Add azure module doc #9510
Add azure module doc #9510
Conversation
|
@acchen97 @jakelandis Not ready for review, but I want to get your input on content and direction. |
docs/static/azure-module.asciidoc
Outdated
| === Azure Module [Experimental] | ||
| experimental[] | ||
|
|
||
| The https://azure.microsoft.com/en-us/overview/what-is-azure/[Microsoft Azure] module in Logstash helps you easily integrate your Azure |
There was a problem hiding this comment.
Can we put some more detail on what the module does? Maybe something like the below...
"The Logstash Azure module enables you to easily monitor your Azure cloud environments and SQL DB deployments with deep operational insights across multiple Azure subscriptions. Explore the health of your infrastructure in real-time to accelerate root cause analysis and decrease overall time to resolution.
- Analyze infrastructure changes and authorization activity
- Identify suspicious behaviors and potential malicious actors
- Perform root-cause analysis by investigating user activity
- Monitor and optimize your SQL DB deployments"
docs/static/azure-module.asciidoc
Outdated
|
|
||
|
|
||
| [[azure-prereqs]] | ||
| ==== Prerequisites |
There was a problem hiding this comment.
We also need to add or link to instructions for setting up Azure Monitor on the Azure side. Azure Monitor centralizes the logs to an Event Hub which we ingest from.
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-azure-monitor
There was a problem hiding this comment.
Specifically: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-stream-activity-logs-event-hubs and https://docs.microsoft.com/en-us/azure/sql-database/sql-database-metrics-diag-logging for how to setup on Azure side of things. "Stream to an event hub" option for the latter.
| suite of {kib} dashboards to help you start exploring your data immediately. | ||
|
|
||
| [[azure-dashboards]] | ||
| ==== Dashboards |
docs/static/azure-module.asciidoc
Outdated
|
|
||
| These {kib} dashboards are available and ready for you to use. | ||
|
|
||
| * *Overview*. Top-level view into your Azure operations, including info about users, resource groups, service health, access, activities, and alerts. |
There was a problem hiding this comment.
Should we group these into two logical sections?
- "Infrastructure Activity Monitoring" - Overview, User Activity, and Alerts
- "SQL DB Monitoring" - SQL DB Overview, SQL DB Database View, SQL DB Queries
|
I like the direction, left a few comments. Happy to discuss live if you'd like. |
docs/static/azure-module.asciidoc
Outdated
| To get started with the Azure module: | ||
|
|
||
| . Install the {logstash-ref}/plugins-inputs-azure_event_hubs.html[azure_event_hubs | ||
| plugin]. |
There was a problem hiding this comment.
no need to install plugin. it is a default plugin as of 6.4
docs/static/azure-module.asciidoc
Outdated
|
|
||
| ["source","shell"] | ||
| ----- | ||
| bin/logstash-plugin install logstash_input_azure_event_hubs |
There was a problem hiding this comment.
no need to install plugin
docs/static/azure-module.asciidoc
Outdated
| [[azure-module-setup]] | ||
| ===== Set up the module | ||
|
|
||
| TBD: From the LS directory? |
docs/static/azure-module.asciidoc
Outdated
| You can specify <<azure_config_options, options>> for the Logstash Azure module in the | ||
| `logstash.yml` configuration file or with overrides through the command line. | ||
|
|
||
| The azure_event_hubs plugin and the Azure module support two configuration |
There was a problem hiding this comment.
there are really 3 configuration modes, command line, basic, and advanced.
command line = 1 event hub
basic = multiple event hubs same config
advanced = multiple event hubs different config
I think it makes sense to document it this way instead of the 2 ways with the caveat that basic has two ways (command line vs. yml) and the command line only supports a single event hub.
docs/static/azure-module.asciidoc
Outdated
| `event_hub_connection`. | ||
|
|
||
| [id="plugins-{type}s-{plugin}-config_mode"] | ||
| ===== `config_mode` |
There was a problem hiding this comment.
the config mode is chosen automatically based on the yaml, no need to document here.
docs/static/azure-module.asciidoc
Outdated
|
|
||
| [source,ruby] | ||
| ---- | ||
| azure_event_hubs { |
There was a problem hiding this comment.
we should avoid using the plugin examples. the module maps the yaml configuration to the plugin configuration. I think the descriptions (for the most part) apply, but the examples, if any provided, should be in the yaml style.
