🔔
KibanaのAlertingをローカルで試してみた
はじめに
docker-composeで起動すると「Additional setup required. You must enable API keys and configure an encryption key to use Alerting.」と表示されてアラートが使えなかったので調べました。
起動
以下の4ファイルを新規フォルダに作成します。
.env
# Version of Elastic products
STACK_VERSION=7.17.6
# Port to expose Kibana to the host
KIBANA_PORT=5601
# Password for our 'elastic' user
ELASTIC_PASSWORD=elastic
# Choose language of Kibana
I18N_LOCALE=en-US
#I18N_LOCALE=ja-JP
KIBANA_PASSWORD=JijS4UDvnv8s5DrrZkQDesym
ENCRYPTIONKEY=a7a6311933d3503b89bc2dbc36572c33a6c10925682e591bffcab6911c06786d
ES_PORT=9200
LICENSE=trial
docker-compose.yml
version: "3.8"
services:
setup:
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- certs:/usr/share/elasticsearch/config/certs
user: "0"
command: >
bash -c '
if [ ! -f config/certs/ca.zip ]; then
echo "Creating CA";
bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
unzip config/certs/ca.zip -d config/certs;
fi;
if [ ! -f config/certs/certs.zip ]; then
echo "Creating certs";
echo -ne \
"instances:\n"\
" - name: esnode1\n"\
" dns:\n"\
" - esnode1\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
" - name: filebeat\n"\
" dns:\n"\
" - esnode1\n"\
" - localhost\n"\
" ip:\n"\
" - 127.0.0.1\n"\
> config/certs/instances.yml;
bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
unzip config/certs/certs.zip -d config/certs;
fi;
echo "Setting file permissions"
chown -R root:root config/certs;
find . -type d -exec chmod 750 \{\} \;;
find . -type f -exec chmod 640 \{\} \;;
echo "Waiting for Elasticsearch availability";
until curl -s --cacert config/certs/ca/ca.crt https://esnode1:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
echo "Setting kibana_system password";
until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://esnode1:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
echo "Good to go!";
'
esnode1:
depends_on:
- setup
image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
volumes:
- certs:/usr/share/elasticsearch/config/certs
- esnode1-data:/usr/share/elasticsearch/data
ports:
- ${ES_PORT}:9200
environment:
- node.name=esnode1
- ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
- bootstrap.memory_lock=true
- discovery.type=single-node
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.key=certs/esnode1/esnode1.key
- xpack.security.http.ssl.certificate=certs/esnode1/esnode1.crt
- xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.http.ssl.verification_mode=certificate
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.key=certs/esnode1/esnode1.key
- xpack.security.transport.ssl.certificate=certs/esnode1/esnode1.crt
- xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.license.self_generated.type=${LICENSE}
ulimits:
memlock:
soft: -1
hard: -1
kibana:
depends_on:
- esnode1
image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
volumes:
- certs:/usr/share/kibana/config/certs
- kibana-data:/usr/share/kibana/data
ports:
- ${KIBANA_PORT}:5601
environment:
- SERVERNAME=kibana
- ELASTICSEARCH_HOSTS=https://esnode1:9200
- ELASTICSEARCH_USERNAME=kibana_system
- ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
- XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=${ENCRYPTIONKEY}
- I18N_LOCALE=${I18N_LOCALE}
filebeat:
depends_on:
- esnode1
image: docker.elastic.co/beats/filebeat:${STACK_VERSION}
command: -strict.perms=false
volumes:
- ./filebeat.yml:/usr/share/filebeat/filebeat.yml
- ./test.log:/var/log/app_logs/test.log
- certs:/usr/share/filebeat/config/certs
environment:
- ELASTICSEARCH_HOSTS=https://esnode1:9200
- ELASTICSEARCH_USERNAME=elastic
- ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD}
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
volumes:
certs:
driver: local
esnode1-data:
driver: local
kibana-data:
driver: local
filebeat.yml
filebeat.inputs:
- type: filestream
id: my-application-logs
enabled: true
paths:
- /var/log/app_logs/*.log
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
username: '${ELASTICSEARCH_USERNAME:}'
password: '${ELASTICSEARCH_PASSWORD:}'
ssl:
certificate_authorities: "/usr/share/filebeat/config/certs/ca/ca.crt"
certificate: "/usr/share/filebeat/config/certs/filebeat/filebeat.crt"
key: "/usr/share/filebeat/config/certs/filebeat/filebeat.key"
test.log
This is log message
作成したフォルダに移動して以下のコマンドを実行します。
# 起動
$ docker-compose up -d
# Good to go!が表示されるまで待つ
$ docker-compose logs -f setup
Attaching to test1_setup_1
setup_1 | Setting file permissions
setup_1 | Waiting for Elasticsearch availability
setup_1 | Setting kibana_system password
setup_1 | Good to go!
test1_setup_1 exited with code 0
- Username: elastic
- Password: elastic
テスト
test.logにログを書き込むとfilebeatが拾って、Analytics>DiscoverやObservability>Logsでログを確認できます。
ログが見れない場合は、docker-compose logs -f filebeatでエラーが出ていないか確認してください。
終了
docker-compose down --volumesで終了します。
次にまた使いたい場合は、--volumesは不要です。
おわりに
アラートが使えなかった原因は、最近のElasticStackだとSSL証明書の設定がないと使えない機能があるからのようでした。
あとObservability>Logsは@timestampがないデータは見れないようで、用意されてるサンプルデータが使えなかったのでFilebeatを入れたりしました。
始めはdocker-compose upするだけだろう!と高を括っていたので、思ったより大変でした…
参考サイト
- https://levelup.gitconnected.com/elasticsearch-kibana-security-authentication-and-network-encryption-enabled-with-docker-e6747a989766
- https://stackoverflow.com/questions/67777260/unable-configure-alerts-and-actions-in-kibana
- https://gigi.nullneuron.net/gigilabs/filebeat-elasticsearch-and-kibana-with-docker-compose/
Discussion