Configuring Logstash/Kibana for Viewing Zebrium Incidents

In Logstash

Configuring Incident Input from Zebrium (in Logstash)

Incidents detected by Zebrium are sent to Logstash over a secured webhook endpoint and are indexed into a new ze_incident_webhook index in Elasticsearch.

  • An incident summary, with drill-down into the incident events stored in Elasticsearch, is available directly from the Zebrium ML-Detected Incidents canvas in Kibana.
  • The secure endpoint for the Zebrium outgoing webhook uses the Logstash HTTP Input Plugin with SSL and authentication enabled.
  • See the Logstash HTTP Input Plugin documentation for all the options for configuring your endpoint security as required by your company's security policy.
  • The example configuration below shows the endpoint configured with a private key and certificate for HTTPS. Your configuration may differ.
  • The configured port (31311 in the example below) must be reachable from the Internet (specifically by Zebrium) for inbound HTTPS POST requests. Because the port is exposed, keep both HTTPS and username/password authentication enabled, and restrict the allowed source addresses at your firewall if you can.
  1. Edit the appropriate Logstash pipeline configuration file to add the ZELK Stack webhook input, filter and output definitions shown below.
    input {
      http {
        port            => 31311
        # Basic authentication: Zebrium presents these credentials on every incident POST.
        # String values must be quoted. To keep the password out of the config file,
        # store it in the Logstash keystore and reference it as "${ZE_WEBHOOK_PASSWORD}".
        user            => "<USER_NAME>"
        password        => "<USER_PASSWORD>"
        ssl             => true
        # PEM certificate (plus any intermediates) presented to Zebrium.
        ssl_certificate => "/etc/logstash/conf.d/public.pem"
        # Private key in unencrypted PKCS#8 PEM format, which this plugin requires.
        ssl_key         => "/etc/logstash/conf.d/private.pem"
        # Tags the events so the filter and output below apply only to them.
        type            => "ze_incident_webhook"
      }
    }
    filter {
      if [type] == "ze_incident_webhook" {
        json {
          source => "message"
        }
        date {
          # The trailing 'Z' is quoted, so it is matched as a literal and no UTC
          # offset is read from the value; the timezone option below therefore
          # decides how the timestamp is interpreted. Set it to the zone the
          # timestamps are actually expressed in.
          match    => [ "ze_incident_epoch_ts", "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'" ]
          timezone => "America/Los_Angeles"
        }
      }
    }
    output {
      if [type] == "ze_incident_webhook" {
        elasticsearch {
          hosts => ["localhost:9200"]
          index => "ze_incident_webhook"
        }
      }
    }
    
  2. Note the USER_NAME and USER_PASSWORD. These will be used when "Configuring ZELK Stack in the Zebrium UI".
  3. Note the full URL, including the port, of your endpoint (e.g. https://zelk.mycompany.com:31311). This will be used when "Configuring ZELK Stack in the Zebrium UI".
  4. Note the name of the index (e.g. ze_incident_webhook). This will be used when "Installing the Zebrium Incident Canvas" in Kibana.
  5. Save your configuration file.
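Before the URL and credentials are handed to Zebrium, it is worth proving that the endpoint behaves as configured: that the key file is in the format the plugin accepts, that an unauthenticated POST is rejected, and that an authenticated POST is accepted over a certificate chain you trust. The script below does that; it is an added example, not part of the Zebrium documentation or the ZELK project. It assumes the endpoint https://zelk.mycompany.com:31311 from step 3, a CA bundle at /etc/logstash/conf.d/ca.pem (for a self-signed certificate, pass public.pem itself), and a constructed incident payload whose only field the Logstash filter above actually uses is ze_incident_epoch_ts; Zebrium's real payload carries more fields.

```shell
#!/bin/sh
# Added example (not Zebrium's code): pre-flight checks for the Logstash
# webhook endpoint. Hostname, CA path, credentials and the incident payload
# are assumptions; the key/cert paths match the Logstash config above.

# Logstash's http input requires ssl_key to be an unencrypted PKCS#8 PEM file
# ("-----BEGIN PRIVATE KEY-----"). A PKCS#1 key ("BEGIN RSA PRIVATE KEY") or an
# "EC PRIVATE KEY" file stops the pipeline from starting.
# Returns 0 for PKCS#8, 1 for another PEM key type, 2 if the file is unreadable.
ze_key_format_ok() {
  [ -r "$1" ] || return 2
  grep -q '^-----BEGIN PRIVATE KEY-----' "$1" && return 0
  return 1
}

# Convert a PKCS#1 or EC key into the unencrypted PKCS#8 form the plugin needs.
ze_convert_key_to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# The Authorization value Zebrium will send: "Basic " + base64("user:password").
# Handy for replaying a request by hand or recognising it in a packet capture.
ze_basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Constructed sample payload (not a real Zebrium incident). Only
# ze_incident_epoch_ts is referenced by the Logstash filter above.
ze_sample_incident() {
  printf '{"ze_incident_epoch_ts":"2023-03-01T17:42:10.123456Z","ze_incident_title":"constructed test incident"}'
}

# Smoke test: the endpoint must reject an unauthenticated POST (401) and accept
# an authenticated one (200). --cacert pins the CA that issued public.pem, so the
# test also proves the certificate chain is the one Zebrium will be shown.
ze_smoke_test() {
  url="$1" user="$2" pass="$3" cacert="$4"
  code=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$cacert" \
         -H 'Content-Type: application/json' -d '{}' "$url")
  [ "$code" = "401" ] || { echo "unauthenticated POST returned $code, expected 401" >&2; return 1; }
  code=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$cacert" -u "$user:$pass" \
         -H 'Content-Type: application/json' -d "$(ze_sample_incident)" "$url")
  [ "$code" = "200" ] || { echo "authenticated POST returned $code, expected 200" >&2; return 1; }
  echo "webhook OK; confirm the document landed in the index with:"
  echo "  curl -s 'http://localhost:9200/ze_incident_webhook/_search?q=ze_incident_title:constructed&pretty'"
}

# Run only when explicitly asked, so sourcing this file just defines the functions.
if [ "${ZE_RUN_SMOKE:-0}" = "1" ]; then
  ze_key_format_ok /etc/logstash/conf.d/private.pem || echo "private.pem is not PKCS#8; run ze_convert_key_to_pkcs8" >&2
  ze_smoke_test "https://zelk.mycompany.com:31311" "$ZE_USER" "$ZE_PASS" /etc/logstash/conf.d/ca.pem
fi
```

Run it on the Logstash host with ZE_RUN_SMOKE=1 ZE_USER=... ZE_PASS=... after reloading the configuration. If the unauthenticated request returns 200 rather than 401, the user/password settings did not take effect and the endpoint is accepting anonymous writes into your index; fix that before entering the URL in the Zebrium UI.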

Reload Logstash Configuration

Reload your Logstash configuration (see the Logstash documentation) to pick up all changes.

In Kibana

Installing the Zebrium ML-Detected Incident Canvas

  1. Download the Incident Canvas JSON file (zebrium_incident_canvas-workpad.json) from the Zebrium GitHub repository.
  2. Navigate to your Kibana Canvas main page.
  3. Click on Import workpad JSON file and select the downloaded file.
  4. Navigate to, and open the ZELK Stack Incident Dashboard.
  5. Click on the eye icon to show editing controls.
  6. Click on the center of the canvas to gain focus.
  7. Click on the Data tab under Selected Element to the right of the canvas.
  8. Edit the SQL SELECT statement and change FROM ze_incident_webhook to the name of the index you noted in "Configuring Incident Input from Zebrium" Step 4.
  9. Click Save
  10. Create an index pattern for the name of the index you noted in "Configuring Incident Input from Zebrium" Step 4 (this can only be done after Zebrium has detected its first incident).

In Zebrium

Configuring ZELK Stack in the Zebrium UI

NOTE: This step can only be done after data has been ingested.

  1. From the User menu area, select the Account Settings gear icon.
  2. Click the ZELK Stack tab.
  3. Click the Create ZELK Stack button.
  4. Enter the Logstash http(s) Webhook URL from "Configuring Incident Input from Zebrium" Step 3.
  5. Enter the Kibana URL of your Kibana instance (the one you used in "Installing the Zebrium Incident Canvas" Step 3). This URL is opened from your own browser, so it does not need to be reachable from the Internet.
  6. Enter the Elastic Index ID: the index name you noted in "Configuring Incident Input from Zebrium" Step 4 and used in "Installing the Zebrium Incident Canvas".
  7. Enter the Logstash Webhook Username from "Configuring Incident Input from Zebrium" Step 2.
  8. Enter the Logstash Webhook Password from "Configuring Incident Input from Zebrium" Step 2.
  9. Click Create to save your ZELK Stack integration.