For example:
var.input.azure_event_hubs.event_hubs:
- ["name", "event_hub_connection", "storage_connection", "initial_position", "decorate_events"]
- ["insights-operational-logs", "Endpoint=sb://example1...", "DefaultEndpointsProtocol=https;AccountName=example1....", "HEAD", "true"]
- ["insights-metrics-pt1m", "Endpoint=sb://example2...", "DefaultEndpointsProtocol=https;AccountName=example2....", "TAIL", "true"]
There was a problem hiding this comment.
@jakelandis Gotcha.
WRT: "the examples, if any provided..."
Before I do a lot of unnecessary reformatting, let's decide if we need the examples at all. If we need just a few examples, I'll focus on reworking those.
There was a problem hiding this comment.
maybe we can provide a an example of how to map the input the options to yaml, and then hyperlink each of the options to the input documentation. Maybe just a bullet list of the linked options ?
docs/static/azure-module.asciidoc
Outdated
| [[run-azure]] | ||
| ==== Start the module | ||
|
|
||
| Run this command from the Logstash install directory: |
There was a problem hiding this comment.
Run this command from the Logstash install directory (with the logstash.yml properly configured) ?? ...or something like that.
There was a problem hiding this comment.
@jakelandis These are fantastic comments, and the updates are going well. Link ^^ isn't working for me. Can you point me in the right direction, please?
NM. I think I know what you're getting at.
docs/static/azure-module.asciidoc
Outdated
|
|
||
| Many of the logs contain a "properties" top level field. This is often where the | ||
| most interesting data lives. There is not a fixed schema between log types for | ||
| properties fields coming from different sources. This can cause mapping errors |
There was a problem hiding this comment.
This can cause mapping errors ...
Can we nuke that sentence ? We cover it later with "To avoid mapping errors, ..."
docs/static/azure-module.asciidoc
Outdated
|
|
||
|
|
||
|
|
||
| ==== Testing |
There was a problem hiding this comment.
let's leave this section out entirely ... i think it makes for the readme, but not the ascii doc.
|
@jakelandis @acchen97 Ready for another look. |
docs/static/azure-module.asciidoc
Outdated
| `event-hub-connections`. The the advanced configuration uses `event_hubs` and | ||
| `event_hub_connection`. | ||
|
|
||
| [id="plugins-{type}s-{plugin}-event_hubs"] |
There was a problem hiding this comment.
You shouldn't use the type and plugin attributes here. This convention is used in the plugin docs only. The attributes get set for each topic in the plugin docs and don't exist in the other parts of the Logstash Reference. The book probably builds without errors right now because the build ignores unresolved attributes 😱. However, if someone references this ID, the link will break. Use [[event_hubs]] instead, and make sure you change the other IDs in this topic. I'm guessing you must have copied this over from some plugin docs. :-) Easy mistake....
|
|
||
| [cols="<,<,<",options="header",] | ||
| |======================================================================= | ||
| |Name |Description|Notes |
There was a problem hiding this comment.
Tables can render strangely in our docs right now if there are long words (dotted names are often that problem) that result in text overrunning the navigation widget. Generally we try to avoid using complex tables (with more than two columns). At this point, I'd just check the output to see if there are overruns and use a different format strategy (maybe definition lists) if there are issues.
There was a problem hiding this comment.
Looks good on local build. Will verify again.
docs/static/azure-module.asciidoc
Outdated
|
|
||
| Microsoft is the best source for the most up-to-date Azure information. | ||
|
|
||
| * [Overview of Azure Monitor]https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-azure-monitor |
There was a problem hiding this comment.
This is markdown, not asciidoc formatting. Ditto for the other items in this list.
