Configuration and Discovery


This section describes how to configure AWS component devices in ELK stacks for monitoring by SL1 using the "ELK: AWS CloudTrail" PowerPack.

Prerequisites for Monitoring AWS ELK Stacks

To configure SL1 to monitor AWS component devices in ELK stacks using the "ELK: AWS CloudTrail" PowerPack, you must first:

  • Install the "Amazon Web Services" PowerPack.
  • Create a virtual device in SL1 to represent your AWS service.
  • Discover AWS component devices by manually aligning the "AWS Account Discovery" Dynamic Application to the virtual device.
  • Ensure that your AWS CloudTrail bucket is properly configured for all read/write events.

For more information about the "Amazon Web Services" PowerPack, including how to install the PowerPack and discover AWS devices, see the section on Monitoring Amazon Web Services.
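The last prerequisite above is easy to get wrong: a trail whose event selectors record only write events will look healthy in the AWS console but will never deliver the read-side API activity that the PowerPack's Dynamic Applications expect. The following script is an added example, not part of the SL1 documentation or the PowerPack. It interprets "configured for all read/write events" as a property of the trail's event selectors (the CloudTrail GetEventSelectors API, called through boto3) and flags any basic selector whose ReadWriteType is not "All" or whose management events are excluded, and any advanced selector that carries a readOnly filter. The trail name, region and the three sample responses are constructed for illustration.

```python
"""Check that a CloudTrail trail records both read and write management events.

Added example, not part of the SL1 documentation or the PowerPack. The trail
name, region and sample responses below are constructed for illustration.
"""
from typing import Any, Dict, List

# Constructed sample responses in the shape the GetEventSelectors API returns.
SAMPLE_WRITE_ONLY: Dict[str, Any] = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []},
    ],
}

SAMPLE_ALL: Dict[str, Any] = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []},
    ],
}

# Advanced event selectors express the same restriction as a "readOnly" field filter.
SAMPLE_ADVANCED_READ_ONLY: Dict[str, Any] = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "AdvancedEventSelectors": [
        {
            "Name": "Management read events only",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
                {"Field": "readOnly", "Equals": ["true"]},
            ],
        },
    ],
}


def selector_problems(response: Dict[str, Any]) -> List[str]:
    """Return the reasons this trail would not feed the PowerPack fully.

    An empty list means every selector records management events of both the
    read and the write type.
    """
    problems: List[str] = []
    basic = response.get("EventSelectors") or []
    advanced = response.get("AdvancedEventSelectors") or []
    if not basic and not advanced:
        return ["trail has no event selectors; no events are recorded"]

    for i, sel in enumerate(basic):
        rw = sel.get("ReadWriteType", "All")
        if rw != "All":
            problems.append(f"selector {i}: ReadWriteType is {rw}, expected All")
        if not sel.get("IncludeManagementEvents", True):
            problems.append(f"selector {i}: management events are not included")

    for sel in advanced:
        name = sel.get("Name", "<unnamed>")
        fields = {f.get("Field"): f for f in sel.get("FieldSelectors", [])}
        if "readOnly" in fields:
            # A readOnly filter limits the selector to reads only or writes only.
            wanted = fields["readOnly"].get("Equals")
            problems.append(
                f"advanced selector {name!r}: readOnly filter {wanted} drops one event class"
            )
        categories = fields.get("eventCategory", {}).get("Equals", [])
        if categories and "Management" not in categories:
            problems.append(f"advanced selector {name!r}: does not record management events")
    return problems


def check_trail(trail_name: str, region: str = "us-east-1") -> List[str]:
    """Live check against AWS: fetch the trail's selectors with boto3 and evaluate them."""
    import boto3  # imported here so the offline check above runs without boto3 installed

    client = boto3.client("cloudtrail", region_name=region)
    return selector_problems(client.get_event_selectors(TrailName=trail_name))


if __name__ == "__main__":
    samples = (
        ("write-only", SAMPLE_WRITE_ONLY),
        ("all", SAMPLE_ALL),
        ("advanced read-only", SAMPLE_ADVANCED_READ_ONLY),
    )
    for label, resp in samples:
        print(f"{label}: {selector_problems(resp) or 'OK'}")
```

Run `check_trail("<your-trail-name>")` with AWS credentials that allow `cloudtrail:GetEventSelectors`; an empty result means the trail records both read and write management events, which is what the PowerPack's "ELK: AWS CloudTrail" Dynamic Application needs to see in the ELK stack.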

Creating a Basic/Snippet Credential

To configure SL1 to monitor an ELK: AWS CloudTrail system, you must first create a Basic/Snippet credential. This credential allows the Dynamic Applications in the "ELK: AWS CloudTrail" PowerPack to communicate with your ELK: AWS CloudTrail system.

The PowerPack includes an example Basic/Snippet credential that you can edit and save for your own use.

To create a Basic/Snippet credential:

  1. Go to the Credentials page (Manage > Credentials).
  2. Locate the "ELK: AWS Example" credential, then click its Actions icon and select Duplicate from the drop-down field. The "ELK: AWS Example copy" credential appears.
  3. Click the Actions icon for the "ELK: AWS Example copy" credential, then select Edit. The Edit Credential page appears.

  [Figure: Edit the ELK: AWS CloudTrail Basic/Snippet credential]

  4. Enter values in the following fields:
  • Name. Enter a new name for the credential. This field is required.
  • All Organizations. Toggle on (blue) to align the credential to all organizations, or toggle off (gray) and then select one or more specific organizations from the Select the organizations the credential belongs to drop-down field to align the credential with those specific organizations.
  • Timeout. Enter the time, in milliseconds, after which SL1 will stop trying to communicate with the ELK: AWS CloudTrail device. The default value is 5000. This field is required.
  • Hostname/IP. Keep the default IP address. The default is 10.2.8.205.
  • Port. Keep the default. The default value is "9200".
  • Username. Enter the username associated with the ELK: AWS CloudTrail administrator account.
  • Password. Enter the password associated with the ELK: AWS CloudTrail administrator account.
  5. Click Save & Close.

Creating a Basic/Snippet Credential in the SL1 Classic User Interface

To use the Dynamic Applications in the "ELK: AWS CloudTrail" PowerPack, you must first define a credential in SL1. This credential enables the Dynamic Applications in the "ELK: AWS CloudTrail" PowerPack to monitor your AWS component devices in ELK stacks. The PowerPack includes a sample Basic/Snippet credential (ELK: AWS Example) that you can use as a template.

To define an AWS ELK credential:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Click the wrench icon for the ELK: AWS Example credential. The Credential Editor modal page appears.
  3. Enter values in the following fields:
  • Credential Name. Type a new name for your AWS ELK credential.
  • Hostname/IP. Type the IP address or hostname for the Logstash server that collects data for the AWS components in your ELK stack.
  • Port. Type "9200".

Use the default values for the remaining fields.

The Basic/Snippet credential requires values in the Username and Password fields, but the values themselves do not matter.

  4. Click the Save As button, and then click OK.

Discovering the AWS ELK Devices

To monitor your ELK: AWS CloudTrail system, you must run a discovery session to discover the server on which ELK: AWS CloudTrail is installed.

To create and run a discovery session that will discover an ELK: AWS CloudTrail appliance:

  1. Go to the Devices page or the Discovery Sessions page (Devices > Discovery Sessions) and click the Add Devices button.
  2. Click the Unguided Network Discovery Workflow button. Additional information about the requirements for discovery appears in the General Information pane to the right.

  [Figure: Unguided Network Discovery Workflow]

  3. Click Select. The three-step wizard appears, starting with the Step 1 Basic Information tab.
  4. Complete the following fields:
  • Discovery Session Name. Type a unique name for this discovery session. This name is displayed in the list of discovery sessions on the Discovery Sessions tab.
  • Description. Optional. Type a short description of the discovery session. You can use the text in this description to search for the discovery session on the Discovery Sessions tab.
  • Select the organization to add discovered devices to. Select the name of the organization to which you want to add the discovered devices.
  5. Click Next. The Step 2 Credential Selection tab of the wizard appears.
  6. On the Credential Selection tab, locate and select the Basic/Snippet credential you created for ELK: AWS CloudTrail appliances.
  7. Click Next. The Step 3 Discovery Session Details tab of the wizard appears.
  8. Complete the following fields:
  • List of IP/Hostnames. Type the IP address for the ELK: AWS CloudTrail appliance.
  • Which collector will discover these devices? Required. Select an existing collector to monitor the discovered devices.
  • Run after save. Toggle on (blue) to run this discovery session as soon as you save the session.
  • Advanced options. Click the down arrow to complete the following fields:
    • Discover Non-SNMP. Toggle on (blue) to enable this setting.
    • Model Devices. Toggle on (blue) to enable this setting.
    • Select Device Template. If you configured an ELK: AWS CloudTrail device template, select it here. Otherwise, leave the default selection.
  9. If you enabled the Run after save option, click the Save and Run button. The discovery session will run and the Discovery Logs page will display any relevant log messages. If the discovery session locates and adds any devices, the Discovery Logs page will include a link to the Device Investigator page for the discovered device.
  10. If you did not enable the Run after save option, click the Save and Close button. The Discovery Sessions page (Devices > Discovery Sessions) will display the new discovery session.

Aligning the AWS ELK Dynamic Applications in the SL1 Classic User Interface

To monitor your AWS component devices in ELK stacks, you must manually align the "ELK: AWS Alignment" Dynamic Application with the AWS virtual device. When you do so, the remaining Dynamic Applications from the "ELK: AWS CloudTrail" PowerPack automatically align to the appropriate AWS component devices.

To manually align the "ELK: AWS Alignment" Dynamic Application to your virtual device:

  1. Go to the Device Manager page (Devices > Classic Devices, or Registry > Devices > Device Manager in the classic SL1 user interface).
  2. Locate your AWS virtual device and click its wrench icon.
  3. In the Device Administration panel, click the Collections tab. The Dynamic Application Collections page appears.
  4. Click the Actions button, and then select Add Dynamic Application from the menu.
  5. In the Dynamic Application Alignment modal page, select ELK: AWS Alignment in the Dynamic Applications field.
  6. In the Credentials field, select the credential you created for your AWS ELK components.
  7. Click Save.

By default, the "ELK: AWS Alignment" Dynamic Application begins collecting data after 60 minutes. If you want to begin collecting data immediately, click the lightning bolt icon for the "ELK: AWS Alignment" Dynamic Application on the Dynamic Application Collections page.

When you align the "ELK: AWS Alignment" Dynamic Application to the AWS root device, SL1 then aligns the following Dynamic Applications from the "ELK: AWS CloudTrail" PowerPack to the appropriate component devices:

  • ELK: AWS CloudTrail
  • ELK: AWS CloudTrail EC2 Stats

To view the data collected by the "ELK: AWS CloudTrail" Dynamic Application, navigate to the Journal View page (Devices > Classic Devices > graph icon > Journals, or Registry > Devices > Device Manager > graph icon > Journals in the classic SL1 user interface) and click ELK: AWS CloudTrail on the left menu.

To view the data collected by the "ELK: AWS CloudTrail EC2 Stats" Dynamic Application, navigate to the Device Performance page (Devices > Classic Devices > bar-graph icon > Performance, or Registry > Devices > Device Manager > bar-graph icon > Performance in the classic SL1 user interface) and click ELK: AWS CloudTrail on the left menu.