Elastic Streaming Output and Integration

George Alpizar
George Alpizar
  • Updated

Overview

The Elastic output will stream analytics and insights to your Elasticsearch environment.

Before you begin

We recommend that you review and complete the steps listed in the Configure Elastic Index for the Agent document.

  • This process will help you prepare your Elasticsearch environment to become an Edge Delta streaming target.

Review Sample Configuration

The following sample configuration displays an output without the name of the organization-level integration:

    - name: elastic-cloud
      type: elastic
      index: "index name"
      cloud_id: "<ADD ELASTICSEARCH CLOUD_ID>"
      token: "<ADD ELASTICSEARCH TOKEN>"
      features: metric,cluster,context
    - name: elastic-local
      type: elastic
      index: "index name"
      user: elastic
      password: '{{ Env "TEST_ELASTIC_PWD" }}'
      address:
        - elasticnode1
    - name: elastic-send-as-is
      type: elastic
      index: "index name"
      user: elastic
      password: '{{ Env "TEST_ELASTIC_PWD" }}'
      address:
        - elasticnode1
      features: edac
      send_as_is: true
      edac_enrichment:
        edac_id_field: "edac_id" 
        metric_name_field: "name"
    - name: elastic-opensearch-with-rolearn
      type: elastic
      index: "index name"
      region: "us-west-2"
      role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
      external_id: "external_id"
      address:
        - opensearch_domain_endpoint
      custom_tags:
        "app": "test"  
        "region": "us-west-2"
        "File Path": "{{.FileGlobPath}}"
        "K8s PodName": "{{.K8sPodName}}"
        "K8s Namespace": "{{.K8sNamespace}}"
        "K8s ControllerKind": "{{.K8sControllerKind}}"
        "K8s ContainerName": "{{.K8sContainerName}}"
        "K8s ContainerImage": "{{.K8sContainerImage}}"
        "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
        "ECSCluster": "{{.ECSCluster}}"
        "ECSContainerName": "{{.ECSContainerName}}"
        "ECSTaskVersion": "{{.ECSTaskVersion}}"
        "ECSTaskFamily": "{{.ECSTaskFamily}}"
        "DockerContainerName": "{{.DockerContainerName}}"
        "ConfigID": "{{.ConfigID}}"
        "Host": "{{.Host}}"
        "Source": "{{.Source}}"
        "SourceType": "{{.SourceType}}"
        "Tag": "{{.Tag}}"
        "logical_source": '{{ index .CustomTags "logicalSource" }}'  
        "url": '{{ index .ObservationTags "url" }}' 
        "cluster": '{{ index .ObservationTags "cluster" }}' 
    - name: elastic-opensearch
      type: elastic
      index: "index name"
      region: "us-west-2"
      address:
        - opensearch_domain_endpoint
    - name: elastic-apm
      type: elastic
      index: "index name"
      user: elastic
      password: '{{ Env "TEST_ELASTIC_PWD" }}'
      address:
        - elasticnode1
      features: log
      apm_server_url: http://localhost:8200
      apm_token: test-token

Review Parameters

Review the following parameters that you can configure in the Edge Delta App.


name

Required 

Enter a descriptive name for the output or integration.

For outputs, this name will be used to map this destination to a workflow.

Review the following example:

name: elastic-cloud

integration_name

Optional

This parameter refers to the organization-level integration created in the Integrations page. 

If you need to add multiple instances of the same integration into the config, then you can add a custom name to each instance via the name parameter. In this situation, the name should be used to refer to the specific instance of the destination in the workflows.

Review the following example:

integration_name: orgs-elastic

type

Required

Enter elastic.

Review the following example:

type: elastic

index

Optional 

Enter the name of the Elastic index (or index template) where Edge Delta should stream the data. 

Review the following example:

index: "index name"

cloud_id

Optional 

Enter the cloud ID of the Elasticsearch backend.

You must enter a Cloud ID or an Address

Review the following example:

cloud_id: "<ADD ELASTICSEARCH CLOUD_ID>"

user

Optional 

Enter the username of the Elasticsearch credentials.

Note

For authentication, you must provide either a token or a user/password.

You cannot enter both parameters.

Review the following example:

user: elastic

password

Optional

Enter the password for the connecting user.

Note

For authentication, you must provide either a token or a user/password.

You cannot enter both parameters.

Review the following example:

password: '{{ Env "TEST_ELASTIC_PWD" }}'

token

Optional 

Enter the Elasticsearch API key.