There was a problem hiding this comment.
Doh! Is this correct?
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-azure-monitor[Overview of Azure Monitor]
There was a problem hiding this comment.
Looks right to me! Using the wrong link format is a common mistake for the dev team because they have to switch between markdown and asciidoc all the time.
docs/static/azure-module.asciidoc
Outdated
|
|
||
| Connection string that identifies the Event Hub to be read. Advanced | ||
| configuration options can be set per Event Hub. This option modifies | ||
| `event_hub_name`, and should be nested under it. (See sample.) This option |
There was a problem hiding this comment.
I'm just skimming for issues, but it seems like "See sample" is an incomplete sentence and perhaps needs a link
docs/static/azure-module.asciidoc
Outdated
| * Value type is <<boolean,boolean>> | ||
| * Default value is `false` | ||
|
|
||
| Adds metadata about the Event Hub, including Event Hub name, consumer_group, |
There was a problem hiding this comment.
Should these be formatted in backticks? If not, maybe change this to say consumer group, processor host, and so on (without underscores).
docs/static/azure-module.asciidoc
Outdated
| properties fields coming from different sources. | ||
|
|
||
| For example, one log may have | ||
| properties.type where one log sets this a String type and another sets this an |
There was a problem hiding this comment.
usually we format field names in backticks.
docs/static/azure-module.asciidoc
Outdated
| - ["insights-operational-logs", "Endpoint=sb://example4...", "DefaultEndpointsProtocol=https;AccountName=example4....", "HEAD", "true"] | ||
| ----- | ||
|
|
||
| ===== Map input options to the logstash.yml file |
There was a problem hiding this comment.
I think we leave out this section entirely, the examples above should be sufficient.
docs/static/azure-module.asciidoc
Outdated
| ===== `event_hubs` | ||
| * Value type is <<array,array>> | ||
| * No default value | ||
| * Ignored for basic configuration |
There was a problem hiding this comment.
nit: Ignored for basic and command line configuration.
docs/static/azure-module.asciidoc
Outdated
| * Ignored for basic configuration | ||
| * Required for advanced configuration | ||
|
|
||
| Defines the Event Hubs to be read. An array of hashes where each entry is a |
There was a problem hiding this comment.
This is slightly different for the yaml...
How about:
Defines the per Event Hubs configuration for the advanced configuration (<- link to above).
docs/static/azure-module.asciidoc
Outdated
| ===== `event_hub_connections` | ||
| * Value type is <<array,array>> | ||
| * No default value | ||
| * Required for basic configuration |
There was a problem hiding this comment.
nit: Required for basic and command line configuration
and * Ignored for advanced configuration.
docs/static/azure-module.asciidoc
Outdated
| List of connection strings that identifies the Event Hubs to be read. Connection | ||
| strings include the EntityPath for the Event Hub. | ||
|
|
||
| The `event_hub_connections` option is defined |
There was a problem hiding this comment.
I think we can remove this sentence.
edit: both sentences, actually.
docs/static/azure-module.asciidoc
Outdated
|
|
||
|
|
||
| [id="plugins-{type}s-{plugin}-event_hub_connection"] | ||
| ===== `event_hub_connection` |
There was a problem hiding this comment.
This is a bit tricky... and we may want to deviate from the plugin doc a bit here.
I would suggest to remove this section entirely, and take the note on line 208 and put it (or make a new similar one) under 'event_hubs' . I think that will sufficiently document this options.
Since we are de-emphasizing the advanced config, and for YAML this only appears in the table name row (not a top level config option like in the plugin), it feels better to leave this out.
docs/static/azure-module.asciidoc
Outdated
| * [Azure SQL Database metrics and diagnostics logging]https://docs.microsoft.com/en-us/azure/sql-database/sql-database-metrics-diag-logging | ||
| * [Stream the Azure Activity Log to Event Hubs]https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-stream-activity-logs-event-hubs | ||
|
|
||
|
|
There was a problem hiding this comment.
