Elasticsearch is the distributed, RESTful search and analytics engine at the core of the ELK stack and is used for all types of data. The integration with Elastic log monitoring uses Webhooks to detect data changes and to forward alerts.

After successfully integrating with the Webhooks call-back mechanism, ElasticLog alerts can be viewed in the system. The inbound integration configuration can be used to view ElasticLog monitoring events as system events.

The current ElasticLog version supported for integration is 7.6.1.

OpsRamp configuration

Step 1: Install integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page displays all the installed applications. Note: If there are no installed applications, you are taken to the Available Integrations and Apps page instead.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications, including the newly created application with its version.
  6. Search for the application using the search option available. Alternatively, use the All Categories option to search.
  7. Click ADD on the ElasticLog tile.

Inbound (Optional):

ElasticLog - Inbound configuration

To configure the inbound integration, follow these steps:
Authentication:

  1. Select the Authentication Type as Webhook.

    • Webhook: By default, Webhook is selected as the Authentication Type.
      Make a note of Tenant ID, Token and Webhook URL.
      These details are used while creating an HTTP Request template during ElasticLog configuration.
  2. Map Attributes: Map OpsRamp entity attributes with ElasticLog attributes.

    1. Click +Add from the Map Attributes section.

    2. From the Add Map Attributes window, enter the below information:

      • OpsRamp Entity: Select Alert from the dropdown.
      • OpsRamp Property: Select the OpsRamp property from the dropdown.
      • ElasticLog Entity: Enter the ElasticLog entity value in the box and click the +value from the dropdown to add it. You can add multiple values.
      • ElasticLog Property: Enter the ElasticLog property.

      Parsing Condition:

      1. Click +Add and provide the parsing condition:
      2. Select an operator from the dropdown and enter a value in the fields accordingly. Based on the operator selected, the fields vary.
      3. Click Save. Click +Add to add more conditions.

      Property Values:

      1. Click +Property Value.
      2. Enter a value in the ElasticLog Property Value box and select the appropriate value from the OpsRamp Property Value dropdown.
        The options in the OpsRamp Property Value dropdown appear based on the OpsRamp Property selected.
      3. Click Save.
      • Click +Property Value to add more property values.

      Default Value: Alternatively, you can enter/select a default value in the box.

      Note: To map more attributes, click +Entity.

    3. Click Add Map Attributes. The mapped attributes list is added.

      • Click the three dots icon at the end of each row to edit or remove the map attributes.
      • Use the Filter option to filter the map attributes.

  3. Additional Settings: Select the Drop alerts from unmanaged resources checkbox if you do not want to trigger alerts from unmanaged resources.

  4. Enrich and Create Alert: Select a process definition from the dropdown. You can customize the incoming alerts according to the properties defined in the process definition.

  5. Click Finish.

Default attribute mappings are:

Third-Party Entity   OpsRamp Entity   Third-Party Property   OpsRamp Property (non-editable)
Problem              ALERT            State                  alert.currentState
Problem              ALERT            Metric                 alert.serviceName
Problem              ALERT            Description            alert.description
Problem              ALERT            Xpack_Alert            alert.deviceName
Problem              ALERT            Alert_Id               alert.extAlertId
Problem              ALERT            Subject                alert.subject

  • Attributes can be modified.
  • Mappings are user-selectable and depend on the environment.

ElasticLog configuration

Step 1: Configure Watcher

  1. From the ElasticLog console, select Kibana.
  2. Select Management > Elasticsearch > Watcher.
  3. Click Create to establish a new threshold alert.

Contact support to use the Advanced option instead of Threshold.

Step 2: Create threshold alert

To create an alert and verify if the sample request is received, do the following:

  1. From Watcher, select Create and click Create threshold alert.

  2. Enter the following details:

    • Name: Unique name of the alert.
    • Indices to query: Select the corresponding module from the drop-down menu.
      For example, metricbeat-*.
    • Time field: Select the appropriate field from the drop-down menu.
    • Run watch every: Specify when to run the watch from the drop-down menu.
      For example, run watch for every 1 minute.
    • Match the Condition: Build the condition by editing the sample query condition, choosing the fields and values from the corresponding drop-down menus.
      For example, the Threshold Alert figure shows the top five carriers whose average ticket price is above 100 for the last few days.
  3. Click Add Action, select Webhook from the displayed options, and modify the Webhook details:

    • Method: POST
    • Scheme: https
    • Host: HostName
    • Port: 443
    • Path: Path information in the URL
    • Example URL: https://example.opsramp.com/integrations/alertsWebhook/{tenant Id}/alerts?vtoken=ddwoe3579393829
    • Host: example.opsramp.com
    • Path: /integrations/alertsWebhook/{tenant Id}/alerts/ddwoe3579393829
    • Body (Mustache placeholders such as {{ctx.metadata.name}} are filled in by Watcher when the action runs):
      {
        "Subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
        "Description": "Watch [{{ctx.metadata.name}}] has exceeded the threshold value of {{ctx.metadata.watcherui.threshold}} on {{ctx.metadata.watcherui.index}}",
        "State": "CRITICAL",
        "Alert_Id": "{{ctx.id}}",
        "Trigger_Time": "{{ctx.trigger}}",
        "Xpack_Alert": "{{ctx.metadata.xpack.type}}",
        "Indices": "{{ctx.metadata.watcherui.index}}",
        "Time_Field": "{{ctx.metadata.watcherui.time_field}}",
        "Metric": "{{ctx.metadata.name}}",
        "Payload": "{{ctx}}"
      }
  4. Click Create Alert.

  5. Click Send Request to verify if the sample request is received.

  6. To verify, click Show Request.

Example payload

This is a sample ElasticLog payload that has been validated against the integration:

{
  "Subject": "Watch [Metric_Test] has exceeded the threshold",
  "Description": "Watch [Metric_Test] has exceeded the threshold value of 15 on {0=metricbeat-*} ",
  "State": "CRITICAL",
  "Alert_Id": "_inlined__349ec1fc-49a8-4c20-a85b-d4385167dbb1-2020-03-31T11:40:07.651439Z",
  "Trigger_Time": "{triggered_time=2020-03-31T11:40:07.651394Z, scheduled_time=2020-03-31T11:40:07.651394Z}",
  "Xpack_Alert": "threshold",
  "Indices": "{0=metricbeat-*}",
  "Time_Field": "@timestamp",
  "Metric": "Metric_Test",
  "Payload": "{metadata={name=Metric_Test,
    watcherui={trigger_interval_unit=m,
    agg_type=count,
    time_field=@timestamp,
    trigger_interval_size=1,
    term_size=5,
    time_window_unit=m,
    threshold_comparator=>,
    index=[metricbeat-*],
    time_window_size=1,
    threshold=15}, xpack={type=threshold}},
  watch_id=_inlined_,
  payload={result=125},
  id=_inlined__349ec1fc-49a8-4c20-a85b-d4385167dbb1-2020-03-31T11:40:07.651439Z,
  trigger={triggered_time=2020-03-31T11:40:07.651394Z, scheduled_time=2020-03-31T11:40:07.651394Z},
  vars={},
    execution_time=2020-03-31T11:40:07.651439Z}"
}
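To see how the Step 2 webhook body and the default attribute mappings fit together, here is an added Python example that is not part of the OpsRamp or Elastic documentation. It renders the body template against a Watcher execution context constructed to mirror the sample payload above (the placeholder resolver, the SAMPLE_CTX values and the function names are assumptions, not an Elastic API), checks that the rendered body is still valid JSON even when a value contains quotes, and then applies the default mappings to produce the OpsRamp alert properties.

```python
import json
import re

# Step 2 webhook body template (Mustache-style {{path}} placeholders), joined onto one line.
BODY_TEMPLATE = (
    '{"Subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold",'
    ' "Description": "Watch [{{ctx.metadata.name}}] has exceeded the threshold value of'
    ' {{ctx.metadata.watcherui.threshold}} on {{ctx.metadata.watcherui.index}}",'
    ' "State": "CRITICAL", "Alert_Id": "{{ctx.id}}", "Trigger_Time": "{{ctx.trigger}}",'
    ' "Xpack_Alert": "{{ctx.metadata.xpack.type}}", "Indices": "{{ctx.metadata.watcherui.index}}",'
    ' "Time_Field": "{{ctx.metadata.watcherui.time_field}}", "Metric": "{{ctx.metadata.name}}",'
    ' "Payload": "{{ctx}}"}'
)

# Constructed Watcher execution context, modelled on the sample payload on this page (not real output).
SAMPLE_CTX = {
    "id": "_inlined__349ec1fc-49a8-4c20-a85b-d4385167dbb1-2020-03-31T11:40:07.651439Z",
    "trigger": "{triggered_time=2020-03-31T11:40:07.651394Z, scheduled_time=2020-03-31T11:40:07.651394Z}",
    "metadata": {
        "name": "Metric_Test",
        "xpack": {"type": "threshold"},
        "watcherui": {"threshold": 15, "index": "{0=metricbeat-*}", "time_field": "@timestamp"},
    },
}

# Default attribute mappings from the OpsRamp configuration table: ElasticLog property -> OpsRamp property.
DEFAULT_MAPPINGS = {
    "State": "alert.currentState",
    "Metric": "alert.serviceName",
    "Description": "alert.description",
    "Xpack_Alert": "alert.deviceName",
    "Alert_Id": "alert.extAlertId",
    "Subject": "alert.subject",
}

def render_body(template, ctx):
    """Resolve every {{ctx.a.b}} placeholder against the nested ctx and JSON-escape the value."""
    def resolve(match):
        node = {"ctx": ctx}
        for key in match.group(1).split("."):
            node = node[key]          # KeyError here means the template names a field ctx lacks
        return json.dumps(str(node))[1:-1]  # escape quotes/backslashes so the body stays valid JSON
    return re.sub(r"\{\{([\w.]+)\}\}", resolve, template)

def build_alert(template, ctx):
    """Render the body, parse it (proving it is valid JSON), and map it onto OpsRamp alert properties."""
    payload = json.loads(render_body(template, ctx))
    alert = {opsramp_prop: payload[elastic_prop]
             for elastic_prop, opsramp_prop in DEFAULT_MAPPINGS.items() if elastic_prop in payload}
    return payload, alert
```

Properties not in DEFAULT_MAPPINGS (Trigger_Time, Indices, Time_Field, Payload) are left out of the alert, which is what the "Attributes can be modified" note addresses: add a Map Attributes entry for any of them you want carried into OpsRamp.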

Viewing alerts

  1. Select the Workspace drop-down option and go to Alerts.
  2. Search for ElasticLog as the source name to view alerts.
  3. Click an alert ID.