Configuring the Airlock Secure Access Hub reporting bundle
Airlock Gateway and Airlock IAM can be configured to send their logs directly to an external Elasticsearch and Kibana (EK) stack. This article describes how to move reporting off the appliance by using the external reporting bundle to deploy and/or configure an EK stack for Airlock Gateway logs and/or Airlock IAM logs. On the appliance itself, Airlock Gateway provides a local reporting system based on EK that runs on the same host as the web application firewall, while Airlock IAM can expose logging and reporting information through log files, by appending log messages to stdout or by forwarding log messages to an external EK instance.
The Airlock Secure Access Hub reporting bundle configures an external EK instance so that logs can be stored and visualized. We recommend the reporting bundle for the following scenarios:
- Reporting should be centralized to merge logs from multiple instances of Airlock Gateway.
- Reporting should be centralized to correlate logs from Airlock Gateway and Airlock IAM.
- Logs from different sources should be integrated into an existing EK infrastructure.
- Reporting must be offloaded to dedicated hosts to improve availability, performance, and disk-space scalability.
What the reporting bundle provides
The reporting bundle can be used with preconfigured EK instances. It provides the following content.
- Elasticsearch content: index templates/mappings and ingest pipelines
- Kibana content: saved objects (index patterns, searches, visualizations, dashboards)
All other aspects of configuring the EK stack (e.g. high availability, authentication) are outside the scope of the reporting bundle.
Configuration
Version compatibility
Use the bundle version that matches your Elasticsearch version. Mismatched versions are not supported. For details about version dependencies, refer to the relevant download page on Techzone.
Configuring Airlock IAM to use external Elasticsearch
Configuration is done in the IAM instance's configuration file:
$IAM_CONFIG_ROOT/instances/<your instance>/instance.properties
Use the following property to define the external Elasticsearch endpoint:
iam.log.elasticsearch.url
Set this property to the Elasticsearch URL where log files should be sent, for example http://elasticsearch.example.com:9200/
Configuring an existing EK deployment
Prerequisites: a Unix shell and cURL.
- Download and unzip the reporting bundle from the relevant download page on Techzone.
- Change into the directory of the unzipped reporting bundle.
- Optional: By default, the scripts set up all the necessary components for both Airlock Gateway and Airlock IAM. You can omit configuring Gateway-specific content by uncommenting the
#export NO_WAF=1line. - Apply the Elasticsearch configuration by running the following command:
- Terminal box
./setup-ek/elasticsearch/setup-elasticsearch.sh http://elasticsearch:9200
- Apply the Kibana configuration by running the following command:
- Terminal box
./setup-ek/kibana/setup-kibana.sh http://kibana:5601
Deploying an EK test setup
The following solution is for testing only.
- Production deployments must ensure high availability of the reporting service and implement log data archiving (e.g., audit logs).
- Download and unzip the reporting bundle from the relevant download page on Techzone.
- Change into the directory of the unzipped reporting bundle.
- Run the following command:
- Terminal box
docker-compose up --build
- Upon execution, Docker pulls and starts Elasticsearch and Kibana; the setup then configures Elasticsearch (index templates, ingest pipelines) and imports saved objects from Kibana (searches, visualizations, dashboards) for Airlock Gateway and/or Airlock IAM.
The following table summarizes default hosts, ports, and URLs for the test setup and links to the vendor documentation:
Property | Elasticsearch | Kibana |
|---|---|---|
|
|
|
|
|
|
|
|
|
| Elasticsearch returns a JSON info document about the deployment. | Kibana starts the web UI. |
Further information |