Do we want to include a best practice section like here: https://github.com/logstash-plugins/logstash-input-azure_event_hubs/blob/master/docs/index.asciidoc#best-practices ?
docs/static/azure-module.asciidoc
Outdated
| ----- | ||
|
|
||
| [[azure_config_options]] | ||
| ===== Configuration options |
There was a problem hiding this comment.
Can we add a quick blurb about prefixing the configuration options ? With an example or two?
For example:
threads configuration
Command line:
-M "azure.var.input.azure_event_hubs.threads=8"
Basic:
var.input.azure_event_hubs.threads: 8
Advanced:
var.input.azure_event_hubs.event_hubs:
- ["name", "event_hub_connection", "threads"]
- ["insights-operational-logs", "Endpoint=sb://example1...", 8]
|
@karenzone - this is looking really good. I left some comments, please take them as suggestions not must dos. |
|
FYI - I'm still working to resolve the comment about prefixing config option. Wanted to get this back out to review quickly so @acchen97 can see where we are. @jakelandis WRT #9510 (comment). Please see if I resolved this issue the way you wanted it. |
docs/static/azure-module.asciidoc
Outdated
| * **Create a {ls} consumer group.** | ||
| Create a new consumer group specifically for {ls}}. Do not use the $default or | ||
| any other consumer group that might already be in use. Reusing consumer groups | ||
| among non-related consumers can cause expected behavior and possibly lost |
There was a problem hiding this comment.
typo: can cause unexpected behavior ?
There was a problem hiding this comment.
Looks good overall! Left some comments, though some of them are nits. Thanks for all your hard work on this @jakelandis @karenzone
docs/static/azure-module.asciidoc
Outdated
| [[azure-dashboards]] | ||
| ==== Dashboards | ||
|
|
||
| These {kib} dashboards are available and ready for you to use. You can use them they are, or tailor them to meet your needs. |
There was a problem hiding this comment.
You can use them as they are
docs/static/azure-module.asciidoc
Outdated
|
|
||
| * *Overview*. Top-level view into your Azure operations, including info about users, resource groups, service health, access, activities, and alerts. | ||
|
|
||
| * *Alerts*. Alert info, including activity, alert status (activated, resolved, succeeded), and alerts heatmap |
There was a problem hiding this comment.
Sorry this is a nit but we can prob remove the "(activated, resolved, succeeded)" bit
docs/static/azure-module.asciidoc
Outdated
|
|
||
| * *User Activity*. Info about system users, their activity, and requests. | ||
|
|
||
| ===== SQL database monitoring |
There was a problem hiding this comment.
For branding purposes, can we capitalize "Database"?
There was a problem hiding this comment.
Same for the instances below as well
docs/static/azure-module.asciidoc
Outdated
|
|
||
| * *SQL DB Database View*. Detailed info about each SQL database, including wait time, errors, DTU and storage utilization, size, and read and write input/output. | ||
|
|
||
| * *SQL DB Queries*. Info about SQL database queries, including DTU Utilization, errors, and query duration and wait time. |
There was a problem hiding this comment.
Let's exclude the last bit here. Just "info about SQL Database queries and performance" is fine.
| The Elastic Stack version 6.4 (or later) is required for this module. | ||
|
|
||
| NOTE: Logstash, Elasticsearch, and Kibana must run locally. You can also run | ||
| Elasticsearch, Kibana and Logstash on separate hosts to consume data from Azure. |
There was a problem hiding this comment.
I'm aware other modules like ArcSight have a similar statement here. To clarify the context, should be start this with "For these instructions below..."?
There was a problem hiding this comment.
Seems like the Prereqs designation and the flow of the topic implies order. I avoid extra words whenever possible because "the more you write, the less people read."
If you feel strongly that there is risk of confusion, I will add.
docs/static/azure-module.asciidoc
Outdated
| [[azure-module-prereqs]] | ||
| ==== Prerequisites | ||
|
|
||
| The Elastic Stack and Microsoft Azure Event Hubs are required for this module. |
There was a problem hiding this comment.
