ELK-based Analytics Installation Guide
This guide shows you how to configure ELK-based Analytics for WSO2 Identity Server. The ELK-based Analytics solution supports ELK version 8.X.X.
Enable Analytics in WSO2 Identity Server
Follow the steps below to enable ELK-based analytics in WSO2 Identity Server.
- Download and install WSO2 Identity Server.
  Note
  For detailed information, see Install WSO2 Identity Server.
- Open the deployment.toml file found in the <IS_HOME>/repository/conf/ directory and add the following configuration.
  [analytics.elk]
  enable=true
- Restart WSO2 Identity Server.
Enable Logs in WSO2 Identity Server
- Open the log4j2.properties file found in the <IS_HOME>/repository/conf directory and add the following configurations.
  - Add ANALYTICS_EVENT_LOGFILE to the list of all appenders as follows:
    appenders = {other appenders} , ANALYTICS_EVENT_LOGFILE
  - Add the following appender configurations:
    appender.ANALYTICS_EVENT_LOGFILE.type = RollingFile
    appender.ANALYTICS_EVENT_LOGFILE.name = ANALYTICS_EVENT_LOGFILE
    appender.ANALYTICS_EVENT_LOGFILE.fileName =${sys:carbon.home}/repository/logs/analytics_events.log
    appender.ANALYTICS_EVENT_LOGFILE.filePattern = ${sys:carbon.home}/repository/logs/analytics_events-%d{MM-dd-yyyy}.%i.log
    appender.ANALYTICS_EVENT_LOGFILE.layout.type = PatternLayout
    appender.ANALYTICS_EVENT_LOGFILE.layout.pattern=TID: [%tenantId] [%appName] [%d] [%X{Correlation-ID}] %5p {%c} — %mm%ex%n
    appender.ANALYTICS_EVENT_LOGFILE.policies.type = Policies
    appender.ANALYTICS_EVENT_LOGFILE.policies.time.type = TimeBasedTriggeringPolicy
    appender.ANALYTICS_EVENT_LOGFILE.policies.time.interval = 1
    appender.ANALYTICS_EVENT_LOGFILE.policies.time.modulate = true
    appender.ANALYTICS_EVENT_LOGFILE.policies.size.type = SizeBasedTriggeringPolicy
    appender.ANALYTICS_EVENT_LOGFILE.policies.size.size=10MB
    appender.ANALYTICS_EVENT_LOGFILE.strategy.type = DefaultRolloverStrategy
    appender.ANALYTICS_EVENT_LOGFILE.strategy.max = 20
    appender.ANALYTICS_EVENT_LOGFILE.filter.threshold.type = ThresholdFilter
    appender.ANALYTICS_EVENT_LOGFILE.filter.threshold.level = INFO
    Note
    To change the name of the log file and its location, change the fileName and filePattern parameters accordingly.
  - Add org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter to the list of all loggers as follows:
    loggers = {other loggers}, org-wso2-carbon-event.output-adapter-logger-LoggerEventAdapter
  - Add the following logger configurations.
    logger.org-wso2-carbon-event.output-adapter-logger-LoggerEventAdapter.name=org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter
    logger.org-wso2-carbon-event.output-adapter-logger-LoggerEventAdapter.level=INFO
    logger.org-wso2-carbon-event.output-adapter-logger-LoggerEventAdapter.appenderRef.CUSTOM_LOGFILE.ref=ANALYTICS_EVENT_LOGFILE
    Note
    The analytics_events.log file will be rolled each day or when the log size reaches the limit of 1000 MB by default. Furthermore, only 10 revisions will be kept and older revisions will be deleted automatically. You can change these configurations by updating the appender configurations above.
- Restart WSO2 Identity Server.
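The log4j2.properties edits above depend on each other: the appender and the logger must both appear in their lists, and the logger must reference the appender. The following check is an added example, not part of the WSO2 documentation; it parses a properties file, reports wiring problems, and returns the rollover values actually configured. The sample text, the stand-in names CARBON_CONSOLE and AUDIT_LOG, and the function names are assumptions made for illustration.

```python
import re

APPENDER = "ANALYTICS_EVENT_LOGFILE"
LOGGER_ID = "org-wso2-carbon-event.output-adapter-logger-LoggerEventAdapter"
LOGGER_CLASS = "org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter"

# Constructed sample: an abridged log4j2.properties after the edits above.
# CARBON_CONSOLE and AUDIT_LOG stand in for "{other appenders}" / "{other loggers}".
SAMPLE = f"""\
appenders = CARBON_CONSOLE, {APPENDER}
appender.{APPENDER}.type = RollingFile
appender.{APPENDER}.name = {APPENDER}
appender.{APPENDER}.policies.size.size=10MB
appender.{APPENDER}.strategy.max = 20
loggers = AUDIT_LOG, {LOGGER_ID}
logger.{LOGGER_ID}.name={LOGGER_CLASS}
logger.{LOGGER_ID}.level=INFO
logger.{LOGGER_ID}.appenderRef.CUSTOM_LOGFILE.ref={APPENDER}
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def check_wiring(text):
    """Return a list of problems in the analytics appender/logger wiring."""
    p = parse_properties(text)
    listed = lambda key: {n.strip() for n in p.get(key, "").split(",")}
    refs = {v for k, v in p.items()
            if k.startswith(f"logger.{LOGGER_ID}.appenderRef.") and k.endswith(".ref")}
    checks = [
        (APPENDER in listed("appenders"), "appender not in 'appenders' list"),
        (p.get(f"appender.{APPENDER}.name") == APPENDER, "appender block missing"),
        (LOGGER_ID in listed("loggers"), "logger not in 'loggers' list"),
        (p.get(f"logger.{LOGGER_ID}.name") == LOGGER_CLASS, "logger name mismatch"),
        (APPENDER in refs, "logger not routed to the analytics appender"),
    ]
    return [msg for ok, msg in checks if not ok]

def rollover_settings(text):
    """Return (max bytes per file, max rollover index) as configured."""
    p = parse_properties(text)
    m = re.fullmatch(r"(\d+)\s*([KMG])B", p[f"appender.{APPENDER}.policies.size.size"], re.I)
    size = int(m.group(1)) * 1024 ** "KMG".index(m.group(2).upper()) * 1024
    return size, int(p[f"appender.{APPENDER}.strategy.max"])
```

To check a real installation, pass the contents of <IS_HOME>/repository/conf/log4j2.properties to check_wiring and rollover_settings instead of SAMPLE.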
Configure ELK
Follow the guides mentioned below to install the ELK components.
Install Elasticsearch
- Install Elasticsearch according to your operating system.
- Make sure Elasticsearch is up and running.
  Note
  Take note of the password generated for the elastic user.
Install Filebeat
- Install Filebeat according to your operating system.
- Open the filebeat.yml file in the root directory and add this configuration.
  Info
  - Replace <IS_HOME> with the location of your WSO2 Identity Server installation.
  - To configure Filebeat to mask sensitive information in logs, follow this guide.
Install Logstash
- Install Logstash according to your operating system.
- In the Logstash directory, create a file with the .conf extension and add these configurations.
  Info
  - Set a password for the elastic super user.
  - Replace <ELASTICSEARCH_HOME>, <ELASTICSEARCH_USERNAME>, <ELASTICSEARCH_USER_PASSWORD> with the corresponding values.
- Start the Logstash server with the -f flag followed by the location of the configuration file you created.
Installing Kibana
- Install Kibana according to your operating system and do this one-time configuration.
- Once Kibana is running, enter its web interface using the following address:
  http://127.0.0.1:5601
Configure ELK Analytics Dashboards
- Navigate to the Kibana installation folder and run the following command to install the Kibana Enhanced Table plugin.
  ./bin/kibana-plugin install https://github.com/fbaligand/kibana-enhanced-table/releases/download/vA.B.C/enhanced-table-A.B.C_X.Y.Z.zip
  Info
  Replace A.B.C with the plugin version and X.Y.Z with the Kibana version you have installed.
- Restart the Kibana service and log in to Kibana.
- On the left navigation panel, under Management, click Stack Management.
- Under Stack Management > Data, click Index Management and go to its Index Templates tab.
- Under the Index patterns column, if you have any index patterns created under the following names, delete them before moving to the next step.
  - wso2-iam-alert-auth*
  - wso2-iam-alert-session*
  - wso2-iam-auth-raw*
  - wso2-iam-session-raw*
  - wso2-iam-session-time-series*
- Download the artifact file here.
- Under Stack Management > Kibana, click Saved Objects.
- Click Import, add the downloaded artifact file as an import object, and click Import.
- Once import is complete, click Done.
- On the left navigation panel, under Analytics, click Dashboards to view the created Auth and Session dashboards.