
elk-stack's Introduction

ELK Stack with Google OAuth

ELK stands for Elasticsearch, Logstash and Kibana. It is being promoted by Elasticsearch as a "devops" logging solution.

This implementation of an ELK stack is designed to run in an AWS EC2 VPC and is secured using Google OAuth 2.0. It consists of one or more instances behind an Elastic Load Balancer (ELB) running the following components:

  • Kibana 5.x
  • Elasticsearch 5.x
  • Logstash 5.x indexer
  • Node.js application proxy

Security

Only the Logstash indexer and the application proxy ports are exposed on the ELB, and all requests to the application proxy for Kibana or Elasticsearch are authenticated using Google OAuth.

Elasticsearch is configured to listen only on the local loopback address. Dynamic scripting has been disabled to address security concerns with remote code execution since elasticsearch version 1.4.3.

Healthcheck

The ELB requires a healthcheck to ensure instances in the load balancer are healthy. To achieve this, access to the root URL for Elasticsearch is available at the path /__es and it is not authenticated.

Log Shippers

via TCP

Shipping logs to the ELK stack via TCP is left as an exercise for the user; however, example configurations are included in the repo under the /examples directory. TBC

A very simple one that reads from stdin and tails a log file then echoes to stdout and forwards to the ELK stack is below:

$ logstash --debug -e '
input { stdin { } file { path => "/var/log/system.log" } }
output { stdout { } tcp { host => "INSERT-ELB-DNS-NAME-HERE" port => 6379 codec => json_lines } }'

via a Kinesis Stream

Logstash is also set up to ingest logs via a Kinesis Stream using the logstash-input-kinesis plugin. You can find the Kinesis stream information in the CloudFormation stack output. The expected input codec is json.

VPC Configuration

This ELK stack assumes your AWS VPC is configured as per AWS guidelines which is to have a public and private subnet in each availability zone for the region. See Your VPC and Subnets guide for more information.

The easiest way to ensure you have the required VPC setup would be to delete your existing VPC, if possible, and then use the Start VPC Wizard which will create a correctly configured VPC for you.

Installation

  1. Go to Google Developer Console and create a new client ID for a web application

    You can leave the URLs as they are and update them once the ELK stack has been created. Take note of the Client ID and Client Secret as you will need them in the next step.

  2. Enable the "Google+ API" for your new client. This is the only Google API needed.

  3. Launch the ELK stack using the AWS console or aws command-line tool and enter the required parameters. Note that some parameters, like providing a Route53 Hosted Zone Name to create a DNS alias for the public ELB, are optional.

  4. Once the ELK stack has launched, revisit the Google developer console and update the URLs, copying the output for GoogleOAuthRedirectURL to AUTHORIZED REDIRECT URI and the same URL but without the path to AUTHORISED JAVASCRIPT ORIGINS.

Plugins

The following elasticsearch plugins are installed:

  • X-Pack - Elastic extension that bundles security, alerting, monitoring, reporting, and graph.
  • EC2 Discovery - uses AWS API for the unicast discovery mechanism.
  • S3 Repository - adds support for using S3 as a repository for Snapshot.

Configuration

This ELK stack CloudFormation template takes many parameters; explanations for each are shown when launching the stack. Note that Route 53 DNS, EBS volumes and S3 snapshots are optional.

Logstash grok patterns can be tested online at https://grokdebug.herokuapp.com/

The Kibana dashboards are configured via the GUI.

License

Guardian ELK Stack Cloudformation Templates and Logcabin Proxy
Copyright 2014-2016 Guardian News & Media

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

elk-stack's People

Contributors

adamnfish, ajohnstone, davidfurey, jbguardian, jfsoul, johnduffell, mchv, nicl, niklasvincent, paulmr, satterly, shaneog, tbonnin, tspacek


elk-stack's Issues

Variables are not set to /opt/logcabin/config.js

Hi, do you know why it can happen?
After stack set up I see variables with @@ in /opt/logcabin/config.js.

Instance is up and responds on KibanaURL, but it sends @@LOGCABIN_HOST to google as callback url.

Remove Google Auth

I would like to explore a version without google oauth. Perhaps a branch that allows only local access?

Add some examples

There should be some useful examples as starting points for logstash configs.

Add support for new instance types

New instance types (e.g. t2, m3, c3) are only supported on HVM AMIs so we need to switch from paravirtual if we want to support them.

Kibana 4 support?

What is the status of Kibana 4 support? I'm happy to submit a PR for this...

See a branch for kibana4-beta3,

Blank Page After Deployment

Hi,

First of all, thanks for this project and your contribution.

the problem

I've been trying to work with it but I've encountered a problem in deployment.
The stack is deployed but I get a blank page when accessing the KibanaURL (plain, with port 8080 and with /__es? path).

the environment

These are my subnets configurations:

Name | subnet id | AZ | default | auto assign public ip | ipv6
Cloud C | 172.31.16.0/20 | eu-west-1c | Yes | Yes | No
Cloud B | 172.31.0.0/20 | eu-west-1b | Yes | Yes | No
Cloud A | 172.31.32.0/20 | eu-west-1a | Yes | Yes | No

In the stack configuration I've mentioned all 3 subnets under private and public subnets.

The private load balancer is getting InService status
The public load balancer is getting OutOfService status

Attempts for resolution

  • I've tried to config the subnets differently without success
  • I've tried adding 3 more subnets for only private mode
  • I've tried to use .json file from kibana4.4 branch
  • I've tried to modify the yaml to explicitly mention the AZ

Related issues

#47
#25

Any help or guidance will be amazing
Thanks

Use hapi to implement the authentication proxy

Hi I recently got my hands on kibana 5. Want to put front end authentication with the help of node.js and SQL. But I am unable to understand where should I start developing the authentication part?

Kibana uses hapi to serve its pages. You could create a Kibana plugin that utilizes hapi's request/response lifecycle hooks to build an authentication plugin for Kibana. You can learn more about creating Kibana plugins here: https://github.com/elastic/kibana/wiki/Plugin-Resources

https://discuss.elastic.co/t/kibana-5-front-end-authentication/52024

See http://hapijs.com/

Launch issue

Hi!
Still have problem deploying this...
Created VPC with 1x private, 1x public subnets, 1 gateway. added subnets for each AZ (2 in my case).
Set up parameters, deployment succeeded. Still getting white screen, error 503. Port 80 seem to be open.
Also LB displays that healthcheck is not passed, vm is outofservice. VM itself is up and running. Used default m4.large... Any advice?

Best regards, Alex.

How to add a log to the ELK

Hi,

Kudos for this project! Great work.

I've managed to create the ELK, and now I can't figure out how to add a new log to it.

I have two cases:

  1. Add log from an instance inside the VPC
  2. Add log from a machine outside the VPC

Any guidance or tip will be more than helpful.

Thanks
Tal

ELKStackMultiAZinPrivateVPC

Hi Guys,

Thanks for this! Impressive to say the least. Got a quick one for you. I try now to deploy this stack but receive the following error:

12:58:24 UTC+0200 ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack ELK The following resource(s) failed to create: [ElkAutoscalingGroup]. . Rollback requested by user.
12:58:23 UTC+0200 CREATE_FAILED AWS::AutoScaling::AutoScalingGroup ElkAutoscalingGroup The availability zones of the specified subnets and the AutoScalingGroup do not match

According to the parameters I give a private subnet and a private subnet on two different AZs. Meaning the private subnet is on EU-WEST-1B and the public subnet is on EU-WEST-1A.

I read a little about it from Netflix from their asgard project. Is my VPC configuration wrong to launch this ELK template to a non-default VPC?

Blank white screen

Hi Guys,

Just tried it again with the updated script and a blank white screen still appears with the following error: 503 (Service Unavailable: Back-end server is at capacity)

I'm using the ElkInstanceType 't2.medium' and the subnets are the same, it shouldn't matter if it wasn't private, right?

Update README documentation

Top level README should include references to:

  • new config option allowed_domain
  • Route53 CNAME being optional
  • link to dashboard config howto
  • links to where head and paramedic are located eg. http://<host>/__es/_plugin/paramedic/

Blank white screen:

With this http error:

Failed to load resource: the server responded with a status of 503 (Service Unavailable: Back-end server is at capacity)

Any ideas?
Thanks for your hard work.

Authentication Problems

I have followed the instructions, and have launched this stack both in a private VPC and a public VPC.

No matter what I do though I get an unauthorized message when I try and navigate to the Kibana URL. I did follow the steps to hook up to Google, but I feel like I must be missing something.

Node.js application crashes when accessing undefined property to match domains to config on Google OAuth.

Find user does not work correctly... also it's no longer "email", it's "emails"...

if (profile._json.email.split('@')[1] === config.allowed_domain) {

{ kind: 'plus#person',
  etag: '"XXXX"',
  gender: 'male',
  emails: [ { value: '[email protected]', type: 'account' } ],
  objectType: 'person',
  id: '106294364523746662729',
  displayName: 'Andrew Johnstone',
  name: { familyName: 'Johnstone', givenName: 'Andrew' },
  url: 'https://plus.google.com/106294364523746662729',
  image: 
   { url: 'https://lh3.googleusercontent.com/-tSOnlR74eYc/AAAAAAAAAAI/AAAAAAAAAE0/wbeKIwt_vLw/photo.jpg?sz=50',
     isDefault: false },
  organizations: 
   [ { name: 'PhotoBox',
       title: 'Core Engineer',
       type: 'work',
       primary: false } ],
  isPlusUser: true,
  language: 'en',
  circledByCount: 29,
  verified: false,
  domain: 'photobox.com' }
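
A domain check that tolerates both profile shapes mentioned in this issue, as an added example (not the logcabin proxy's own code). The function names are hypothetical, `allowedDomain` stands in for `config.allowed_domain`, the profiles are constructed, and rejecting an empty or unsubstituted `@@...` value (as seen in the config.js issue above) is an assumption about the desired behaviour:

```javascript
// Added example, not the project's code. Function names are hypothetical.

// Collect candidate addresses from either profile shape:
// legacy `_json.email` (string) or `_json.emails` ([{ value, type }]).
function profileEmails(profile) {
  const json = (profile && profile._json) || {};
  const out = [];
  if (typeof json.email === 'string') out.push(json.email);
  if (Array.isArray(json.emails)) {
    for (const e of json.emails) {
      // Assumption: only the entry typed 'account' (as in the dump above) counts.
      if (e && typeof e.value === 'string' && e.type === 'account') out.push(e.value);
    }
  }
  return out;
}

// Domain = text after the LAST '@', lower-cased; null when malformed.
// split('@')[1] would mis-read an address containing more than one '@'.
function emailDomain(address) {
  const at = address.lastIndexOf('@');
  if (at <= 0 || at === address.length - 1) return null;
  return address.slice(at + 1).trim().toLowerCase();
}

// Fail closed: a missing profile, missing emails, an empty allowed domain or
// an unsubstituted template placeholder all result in a denial, never a crash.
function isAllowed(profile, allowedDomain) {
  if (typeof allowedDomain !== 'string' || allowedDomain === '') return false;
  if (allowedDomain.startsWith('@@')) return false; // config was never templated
  const want = allowedDomain.toLowerCase();
  return profileEmails(profile).some((a) => emailDomain(a) === want);
}

// Constructed sample profiles (not real accounts).
const plusProfile = { _json: { emails: [{ value: 'alice@example.com', type: 'account' }] } };
const legacyProfile = { _json: { email: 'bob@Example.COM' } };
const emptyProfile = { _json: {} };

console.log(isAllowed(plusProfile, 'example.com'));   // new "emails" shape
console.log(isAllowed(legacyProfile, 'example.com')); // old "email" shape
console.log(isAllowed(emptyProfile, 'example.com'));  // no address: denied, no throw
```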

InternalOAuthError: failed to fetch user profile

On launching the stack the Kibana webpage responds with the following error:

InternalOAuthError: failed to fetch user profile (status: 403 data: {
"error": {
 "errors": [
  {
   "domain": "usageLimits",
   "reason": "accessNotConfigured",
   "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration.",
   "extendedHelp": "https://console.developers.google.com"
  }
 ],
 "code": 403,
 "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration."
}
}
)
   at /opt/logcabin/node_modules/passport-google-oauth/lib/passport-google-oauth/oauth2.js:88:28
   at passBackControl (/opt/logcabin/node_modules/passport-google-oauth/node_modules/passport-oauth/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:123:9)
   at IncomingMessage.<anonymous> (/opt/logcabin/node_modules/passport-google-oauth/node_modules/passport-oauth/node_modules/passport-oauth2/node_modules/oauth/lib/oauth2.js:142:7)
   at IncomingMessage.EventEmitter.emit (events.js:117:20)
   at _stream_readable.js:920:16
   at process._tickCallback (node.js:415:13)

AMI doesn't start ES?

Saw this in the AMI build log:

[18:26:57][Step 1/1]     amazon-ebs: ### NOT starting elasticsearch by default on bootup, please execute
[18:26:57][Step 1/1]     amazon-ebs: sudo update-rc.d elasticsearch defaults 95 10

Suspect we should do something about that.
