Using Marvel with Shield

edit

Marvel consists of two components: a Marvel agent that you install on on each node in your cluster, and a Marvel application you install in Kibana. The Marvel agent collects and indexes metrics from Elasticsearch and you visualize the data through the Marvel dashboards in Kibana. The agent can index data on the same cluster, or send it to an external monitoring cluster.

To use Marvel with Shield enabled, you need to set up Kibana to work with Shield and create at least one user for the Marvel app. If you are using an external monitoring cluster, you also need to configure a user for the Marvel agent and configure the agent to use the appropriate credentials when communicating with the monitoring cluster.

Setting Up Marvel App Users

edit

When Shield is enabled, Kibana users are prompted to log in when they access the UI. To use the Marvel app, a user must have access to the Kibana indices and permission to read from the Marvel indices.

You set up Marvel app users on the cluster where the monitoring data is being stored. To grant all of the necessary privileges, assign the user the marvel_user role and the appropriate role you derived from the example my_kibana_user user role

  • If you’re using the default file realm, you can assign roles when you add a user, or modify the role assignments with the roles command. For example, the following command creates a user named jacknich and assigns the my_kibana_user and marvel_user roles:

    esusers useradd jacknich -r my_kibana_user,marvel_user -p password
  • If you are using an LDAP or Active Directory realm, you can either assign roles on a per user basis, or assign roles to groups of users. By default, role mappings are configured in config/shield/role_mapping.yml. For example, the following snippet assigns the user named Jack Nicholson to the my_kibana_user and marvel_user roles:

    my_kibana_user:
      - "cn=Jack Nicholson,dc=example,dc=com"
    marvel_user:
      - "cn=Jack Nicholson,dc=example,dc=com"

The marvel_user role is defined in the default roles.yml file. For more information about deriving Kibana user roles, see Using Kibana with Shield.

Configuring Marvel Agent to Communicate with a Shield-Enabled Monitoring Cluster

edit

To configure the Marvel agent to communicate with a secured monitoring cluster:

  1. Configure a user on the monitoring cluster who has the remote_marvel_agent role, which is defined in roles.yml. For example:

    esusers useradd agent-user -r remote_marvel_agent -p password

    Remote Marvel Agent Role.

    remote_marvel_agent:
      cluster: [ "manage_index_templates" ]
      indices:
        - names: '.marvel-es-*'
          privileges: [ "all" ]
  2. On each node in the cluster being monitored, configure a Marvel HTTP exporter in elasticsearch.yml and resart Elasticsearch. In the exporter configuration, you need to:

    1. Set the type to http.
    2. Specify the location of the monitoring cluster in the host setting.
    3. Provide the agent user credentials with the username and password settings.

    For example:

    marvel.agent.exporters:
      id1:
        type: http
        host: ["http://es-mon1:9200", "http://es-mon2:9200"]
        auth:
          username: agent-user
          password: password

    If SSL/TLS is enabled on the monitoring cluster:

    1. Specify the HTTPS protocol when setting the monitoring server host.
    2. Specify a truststore that contains the CA certificate to use to verify the identities of the nodes in the monitoring cluster. You need to set the truststore.path and truststore.password.

    For example:

    marvel.agent.exporters:
      id1:
        type: http
        host: ["https://es-mon1:9200", "https://es-mon2:9200"]
    
        auth:
          username: agent-user
          password: password
    
        ssl:
          truststore.path: /path/to/file
          truststore.password: password
      id2:
        type: local