24. 10. 2024 Reinhold Trocker Log Management, Log-SIEM

Categories of documents – create more namespaces within an agent’s environment

In the ever-evolving landscape of IT monitoring and management, the ability to efficiently handle multi-dimensional namespaces is crucial. Within NetEye, Log-SIEM (Elastic), provides a comprehensive solution for managing the single namespace dimension with the namespace of a data_stream. This blog post deals with multi-dimensional namespaces and how NetEye’s Log-SIEM solution simplifies their management.

Understanding Multidimensional Namespaces

A namespace in IT is a container that holds a set of identifiers, ensuring that all names within it are unique. When we talk about multi-dimensional namespaces, we refer to namespaces that span multiple dimensions, such as time, location, and context. These are particularly common in large-scale IT environments where resources and services are distributed across various regions and time zones.

Potential challenges in managing multidimensional namespaces

  1. Complexity: Managing namespaces across multiple dimensions can be complex
  2. Scalability: As the number of dimensions increases, the scalability of the namespace management system becomes a critical concern
  3. Consistency: Ensuring consistency across different dimensions and avoiding conflicts is a significant challenge

An example two-dimensional Namespace

Let’s assume that within the collected logs in your SIEM system, you classify the servers (document sources) into the following two dimensions:

  • Customer/tenant (customer A, customer B, customer C)
  • Environment (development, test, production)

We are used to create Elastic Agent Policies using its namespace functionality either:

  • For each customer/tenant
  • For each environment

Three simple solutions

Solution 1: A naming convention approach to two-dimensional namespaces

Continuing with the example above, we assume there are only 3 different tenants and 3 environments. You could use the namespace functionality of Elastic to map the two dimensions by just combining two strings as in the following table:

Elastic namespace
(data_set.namespace)		DevelopmentTestProduction
customerAcustomer_a.devcustomer_a.testcustomer_a.prod
customerBcustomer_b.devcustomer_b.testcustomer_b.prod
customerCcustomer_c.devcustomer_c.testcustomer_c.prod
naming convention approach

Here you can see that there are 3×3=9 namespaces, and correspondingly 9 Elastic Agent Policies that you’ll have to create and maintain.

Pros:

  • For access rights (authorization), you can continue to assign indices to different user groups (i.e., the tenant customerA would get access to all logs-*-customer_a.*)

Cons:

  • You can imagine that with growing numbers (let’s say you acquire 10 more customers), this will quickly grow and lead to a scalability problem doing manual policy management.
  • Imagine that the dev and test environments in the above example produce only a very limited number of logs. In that case two thirds of indices in our Elastic infrastructure would be nearly empty, even though Elastic resources are bounded.

Solution 2: Multidimensional namespaces with environment variables

In the example above, the two categories/dimensions can be seen as two properties of a SIEM document. Setting one field per (additional) category in the SIEM document is the easiest way to save this information.

The question is: how can we manage the additional category information without diminishing the Elastic namespace functionality.

In our example you’d probably use the Elastic namespace functionality for the customer/tenant information like this:

Elastic namespace
(data_set.namespace)		Any environment
customerAcustomerA
customerBcustomerB
customerCcustomerC

The missing environment information then has to be “injected” in some other way.

Curious how this works? Please see the next paragraph 😉

Solution 3: Practical implementation

The missing environment information can be “injected” using environment variables on the operating system (server) which is running an Elastic Agent instance. Such servers usually only reside in one environment, in other words: a server is either a development server or a test server or a production server.

The following explains how to set the environment variable EA_ENVIRONMENT and how to add this field to incoming documents, using the Elastic 8.15+ feature add-custom-fields to set document field service.environment to the content of EA_ENVIRONMENT variable.

Set Windows environment variable on Elastic Agent of log source

Follow these steps to change the environment variable on each computer of the log source (on which Elastic Agent is running) on which you want to set the specific environment variable:

Store the new categories information you want to set, into a new multi string value named “Environment” within registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Elastic Agent.

