Elastic Streaming Output and Integration

George Alpizar

Overview

The Elastic output will stream analytics and insights to your Elasticsearch environment.

Before you begin

We recommend that you review and complete the steps listed in the Configure Elastic Index for the Agent document.

  • This process will help you prepare your Elasticsearch environment to become an Edge Delta streaming target.

Review Parameters

Review the following parameters that you can configure in the Edge Delta App. Each parameter is listed by its YAML key, followed by its description:
name

Enter a descriptive name for the output or integration.

For outputs, this name will be used to map this destination to a workflow.

This parameter is required. 

Review the following example:

name: elastic-cloud
integration_name

This parameter only appears when you create an individual output.

This parameter refers to the organization-level integration created in the Integrations page. If you enter this name, then the rest of the fields will be automatically populated.

If you need to add multiple instances of the same integration into the config, then you can add a custom name to each instance via the name field. In this situation, the name should be used to refer to the specific instance of the destination in the workflows.

This parameter is optional. 

Review the following example:

integration_name: orgs-elastic
type

Enter elastic.

This parameter is required. 

Review the following example:

type: elastic
index

Enter the name of the Elastic index (or index template) where Edge Delta should stream the data. 

This parameter is optional. 

Review the following example:

index: "index name"
cloud_id

Enter the cloud ID of the Elasticsearch backend.

You must enter either a Cloud ID or an Address.

This parameter is optional. 

Review the following example:

cloud_id: "<ADD ELASTICSEARCH CLOUD_ID>"
user

Enter the username of the Elasticsearch credentials.


Note

For authentication, you must provide either a token or a user/password.

You cannot enter both parameters.

This parameter is optional. 

Review the following example:

user: elastic
password

Enter the password for the connecting user.

Note

For authentication, you must provide either a token or a user/password.

You cannot enter both parameters.

This parameter is optional. 

Review the following example:

password: '{{ Env "TEST_ELASTIC_PWD" }}'
token

Enter the Elasticsearch API key.

Note

For authentication, you must provide either a token or a user/password.

You cannot enter both parameters.

This parameter is optional. 

Review the following example:

token: "<ADD ELASTICSEARCH TOKEN>"
address

Enter the address list of the Elasticsearch backend.

You must enter either a Cloud ID or an Address.

To locate your Elasticsearch URL, review these forum topics from Elasticsearch: 

This parameter is optional. 

Review the following example:

address:
  - opensearch_domain_endpoint
region

Enter the AWS region destination to send logs.

This parameter is optional. 

Review the following example:

region: "us-west-2"
role_arn

To assume an AWS IAM role, enter the ARN of the role, which contains the account ID and the role name.

This parameter is optional. 

Review the following example:

role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
external_id

Enter a unique external ID to use when assuming the role; this mitigates the confused deputy problem.

This parameter is optional. 

Review the following example:

external_id: "external_id"
send_as_json

Enter true or false to enable or disable this feature. 

If you enter true, then Edge Delta will send logs without a defined JSON object wrapping. In other words, no metadata will be attached. 

The configured index should handle the mapping of the fields in the JSON log. 

This parameter is optional. 

Review the following example:

send_as_json: true
apm_server_url

This parameter only applies if you are using an elastic APM tracer.

  • Specifically, this parameter will enable forwarding to the Elastic APM server. 

This parameter is optional. 

Review the following example:

apm_server_url: http://localhost:8200
apm_token

This parameter only applies if you are using an elastic APM tracer.

  • Specifically, this parameter is the token used when forwarding to the Elastic APM server specified by apm_server_url. 
  • If you do not specify a token, then anonymous authentication will be used.  

This parameter is optional. 

Review the following example:

apm_token: test-token

edac_enrichment: edac_id_field

Enter the name of a field to add to the final JSON object; the value of that field will be the EDAC's ID. 

This parameter is optional. 

Review the following example:

edac_enrichment:
  edac_id_field: "edac_id"

edac_enrichment: metric_name_field

Enter the name of a field to add to the final JSON object; the value of that field will be the EDAC's metric name. 

This parameter is optional. 

Review the following example:

edac_enrichment:
  metric_name_field: "name"
custom_tags

This parameter defines key-value pairs that are streamed with every request.

This parameter is optional. 

Review the following example:

custom_tags:
  "app": "test"
  "region": "us-west-2"
  "File Path": "{{.FileGlobPath}}"
  "K8s PodName": "{{.K8sPodName}}"
  "K8s Namespace": "{{.K8sNamespace}}"
  "K8s ControllerKind": "{{.K8sControllerKind}}"
  "K8s ContainerName": "{{.K8sContainerName}}"
  "K8s ContainerImage": "{{.K8sContainerImage}}"
  "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
  "ECSCluster": "{{.ECSCluster}}"
  "ECSContainerName": "{{.ECSContainerName}}"
  "ECSTaskVersion": "{{.ECSTaskVersion}}"
  "ECSTaskFamily": "{{.ECSTaskFamily}}"
  "DockerContainerName": "{{.DockerContainerName}}"
  "ConfigID": "{{.ConfigID}}"
  "Host": "{{.Host}}"
  "Source": "{{.Source}}"
  "SourceType": "{{.SourceType}}"
  "Tag": "{{.Tag}}"
  "logical_source": '{{ index .CustomTags "logicalSource" }}'
  "url": '{{ index .ObservationTags "url" }}'
  "cluster": '{{ index .ObservationTags "cluster" }}'
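The custom_tags values above use Go text/template syntax ({{.Field}} and {{ index .Map "key" }}). The following added example, which is not the agent's code or part of this page, renders a subset of those tags against a constructed event so you can see what lands in the index: static values pass through unchanged, a missing observation tag renders as an empty string, and a template that references a field the event does not have fails at render time instead of silently producing an empty tag. The Event struct, its field set, and the RenderTags function are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Event is an assumed stand-in for the per-event context that custom_tags
// templates are rendered against. Field names follow the references used on
// this page; the agent's real type is not shown here.
type Event struct {
	FileGlobPath    string
	K8sPodName      string
	K8sNamespace    string
	Host            string
	Source          string
	Tag             string
	CustomTags      map[string]string
	ObservationTags map[string]string
}

// RenderTags executes each custom_tags value as a Go text/template against ev.
// Values without template actions pass through unchanged. A reference to a field
// that does not exist on Event returns an error instead of an empty tag, so a
// typo in a tag template is caught at configuration time rather than in the index.
func RenderTags(tags map[string]string, ev Event) (map[string]string, error) {
	out := make(map[string]string, len(tags))
	for name, src := range tags {
		t, err := template.New(name).Parse(src)
		if err != nil {
			return nil, fmt.Errorf("tag %q: %w", name, err)
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, ev); err != nil {
			return nil, fmt.Errorf("tag %q: %w", name, err)
		}
		out[name] = buf.String()
	}
	return out, nil
}

// PageTags is a subset of the custom_tags block shown on the page.
func PageTags() map[string]string {
	return map[string]string{
		"app":            "test",
		"File Path":      "{{.FileGlobPath}}",
		"K8s PodName":    "{{.K8sPodName}}",
		"K8s Namespace":  "{{.K8sNamespace}}",
		"Host":           "{{.Host}}",
		"logical_source": `{{ index .CustomTags "logicalSource" }}`,
		"url":            `{{ index .ObservationTags "url" }}`,
	}
}

// SampleEvent is a constructed event for this example; it is not captured data.
func SampleEvent() Event {
	return Event{
		FileGlobPath: "/var/log/app/*.log",
		K8sPodName:   "api-7d9f6",
		K8sNamespace: "payments",
		Host:         "node-1",
		Source:       "/var/log/app/api.log",
		Tag:          "prod",
		CustomTags:   map[string]string{"logicalSource": "payments-api"},
		// "url" is deliberately absent: index yields the zero value ("") for a missing key.
		ObservationTags: map[string]string{"cluster": "us-west-2a"},
	}
}

func main() {
	tags, err := RenderTags(PageTags(), SampleEvent())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, value := range tags {
		fmt.Printf("%s=%q\n", name, value)
	}
}
```

Because `index` returns an empty string for an absent key, a tag such as "url" can silently arrive empty in Elasticsearch; if a tag is required downstream (for example, for access filtering by cluster), check for empty values at the output rather than assuming the template guarantees them.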
features

This parameter defines which data types to stream to the destination.

If you do not provide a value, then all feature types will be streamed.

To learn more, review the Review Feature Types section in Stream Outputs and Integrations Overview.

This parameter is optional. 

Review the following example:

features: metric,cluster,context
buffer_ttl

Enter a length of time to retry failed streaming data.

After this length of time is reached, the failed streaming data will no longer be retried.

This parameter is optional. 

Review the following example: 

buffer_ttl: 2h
buffer_path

Enter a folder path to temporarily store failed streaming data.

The failed streaming data will be retried until the data reaches its destinations or until the Buffer TTL value is reached.

If you enter a path that does not exist, then the agent will create directories, as needed.

This parameter is optional.

Review the following example:

buffer_path: /var/log/edgedelta/pushbuffer/
buffer_max_bytesize

Enter the maximum size of failed streaming data that you want to retry.

If the failed streaming data is larger than this size, then the failed streaming data will not be retried.

This parameter is optional.

Review the following example:

buffer_max_bytesize: 100MB

Review Sample Configuration

The following sample configuration displays an output without the name of the organization-level integration:

    - name: elastic-cloud
      type: elastic
      index: "index name"
      cloud_id: "<ADD ELASTICSEARCH CLOUD_ID>"
      token: "<ADD ELASTICSEARCH TOKEN>"
      features: metric,cluster,context
    - name: elastic-local
      type: elastic
      index: "index name"
      user: elastic
      password: '{{ Env "TEST_ELASTIC_PWD" }}'
      address:
        - elasticnode1
    - name: elastic-send-as-is
      type: elastic
      index: "index name"
      user: elastic
      password: '{{ Env "TEST_ELASTIC_PWD" }}'
      address:
        - elasticnode1
      features: edac
      send_as_is: true
      edac_enrichment:
        edac_id_field: "edac_id" 
        metric_name_field: "name"
    - name: elastic-opensearch-with-rolearn
      type: elastic
      index: "index name"
      region: "us-west-2"
      role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
      external_id: "external_id"
      address:
        - opensearch_domain_endpoint
      custom_tags:
        "app": "test"  
        "region": "us-west-2"
        "File Path": "{{.FileGlobPath}}"
        "K8s PodName": "{{.K8sPodName}}"
        "K8s Namespace": "{{.K8sNamespace}}"
        "K8s ControllerKind": "{{.K8sControllerKind}}"
        "K8s ContainerName": "{{.K8sContainerName}}"
        "K8s ContainerImage": "{{.K8sContainerImage}}"
        "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
        "ECSCluster": "{{.ECSCluster}}"
        "ECSContainerName": "{{.ECSContainerName}}"
        "ECSTaskVersion": "{{.ECSTaskVersion}}"
        "ECSTaskFamily": "{{.ECSTaskFamily}}"
        "DockerContainerName": "{{.DockerContainerName}}"
        "ConfigID": "{{.ConfigID}}"
        "Host": "{{.Host}}"
        "Source": "{{.Source}}"
        "SourceType": "{{.SourceType}}"
        "Tag": "{{.Tag}}"
        "logical_source": '{{ index .CustomTags "logicalSource" }}'  
        "url": '{{ index .ObservationTags "url" }}' 
        "cluster": '{{ index .ObservationTags "cluster" }}' 
    - name: elastic-opensearch
      type: elastic
      index: "index name"
      region: "us-west-2"
      address:
        - opensearch_domain_endpoint
    - name: elastic-apm
      type: elastic
      index: "index name"
      user: elastic
      password: '{{ Env "TEST_ELASTIC_PWD" }}'
      address:
        - elasticnode1
      features: log
      apm_server_url: http://localhost:8200
      apm_token: test-token
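The parameter descriptions above carry several constraints that the YAML itself does not enforce: a Cloud ID or an Address is required, a token and a user/password pair cannot both be set, and the sample configuration still contains <PLACEHOLDER> values that must be replaced before deployment. The following added example, which is not Edge Delta's code and not part of this page, checks an output against those rules before it is rolled out. The ElasticOutput struct, the Validate function, and the policy that a password must come through the {{ Env "VAR" }} template rather than a literal are assumptions made for this example; the rule that a region-based (role_arn) output may carry no token or user/password is inferred from the page's elastic-opensearch sample.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// ElasticOutput mirrors the parameters documented on this page. It is an
// assumed struct written for this example, not the agent's own config type.
type ElasticOutput struct {
	Name       string
	Type       string
	Index      string
	CloudID    string
	Address    []string
	User       string
	Password   string
	Token      string
	Region     string
	RoleARN    string
	ExternalID string
	BufferTTL  string
}

// placeholderRe matches unreplaced sample values such as <ADD ELASTICSEARCH TOKEN>.
var placeholderRe = regexp.MustCompile(`<[A-Z_ ]+>`)

// envTemplateRe matches the {{ Env "VAR" }} form the page uses for the password.
var envTemplateRe = regexp.MustCompile(`\{\{\s*Env\s+"[^"]+"\s*\}\}`)

// Validate checks one output against the constraints stated on the page and
// returns human-readable issues; an empty slice means the output looks deployable.
func Validate(o ElasticOutput) []string {
	var issues []string
	if o.Name == "" {
		issues = append(issues, "name is required")
	}
	if o.Type != "elastic" {
		issues = append(issues, fmt.Sprintf("type must be \"elastic\", got %q", o.Type))
	}
	// Target: exactly one of cloud_id or address.
	switch {
	case o.CloudID == "" && len(o.Address) == 0:
		issues = append(issues, "either cloud_id or address must be set")
	case o.CloudID != "" && len(o.Address) > 0:
		issues = append(issues, "cloud_id and address are mutually exclusive")
	}
	// Authentication: a token or a user/password pair, never both. An output that
	// relies on region/role_arn (the page's OpenSearch samples) may carry neither.
	hasToken := o.Token != ""
	hasBasic := o.User != "" || o.Password != ""
	switch {
	case hasToken && hasBasic:
		issues = append(issues, "token and user/password cannot both be set")
	case hasBasic && (o.User == "" || o.Password == ""):
		issues = append(issues, "user and password must be set together")
	case !hasToken && !hasBasic && o.Region == "":
		issues = append(issues, "no authentication configured (token, user/password, or region)")
	}
	// Assumed policy, not a rule from the page: a literal password in the config
	// file is a secret at rest, so require the {{ Env "VAR" }} indirection.
	if o.Password != "" && !envTemplateRe.MatchString(o.Password) {
		issues = append(issues, "password should be supplied via {{ Env \"VAR\" }}, not as a literal")
	}
	// external_id only matters when a role is assumed (assumed check).
	if o.ExternalID != "" && o.RoleARN == "" {
		issues = append(issues, "external_id has no effect without role_arn")
	}
	if o.BufferTTL != "" {
		if _, err := time.ParseDuration(o.BufferTTL); err != nil {
			issues = append(issues, "buffer_ttl is not a valid duration: "+err.Error())
		}
	}
	// Placeholders copied from documentation samples must be replaced before deployment.
	for _, f := range []struct{ name, value string }{
		{"cloud_id", o.CloudID}, {"token", o.Token}, {"role_arn", o.RoleARN},
	} {
		if placeholderRe.MatchString(f.value) {
			issues = append(issues, f.name+" still contains a <PLACEHOLDER> value")
		}
	}
	return issues
}

func main() {
	// The page's elastic-cloud sample, with its placeholders left in place.
	sample := ElasticOutput{
		Name: "elastic-cloud", Type: "elastic", Index: "index name",
		CloudID: "<ADD ELASTICSEARCH CLOUD_ID>", Token: "<ADD ELASTICSEARCH TOKEN>",
	}
	for _, issue := range Validate(sample) {
		fmt.Println("elastic-cloud:", issue)
	}
}
```

Run against the page's elastic-cloud sample, the check reports the two unreplaced placeholders and nothing else; the elastic-local and elastic-opensearch samples pass cleanly. Wiring a check like this into the pipeline that ships the agent config catches a pasted-in literal password or a leftover placeholder before the agent tries to authenticate with it.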

Related Documentation

To learn how to set up an elastic index that works with the Edge Delta agent, see Configure an Elastic Index for the Agent.