Perhaps more accurately for the Azure side: "must have Azure Monitor enabled with Azure Event Hubs"
docs/static/azure-module.asciidoc
Outdated
| Event Hubs. The `--setup` option creates an `azure-*` index pattern in | ||
| Elasticsearch and imports Kibana dashboards and visualizations. | ||
|
|
||
| NOTE: The `--setup` option is intended only for first-time setup. If you include `setup` on subsequent runs, your existing Kibana dashboards will be overwritten. |
There was a problem hiding this comment.
Second "setup" here is missing the "--"
| Here are some guidelines to help you avoid data conflicts that can cause lost | ||
| events. | ||
|
|
||
| * **Create a {ls} consumer group.** |
There was a problem hiding this comment.
@jakelandis are these best practices on the Azure website that we could link to or did you curate them yourself? My concern is that this content may go stale based on new Event Hub releases.
There was a problem hiding this comment.
I curated them. I don't think the existing suggestions here will ever go out of fashion since it is at the core of how the event hubs work. However, there may be new (or existing) best practices not represented here.
The only best practice I found from MS is https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#best-practices and most of their documentation is standard howto, configuration, pricing, etc. Not much consumer guidance.
There was a problem hiding this comment.
Got it, thanks for the insight.
docs/static/azure-module.asciidoc
Outdated
|
|
||
| NOTE: All Event Hubs options are common to both basic and advanced | ||
| configurations, with the following exceptions. The basic configuration uses | ||
| `event-hub-connections`. The the advanced configuration uses `event_hubs` and |
There was a problem hiding this comment.
@jakelandis this seems a bit confusing from a usability standpoint. The minor syntactical difference here may throw users off. Can you elaborate on why this is the case?
There was a problem hiding this comment.
I'm happy to wait for more user feedback before we think too much into it though.
There was a problem hiding this comment.
this seems a bit confusing from a usability standpoint
agreed. but needed.
The minor syntactical difference here may throw users off. Can you elaborate on why this is the case?
So... the configuration is either (pseudo configuration for illustration, not exact syntax):
event-hub-connections=[connection1, connection2, ...]
threads=8
or
event-hubs
|__ event-hub-connection=connection1, threads=8
|__ event-hub-connection=connection2, threads=4
the former supports many connections (hence the plural) the latter supports only 1 connection (hence the singular)
This is the same behavior as the input plugin for basic vs. advanced configuration. I think a user should see the discouragement of the advanced configuration (above) and not concern themselves with this ... or would copy/paste the example as a starting point (which has the correct syntax).
There was a problem hiding this comment.
Got it, then in that case there may be a typo for the advanced config option as it says event_hubs with an underscore rather than a dash. /cc @karenzone
There was a problem hiding this comment.
sorry, the underscores (and documentation) are correct. my above comment incorrectly used dashes instead of underscores.
There was a problem hiding this comment.
actually... there is a typo above event-hub-connections should be event_hub_connections @karenzone sorry if misled you. All options should use underscores not dashes.
There was a problem hiding this comment.
Corrected typo here and in azure_event_hubs plugin doc. Called attention to plural/singular treatment for emphasis. Let me know if this helps clarify.
|
|
||
| ==== Azure module schema | ||
|
|
||
| This module reads data from the Azure Event Hub and adds some additional structure to the data for Activity Logs and SQL Diagnostics. The original data is always preserved and any data added or parsed will be namespaced under 'azure'. For example, 'azure.subscription' may have been parsed from a longer more complex URN. |
|
@karenzone - nice work! LGTM |
| * `look_back` reads `end` minus a number of seconds worth of pre-existing events. | ||
| You control the number of seconds using the `initial_position_look_back` option. | ||
|
|
||
| Note: If `storage_connection` is set, the `initial_position` value is used only |
There was a problem hiding this comment.
Need to write NOTE not Note if you want this to render in a note box.
There was a problem hiding this comment.
Thanks for looking. In this case, I wanted to call out the info, but not with as much emphasis as the note box.
Rework of unreleased Azure module content after redesign