat.crt"
    key: "/usr/share/filebeat/config/certs/filebeat/filebeat.key"
test.log
This is log message

作成したフォルダに移動して以下のコマンドを実行します。

# 起動
$ docker-compose up -d
 
# Good to go!が表示されるまで待つ
$ docker-compose logs -f setup
Attaching to test1_setup_1
setup_1    | Setting file permissions
setup_1    | Waiting for Elasticsearch availability
setup_1    | Setting kibana_system password
setup_1    | Good to go!
test1_setup_1 exited with code 0

http://localhost:5601 を開く

  • Username: elastic
  • Password: elastic

テスト

test.logにログを書き込むとfilebeatが拾って、Analytics>DiscoverやObservability>Logsでログを確認できます。
ログが見れない場合は、docker-compose logs -f filebeatでエラーが出ていないか確認してください。

終了

docker-compose down --volumesで終了します。
次にまた使いたい場合は、--volumesは不要です。

おわりに

アラートが使えなかった原因は、最近のElasticStackだとSSL証明書の設定がないと使えない機能があるからのようでした。
あとObservability>Logsは@timestampがないデータは見れないようで、用意されてるサンプルデータが使えなかったのでFilebeatを入れたりしました。
始めはdocker-compose upするだけだろう!と高を括っていたので、思ったより大変でした…

参考サイト

Discussion

ログインするとコメントできます