Note

For authentication, you must provide either a token or a user/password.

You cannot enter both parameters.

Review the following example:

token: "<ADD ELASTICSEARCH TOKEN>"

address

Optional 

Enter the address list of the Elasticsearch backend.

You must enter a Cloud ID or an Address

To locate your Elasticsearch URL, review these forum topics from Elasticsearch: 

Review the following example:

address:
  - opensearch_domain_endpoint

region

Optional 

Enter the AWS region destination to send logs.

Review the following example:

region: "us-west-2"

role_arn

Optional

To assume an AWS IAM role, enter the account ID and role name:

  • role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"

Review the following example:

role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"

external_id

Optional 

Enter a unique identifier to avoid a confused deputy attack.

Review the following example:

external_id: "external_id"

send_as_json

Optional 

Enter true or false to enable or disable this feature. 

If you enter true, then Edge Delta will send logs without a defined JSON object wrapping. In other words, no metadata will be attached. 

The configured index should handle the mapping of the fields in the JSON log. 

Review the following example:

send_as_json: true

apm_server_url

Optional 

This parameter only applies if you are using an elastic APM tracer.

  • Specifically, this parameter will enable forwarding to the Elastic APM server. 

Review the following example:

apm_server_url: http://localhost:8200

apm_token

Optional 

This parameter only applies if you are using an elastic APM tracer.

  • Specifically, this parameter will enable forwarding to the Elastic APM server and the APM server URL. 
  • If you do not specify a token, then anonymous authentication will be used.  

Review the following example:

apm_token: test-token

edac_enrichment: edac_id_field

Optional

Enter a field name to display in the final JSON object. The EDAC's ID will display as a value. 

Review the following example:

edac_enrichment:
  edac_id_field: "edac_id"

edac_enrichment: metric_name_field

Optional 

Enter a field name to display in the final JSON object. The EDAC's metric name will display as a value. 

Review the following example:

edac_enrichment: 
metric_name_field: "name"

custom_tags

Optional 

This parameter defines key-value pairs that are streamed with every request.

Review the following example:

      custom_tags:
        "app": "test"  
        "region": "us-west-2"
        "File Path": "{{.FileGlobPath}}"
        "K8s PodName": "{{.K8sPodName}}"
        "K8s Namespace": "{{.K8sNamespace}}"
        "K8s ControllerKind": "{{.K8sControllerKind}}"
        "K8s ContainerName": "{{.K8sContainerName}}"
        "K8s ContainerImage": "{{.K8sContainerImage}}"
        "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
        "ECSCluster": "{{.ECSCluster}}"
        "ECSContainerName": "{{.ECSContainerName}}"
        "ECSTaskVersion": "{{.ECSTaskVersion}}"
        "ECSTaskFamily": "{{.ECSTaskFamily}}"
        "DockerContainerName": "{{.DockerContainerName}}"
        "ConfigID": "{{.ConfigID}}"
        "Host": "{{.Host}}"
        "Source": "{{.Source}}"
        "SourceType": "{{.SourceType}}"
        "Tag": "{{.Tag}}"
        "logical_source": '{{ index .CustomTags "logicalSource" }}' 
        "url": '{{ index .ObservationTags "url" }}' 
        "cluster": '{{ index .ObservationTags "cluster" }}' 

features

Optional 

This parameter defines which data types to stream to the destination.

To learn more, review the Review Feature Types section in Stream Outputs and Integrations Overview.

Review the following example: 

features: metric,cluster,context

buffer_ttl

Optional

Enter a length of time to retry failed streaming data.

After this length of time is reached, the failed streaming data will no longer be tried.

Review the following example: 

buffer_ttl: 2h

buffer_path

Optional

Enter a folder path to temporarily store failed streaming data.

The failed streaming data will be retried until the data reaches its destinations or until the Buffer TTL value is reached.

If you enter a path that does not exist, then the agent will create directories, as needed.

Review the following example: 

buffer_path: /var/log/edgedelta/pushbuffer/

buffer_max_bytesize

Optional 

Enter the maximum size of failed streaming data that you want to retry.

If the failed streaming data is larger than this size, then the failed streaming data will not be retried.

Review the following example: 

buffer_max_bytesize: 100MB

Related Documentation

To learn how to set up an elastic index that works with the Edge Delta agent, see Configure an Elastic Index for the Agent.


Share this document