Monitor docker logs of WSO2 Identity Server using ELK Stack (Elastic Stack)
Although the title names the WSO2 IS docker image, this guide is useful for monitoring any docker image; once you have worked through it, you will know what to change to do so. Let’s get to the good stuff now. This guide mainly targets an Ubuntu environment.
The main goal of this article is to guide you through:
- How to set up WSO2 IS docker image to publish events to docker log file.
- Configuring Filebeat to ship the docker logs to Logstash.
- Configuring Logstash to receive Filebeat output.
Before you begin,
- Install Docker: Guide here
- Install Elastic Stack (Logstash, Elasticsearch, Kibana): Guide here
- Install Filebeat: Guide here
How to set up WSO2 IS docker image to publish events to docker log file.
First, you need to pull the WSO2 IS docker image. If you are interested in exploring more about the WSO2 IS docker image, please visit here.
docker pull wso2/wso2is
Pulling the docker image may take around 2–5 minutes, depending on your internet connection. Once the pull command has completed, run the image and check for any problems. To run,
docker run -it -p 9443:9443 --name wso2is wso2/wso2is
After WSO2 IS has started successfully, visit “https://localhost:9443” to check that it is working. Since the pulled docker image does not contain the configurations required to publish the event data, we have to add them manually for testing purposes. Create a file named “deployment.toml” and copy the following content into it.
[server]
hostname = "localhost"
node_ip = "127.0.0.1"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"

[super_admin]
username = "admin"
password = "admin"
create_admin_account = true

[user_store]
type = "read_write_ldap"
connection_url = "ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
base_dn = "dc=wso2,dc=org" #refers the base dn on which the user and group search bases will be generated

[database.identity_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "wso2carbon"
password = "wso2carbon"

[database.shared_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "wso2carbon"
password = "wso2carbon"

[keystore.primary]
name = "wso2carbon.jks"
password = "wso2carbon"

[[event_listener]]
id = "authn_data_publisher_proxy"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler"
name = "org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy"
order = 11

[identity_mgt.analytics_login_data_publisher]
enable=true

[identity_mgt.analytics_session_data_publisher]
enable=true
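The last three sections ([[event_listener]], [identity_mgt.analytics_login_data_publisher] and [identity_mgt.analytics_session_data_publisher]) are the newly added configs that enable event publishing from WSO2 IS. These lines will not be there in the pulled docker image. Now we need to copy this file into the container created from the image we just pulled. Use the following command to do that,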
sudo docker cp <pathToCreatedFile>/deployment.toml wso2is:/wso2is-5.10.0/repository/conf
For testing purposes, we will enable the Authentication event publisher, following the same steps as before. Create a file named “IsAnalytics-Publisher-wso2event-AuthenticationData.xml” and put the following content in it,
<?xml version="1.0" encoding="UTF-8"?>
<eventPublisher
    name="IsAnalytics-Publisher-wso2event-AuthenticationData"
    statistics="disable" trace="disable" xmlns="http://wso2.org/carbon/eventpublisher">
  <from streamName="org.wso2.is.analytics.stream.OverallAuthentication" version="1.0.0"/>
  <mapping customMapping="disable" type="json"/>
  <to eventAdapterType="logger">
    <property name="uniqueId">log_id</property>
  </to>
</eventPublisher>
Now copy this file to the pulled docker image. This will replace the current file inside.
sudo docker cp <pathToCreatedFile>/IsAnalytics-Publisher-wso2event-AuthenticationData.xml wso2is:/wso2is-5.10.0/repository/deployment/server/eventpublishers
So far, we have configured WSO2 IS to publish Authentication events to the docker log file. If you restart WSO2 IS via Docker and log in to the user portal “https://localhost:9443/user-portal” using the default admin login, you will see a log output in the docker log file. You can access the file at,
/var/lib/docker/containers/<container_id>/<container_id>-json.log
The file must contain all the logs from WSO2 IS.
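To confirm that the publisher is writing events before wiring up Filebeat, the log file can be read directly. The following is an added example, not from the original article: it parses docker's json-file entries (one JSON object per line with "log", "stream" and "time" keys) and pulls out the JSON event that follows the log_id unique ID. The "Unique ID: ..., Event: ..." line layout and the payload field names in the sample are assumptions.

```python
import json

MARKER = "log_id"  # uniqueId configured in the event publisher XML

def extract_events(lines, marker=MARKER):
    """Return the JSON events the logger adapter wrote into a docker json-file log."""
    entries = []
    for raw in lines:
        try:
            entry = json.loads(raw)  # docker wrapper: {"log": ..., "stream": ..., "time": ...}
        except json.JSONDecodeError:
            continue  # blank, truncated or half-written line
        if isinstance(entry, dict) and isinstance(entry.get("log"), str):
            entries.append(entry)

    decoder = json.JSONDecoder()
    events = []
    for i, entry in enumerate(entries):
        if marker not in entry["log"]:
            continue
        # Docker stores each output line as its own entry, so also look at the next one.
        nxt = entries[i + 1]["log"] if i + 1 < len(entries) else ""
        text = entry["log"] + nxt
        start = text.find("{", text.find(marker))
        while start != -1:  # try each "{" until one decodes to a JSON object
            try:
                payload = decoder.raw_decode(text, start)[0]
            except json.JSONDecodeError:
                payload = None
            if isinstance(payload, dict):
                events.append({"time": entry.get("time"), "event": payload})
                break
            start = text.find("{", start + 1)
    return events

def _entry(text, ts):
    return json.dumps({"log": text, "stream": "stdout", "time": ts})

# Constructed sample, not real WSO2 IS output; payload field names are assumptions.
SAMPLE = [
    _entry("INFO - server started\n", "2020-05-01T10:15:00Z"),
    _entry("INFO - Unique ID: log_id,\n", "2020-05-01T10:16:01Z"),
    _entry(' Event: {"event": {"payloadData": {"username": "admin", "authenticationSuccess": true}}}\n', "2020-05-01T10:16:01Z"),
    _entry('INFO - Unique ID: log_id, Event: {"event": {"payloadData": {"username": "alice", "authenticationSuccess": false}}}\n', "2020-05-01T10:17:30Z"),
    '{"log":"INFO - Unique ID: log_i',  # truncated line, skipped by the parser
]

if __name__ == "__main__":
    for ev in extract_events(SAMPLE):
        print(ev["time"], json.dumps(ev["event"]))
```

For a real container, pass the open log file instead of SAMPLE, for example extract_events(open(path)); reading files under /var/lib/docker requires root.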
Configuring Filebeat to ship the docker logs to Logstash.
Now we need to configure Filebeat to read the docker log file and ship it to our local Logstash instance. To do that, we need to edit the Filebeat config file, which is located at,
/etc/filebeat/filebeat.yml
It contains the default Filebeat configuration. First we have to change the input. In this YML file, there is a section named “filebeat.inputs”. Make sure the following configurations are there.
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/lib/docker/containers/*/*.log
Check that these lines are there. There is no need to remove the other default configurations since they will not affect us. Pay extra attention to the indentation, because the YML format depends on it; otherwise there will be errors even though the configs are correct.
Next, we need to focus on the output. For that, we have to change the “output.logstash” part of the YML file. Make sure the following lines are there.
output.logstash:
  hosts: ["localhost:5044"]
In YML, a leading “#” mark means that the line is commented out. Most probably the “output.logstash” line will be commented out in the default configuration. Enable it by removing the leading “#” sign. Also comment out the “output.elasticsearch” option, since we are using the full ELK stack, which means we are shipping from Logstash to Elasticsearch rather than publishing directly from Filebeat to Elasticsearch.
Now run the Filebeat service by executing the following command.
sudo service filebeat start
Check the status of the service to make sure that all the configs are correct and working fine.
sudo service filebeat status
If the “Active: failed” indication is there, then you must recheck the config file for mistakes. Otherwise you are good to go.
Configuring Logstash to receive Filebeat output.
For testing purposes, Logstash will read the input from Filebeat and print it to stdout. The following config file will do that for us,
input {
  beats {
    port => 5044
  }
}

output {
  stdout {}
}
Save this as “<anyName>.conf” and then head down to the Logstash installation folder and execute the following command to run Logstash with this config,
sudo bin/logstash -f <pathToConfFile>/<confFileName>.conf
Now you can try logging in to the user portal and check the Logstash stdout output.
Now you can add some filters to Logstash and Filebeat to get only the WSO2 IS related data, as well as to keep only the EventPublisher data. I will cover that part in a future article. Until then, happy coding :)