Monitor Your PHP / Java Apps with the Philipp Krenn @xeraa

Developer

Disclaimer I build highly monitored Hello World apps

Agenda Monitor Java (preconfigured) Some Security Monitor PHP (configure yourself)

Code https://github.com/xeraa/microservice-monitoring

Cloud

Workshop
SSH: ssh elastic-admin@workshop-<#>.xeraa.wtf elastic-admin / secret
Elasticsearch: http://localhost:9200 admin / secret
Kibana: http://workshop-<#>.xeraa.wtf:5601 admin / secret
Java Application: http://workshop-<#>.xeraa.wtf

Java Application

Simple No discovery, load-balancing,...

Monitor Java

Kibana Monitoring Overview of the Elastic Stack components

Metricbeat System [Metricbeat System] Overview and [Metricbeat System] Host overview dashboards See the memory spike every 5min

Time Series Visual Builder Sum of system.memory.actual.used.bytes Sum of system.process.memory.rss.bytes grouped by the term system.process.name and moved to the negative y-axis with a Math step

Packetbeat Call /, /good, /bad, and /foobar [Packetbeat] Overview, [Packetbeat] Flows, [Packetbeat] HTTP, and [Packetbeat] DNS Tunneling dashboards

Packetbeat Raw events in Discover Process enrichment for nginx, Java, and the APM server

Filebeat Modules [Filebeat Nginx] Access and error logs, [Filebeat System] Syslog dashboard, and [Osquery Result] Compliance pack dashboards

Filebeat Raw events in Discover /good: MDC logging under json.name and the context view for one log message meta.* and host.* information

Filebeat /bad and /null: Stacktraces by filtering down on application:java and json.severity:ERROR Visualize json.stack_hash

Heartbeat Heartbeat HTTP monitoring dashboard Stop and start the frontend application while auto refreshing

Metricbeat nginx [Metricbeat Nginx] Overview dashboard

Metricbeat HTTP /health and /metrics endpoints Collected information in Discover

Metricbeat JMX Same data Visualize the heap usage: jolokia.metrics.memory.heap_usage.used divided by the max of jolokia.metrics.memory.heap_usage.max

Annotations Add changes from the events index

Some Security

Filebeat Modules [Filebeat Auditd] Audit Events, [Filebeat System] New users and groups, and [Filebeat System] Sudo commands dashboards

https://github.com/linux-audit "auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."

Auditd Monitors File and network access System calls Commands run by a user Security events

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

Understanding Logs https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files

Auditbeat [Auditbeat Auditd] Overview dashboard

Fail SSH ssh elastic-user@xeraa.wtf with a bad password [Filebeat System] SSH login attempts dashboard

Success ssh elastic-user@xeraa.wtf with a good password Run service nginx restart and pick the elastic-admin user

Audit Event [Auditbeat Auditd] Executions dashboard filter elastic-user

Audit Event cat /etc/passwd Filter for tags is developers-passwdread in Discover

Power Abuse ssh elastic-admin@xeraa.wtf sudo cat /home/elastic-user/secret.txt Tag power-abuse in Discover
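
The audit demos above filter on the tags developers-passwdread and power-abuse. As an added example (not code from the talk or its repository), this sketch parses raw auditd records in the format the Red Hat guide describes and flags events carrying those tags, assuming they are the audit rule keys; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample records in the raw auditd log format; all values are illustrative.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1540000000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=2101 pid=2150 auid=1001 uid=1001 gid=1001 comm="cat" exe="/bin/cat" key="developers-passwdread"
type=CWD msg=audit(1540000000.101:501): cwd="/home/elastic-user"
type=PATH msg=audit(1540000000.101:501): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1540000050.202:502): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2260 auid=1000 uid=0 gid=0 comm="cat" exe="/bin/cat" key="power-abuse"
type=PATH msg=audit(1540000050.202:502): item=0 name="/home/elastic-user/secret.txt" inode=5678 mode=0100600 ouid=1001 ogid=1001
type=SYSCALL msg=audit(1540000090.303:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2301 auid=1000 uid=1000 gid=1000 comm="ls" exe="/bin/ls" key=(null)
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
WATCHED_KEYS = {"developers-passwdread", "power-abuse"}  # assumed to be rule keys

def parse_events(text):
    """Group records sharing one audit(timestamp:serial) id into a single event."""
    events = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype].update(fields)
    return events

def flag_events(events, keys=WATCHED_KEYS):
    """Return one finding per event whose SYSCALL record carries a watched rule key."""
    findings = []
    for serial, records in sorted(events.items()):
        sc = records.get("SYSCALL", {})
        if sc.get("key") not in keys:
            continue
        findings.append({
            "serial": serial, "key": sc["key"], "exe": sc.get("exe"),
            "auid": sc.get("auid"), "uid": sc.get("uid"),
            "path": records.get("PATH", {}).get("name"),
            # auid is the login identity; it survives sudo, uid does not
            "identity_changed": sc.get("auid") != sc.get("uid"),
        })
    return findings

if __name__ == "__main__":
    for finding in flag_events(parse_events(SAMPLE_LOG)):
        print(finding)
```

The auid/uid comparison is what separates the two demos: the sudo read keeps the admin's login id while running as uid 0.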

File Integrity Change something in /var/www/html/index.html [Auditbeat File Integrity] Overview dashboard

Monitor PHP

Heartbeat Add HTTP port 88

Packetbeat
Add HTTP on port 88
Add MySQL on port 3306
- type: mysql
  ports: [3306]
Add packetbeat.procs for MySQL

Metricbeat MySQL
- module: mysql
  metricsets: ["status"]
  hosts: ["tcp(127.0.0.1:3306)/"]
  username: <user>
  password: <password>

Metricbeat php-fpm
- module: php_fpm
  metricsets: ["pool"]
  period: 10s
  status_path: "/status"
  hosts: ["http://localhost"]

Filebeat Module MySQL

Filebeat Collect /var/www/html/silverstripe/logs/*.json

More

Alerting Gold License and part of the Elastic Cloud

Machine Learning Anomaly Detection of Time Series Data Platinum License and part of the Elastic Cloud

Conclusion

System metrics & network Filebeat modules & Auditbeat Application logs

Uptime Application metrics Request tracing

Code https://github.com/xeraa/microservice-monitoring

Meetup Tonight https://www.meetup.com/ElasticZagreb/events/255086636/

Questions? Philipp Krenn PS: Sticker @xeraa