Add Linux environment variable on Elastic Agent of log source

Usually a tgz-deployed Elastic Agent in a Linux OS reads its environment variables from /etc/sysconfig/elastic-agent. You can use the following script to add an entry in that file:

if [ -d /etc/sysconfig ]; then echo  EA_ENVIRONMENT=test >> /etc/sysconfig/elastic-agent; else mkdir /etc/sysconfig; echo  EA_ENVIRONMENT=test >> /etc/sysconfig/elastic-agent;fi

Configure the Elastic Agent policy

For every (one-dimensional) Elastic Agent policy and every new category information which you previously stored at the agent side, use the feature add-custom-fields to set the additional fields with the stored content:

  1. Choose your Elastic Agent policy
  2. Go to the Settings tab
  3. Click on the “Add another field” button
  4. Add the field name you want to find in your document
  5. Add the desired (previously set) environment variable
    (in this example ${env.EA_ENVIRONMENT|''})

  6. In “Output for integrations” used by the agent policy to use the env provider in the section “Advanced YAML configuration”, set
providers:
  env:
    enabled: true

Example Result

Notes

This solution relies on the fact that every Elastic Agent instance is only a part of one category of the wanted additional namespace (in this example “environment”).

If you want additional dimensions, just repeat the steps of:

  • Adding environment variables
    and
  • Adding “Add another field” in elastic agent policies
    The part |'' of the variable reference is only to make sure that a non-set environment variable will be interpreted as empty, see alternative variables and constants

If you have roles that should only have access to a subset of the new namespace, please refer to Document level security

Conclusion

Handling multi-dimensional namespaces can be easily done by setting environment variables where the Elastic Agent is running, and using its definition in the Elastic Agent policy that is used by this Elastic Agent.

These Solutions are Engineered by Humans

Did you find this article interesting? Does it match your skill set? Our customers often present us with problems that need customized solutions. In fact, we’re currently hiring for roles just like this and others here at Würth Phoenix.

Reinhold Trocker

Reinhold Trocker

IT professional, IT security, (ISC)2 CISSP, technical consultant

Author

Reinhold Trocker

IT professional, IT security, (ISC)2 CISSP, technical consultant

Latest posts by Reinhold Trocker

08. 11. 2024 Log Management, Log-SIEM
Configuring EnvironmentFile for Elastic Agents on NetEye Nodes
16. 02. 2024 Log-SIEM, NetEye
Enabling Elastic Agents Upgrades in Restricted or Closed Networks
19. 10. 2023 Log Management, Log-SIEM
Integration of Elasticsearch Clients without Authentication and without TLS
12. 10. 2023 Log Management, Log-SIEM
stunnel TCP keepalive Settings Preventing Firewall from Blocking Log Traffic
See All

Related Content

Tags: , ,

03. 12. 2024 ITOA, NetEye

Grafana 11 compatibility

Scenario NetEye4 provides a graphical engine to represent time series data stored into Influx database: Grafana engine accessible through the ITOA menu on the left side. Grafana is very powerful: its dashboards are built up of panels. A lot of Read More
22. 11. 2024 Atlassian, Service Management

Managing Alerts with JSM: Focus on Incident Management – Part 1

Alerts are critical signals that demand immediate attention to minimize disruptions and maintain smooth operations. Proactively managing alerts throughout their lifecycle is key to effective event-driven workflows, incident response, and business continuity. By leveraging alerting tools within Jira Service Management Read More
06. 11. 2024 AI, Log-SIEM, Machine Learning, NetEye

The New NetEye User Guide Search: From POC to Production

Hello everyone! As you may remember, a topic I like to discuss a lot on this blog is the Proof of Concept (POC) about how we could enhance search within our online NetEye User Guide. Well, we're happy to share Read More
02. 10. 2024 Log Management, Log-SIEM, Machine Learning, NetEye

Perform KNN Classification Using Elasticsearch

Hey everyone! We played around a bit last time with our radar data to build a model that we could train outside Elasticsearch, loading it through Eland and then applying it using an ingest pipeline. But since our data is Read More
11. 09. 2024 Contribution, Development, DevOps

Ansible Development, Part 1: Building an Execution Environment

Right now, at Würth Phoenix, we are investing in automating most of our operations using Ansible. You're probably already familiar with what Ansible does, but to summarize, Ansible is an open-source, command-line IT automation application written in Python. I've talked Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive