Monitor Your PHP/Java Applications with the Elastic Stack (Workshop)

A presentation at Webcamp Zagreb in October 2018 in Zagreb, Croatia by Philipp Krenn

Slide 1
Monitor Your PHP / Java Apps with the Elastic Stack
Philipp Krenn @xeraa

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12
Developer

Slide 13
Disclaimer: I build highly monitored Hello World apps

Slide 14
Agenda
Monitor Java (preconfigured)
Some Security
Monitor PHP (configure yourself)

Slide 15
Code: https://github.com/xeraa/microservice-monitoring

Slide 16
Cloud

Slide 17

Slide 18

Slide 19

Slide 20
Workshop
SSH: ssh elastic-admin@workshop-<#>.xeraa.wtf (elastic-admin / secret)
Elasticsearch: http://localhost:9200 (admin / secret)
Kibana: http://workshop-<#>.xeraa.wtf:5601 (admin / secret)
Java Application: http://workshop-<#>.xeraa.wtf

Slide 21
Java Application

Slide 22
Simple: no discovery, load balancing, ...

Slide 23

Slide 24
Monitor Java

Slide 25
Kibana Monitoring: overview of the Elastic Stack components

Slide 26
Metricbeat System
[Metricbeat System] Overview and [Metricbeat System] Host overview dashboards
See the memory spike every 5min

Slide 27
Time Series Visual Builder
Sum of system.memory.actual.used.bytes
Sum of system.process.memory.rss.bytes, grouped by the term system.process.name and moved to the negative y-axis with a Math step

Slide 28

Slide 29
Packetbeat
Call /, /good, /bad, and /foobar
[Packetbeat] Overview, [Packetbeat] Flows, [Packetbeat] HTTP, and [Packetbeat] DNS Tunneling dashboards

Slide 30
Packetbeat
Raw events in Discover
Process enrichment for nginx, Java, and the APM server

Slide 31
Filebeat Modules
[Filebeat Nginx] Access and error logs, [Filebeat System] Syslog dashboard, and [Osquery Result] Compliance pack dashboards

Slide 32
Filebeat
Raw events in Discover
/good: MDC logging under json.name and the context view for one log message
meta.* and host.* information

Slide 33
Filebeat
/bad and /null: stacktraces, by filtering down on application:java and json.severity:ERROR
Visualize json.stack_hash

Slide 34

Slide 35
Heartbeat
Heartbeat HTTP monitoring dashboard
Stop and start the frontend application while auto-refreshing

Slide 36
Metricbeat nginx
[Metricbeat Nginx] Overview dashboard

Slide 37
Metricbeat HTTP
/health and /metrics endpoints
Collected information in Discover

Slide 38
Metricbeat JMX
Same data
Visualize the heap usage: jolokia.metrics.memory.heap_usage.used divided by the max of jolokia.metrics.memory.heap_usage.max

Slide 39
Annotations
Add changes from the events index

Slide 40

Slide 41

Slide 42
Some Security

Slide 43
Filebeat Modules
[Filebeat Auditd] Audit Events, [Filebeat System] New users and groups, and [Filebeat System] Sudo commands dashboards

Slide 44
https://github.com/linux-audit
"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."

Slide 45
Auditd Monitors
File and network access
System calls
Commands run by a user
Security events

Slide 46
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing

Slide 47
Understanding Logs
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files

Slide 48
Auditbeat
[Auditbeat Auditd] Overview dashboard

Slide 49
Failed SSH
ssh elastic-user@xeraa.wtf with a bad password
[Filebeat System] SSH login attempts dashboard

Slide 50
Success
ssh elastic-user@xeraa.wtf with a good password
Run service nginx restart and pick the elastic-admin user

Slide 51
Audit Event
[Auditbeat Auditd] Executions dashboard, filtered on elastic-user

Slide 52
Audit Event
cat /etc/passwd
Filter for tags is developers-passwdread in Discover

Slide 53
Power Abuse
ssh elastic-admin@xeraa.wtf
sudo cat /home/elastic-user/secret.txt
Tag power-abuse in Discover

Slide 54
File Integrity
Change something in /var/www/html/index.html
[Auditbeat File Integrity] Overview dashboard
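The developers-passwdread and power-abuse tags filtered on in slides 52 and 53, and the file-integrity dashboard on slide 54, are driven by Auditbeat configuration. As an added example that is not taken from the workshop repository, this is one way to write that auditbeat.yml: the rule key (-k) of a matching audit rule is what shows up in the event's tags field, and the uid ranges, syscall list and watched directory below are assumptions about the workshop hosts.

```yaml
# Added example auditbeat.yml (assumed layout, not the workshop's own file).
auditbeat.modules:
- module: auditd
  # Resolve uids/gids to names so Discover shows elastic-user, not 1001.
  resolve_ids: true
  # Rules in auditctl syntax; each -k key becomes an entry in "tags".
  # Only the 64-bit syscall ABI is covered here; add matching arch=b32
  # rules on hosts that run 32-bit binaries.
  audit_rules: |
    ## Slide 52: any interactive user (auid >= 1000, i.e. a real login,
    ## not a daemon) opening /etc/passwd. The key becomes tags:
    ## developers-passwdread, which the Discover filter matches.
    -a always,exit -F arch=b64 -S open,openat -F path=/etc/passwd -F auid>=1000 -F auid!=4294967295 -k developers-passwdread

    ## Slide 53: a process running as root (euid=0) whose login user is a
    ## regular account (auid >= 1000) reads inside another user's home.
    ## "sudo cat /home/elastic-user/secret.txt" by elastic-admin matches,
    ## because sudo keeps the original auid while setting euid to 0.
    -a always,exit -F arch=b64 -S open,openat -F dir=/home/elastic-user -F euid=0 -F auid>=1000 -F auid!=4294967295 -k power-abuse

- module: file_integrity
  # Slide 54: hash and watch the web root; an edit to index.html
  # produces an "updated" event on the File Integrity Overview dashboard.
  paths:
  - /var/www/html
  hash_types: [sha256]
  recursive: true
```

The events carry the login user in auditd.summary.actor.primary (resolved from auid) and the effective user in auditd.summary.actor.secondary, which is what makes the sudo case visible as a separate actor pair rather than plain root activity.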

Slide 55
Monitor PHP

Slide 56
Heartbeat
Add HTTP port 88

Slide 57
Packetbeat
Add HTTP on port 88
Add MySQL on port 3306:
  - type: mysql
    ports: [3306]
Add packetbeat.procs for MySQL

Slide 58
Metricbeat MySQL
  - module: mysql
    metricsets: ["status"]
    hosts: ["tcp(127.0.0.1:3306)/"]
    username: <user>
    password: <password>

Slide 59
Metricbeat php-fpm
  - module: php_fpm
    metricsets: ["pool"]
    period: 10s
    status_path: "/status"
    hosts: ["http://localhost"]

Slide 60
Filebeat Module MySQL

Slide 61
Filebeat
Collect /var/www/html/silverstripe/logs/*.json
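The PHP part of the workshop (slides 56 to 61) leaves the Filebeat side to the attendee. As an added example that is not the workshop's own configuration, this is a Filebeat input for the SilverStripe JSON logs that keeps the decoded fields under json.* (the same convention the Java slides use for json.name, json.severity and json.stack_hash) and adds a top-level application field so the PHP logs can be filtered the way application:java is on slide 33; the application value and the fields_under_root choice are assumptions.

```yaml
# Added example filebeat.yml fragment (assumed, not the workshop's file).
filebeat.inputs:
- type: log
  paths:
    - /var/www/html/silverstripe/logs/*.json
  # One JSON document per line; keep the decoded object under "json.*"
  # rather than merging it into the top level, matching the Java logs.
  json.keys_under_root: false
  # A line that fails to parse gets an error.message instead of being
  # dropped silently, so broken log output itself becomes visible.
  json.add_error_key: true
  # Top-level field used for the Discover filter application:php,
  # the PHP counterpart of application:java on the Java slides.
  fields:
    application: php
  fields_under_root: true
```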

Slide 62
More

Slide 63
Alerting
Gold License and part of the Elastic Cloud

Slide 64

Slide 65
Machine Learning
Anomaly Detection of Time Series Data
Platinum License and part of the Elastic Cloud

Slide 66

Slide 67
Conclusion

Slide 68

Slide 69
System metrics & network
Filebeat modules & Auditbeat
Application logs

Slide 70
Uptime
Application metrics
Request tracing

Slide 71
Code: https://github.com/xeraa/microservice-monitoring

Slide 72
Meetup Tonight: https://www.meetup.com/ElasticZagreb/events/255086636/

Slide 73
Questions?
Philipp Krenn @xeraa
PS: Sticker